| Summary: | mutt new security issues CVE-2018-14349, CVE-2018-1435[0-9], CVE-2018-1436[0-3] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | bruno, davidwhodgins, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | mutt-1.10.0-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2018-07-24 18:24:17 CEST
David Walser
2018-07-24 18:24:33 CEST
Whiteboard:
(none) => MGA6TOO

SUSE has issued an advisory on July 27:
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004326.html

It fixes these and a few more issues.

Summary:
mutt new security issues CVE-2018-14349, CVE-2018-1435[0-9], CVE-2018-14362 =>
mutt new security issues CVE-2018-14349, CVE-2018-1435[0-9], CVE-2018-1436[0-3]

Fedora has issued advisories for this on July 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ADQDKEL55ISBMHUFNGN76SC3IQWJC73M/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GAEYBSZPZ6PAWGFNHLCBPAKO6INA3JFQ/

openSUSE has issued an advisory for this today (August 6):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00027.html

mutt-1.10.1-1.mga7 uploaded for Cauldron by Jani.

Version:
Cauldron => 6

Ubuntu has issued an updated advisory for this on September 28:
https://usn.ubuntu.com/3719-3/

I pushed mutt 1.10.1 for 6 in core/updates_testing

Target Milestone:
--- => Mageia 6

Advisory:
========================

Updated mutt package fixes security vulnerabilities:

It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this to execute arbitrary code (CVE-2018-14350, CVE-2018-14352, CVE-2018-14354, CVE-2018-14359, CVE-2018-14358, CVE-2018-14353, CVE-2018-14357).

It was discovered that Mutt incorrectly handled certain inputs. An attacker could possibly use this to access or expose sensitive information (CVE-2018-14355, CVE-2018-14356, CVE-2018-14351, CVE-2018-14362, CVE-2018-14349).

nntp_add_group in newsrc.c has a stack-based buffer overflow because of incorrect sscanf usage (CVE-2018-14360).

nntp.c proceeds even if memory allocation fails for messages data (CVE-2018-14361).

newsrc.c does not properly restrict '/' characters that may have unsafe interaction with cache pathnames (CVE-2018-14363).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14353
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14354
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14355
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14357
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14363
https://usn.ubuntu.com/3719-1/
https://lists.opensuse.org/opensuse-updates/2018-08/msg00027.html
========================

Updated packages in core/updates_testing:
========================
mutt-1.10.1-1.1.mga6
mutt-utf8-1.10.1-1.1.mga6
mutt-doc-1.10.1-1.1.mga6

from mutt-1.10.1-1.1.mga6.src.rpm

Target Milestone:
Mageia 6 => ---

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 14707 Comment 1, but link is not valid anymore.
Found this PoC at https://gitlab.com/muttmua/trac-tickets/tree/master/attachments/3716
At CLI
$ mutt -R -f crasher.mbox -e 'set weed=no'
crasher.mbox is geen postvak. (is not a mailbox)
Bug 14707 Comment 6 refers to a .muttrc file, but I cannot find this file.
mutt seems to be way over me.

CC:
(none) => herman.viaene

Similar results here. Tried it a while ago (not the PoC). Tried to write the .muttrc and start the application but it came back at me with "not a Mailbox mutthead" or words to that effect.

CC:
(none) => tarazed25

Experimenting with .muttrc.

$ cat .muttrc
# About Me
set from = "lcl@difda"
set realname = "Len Lawrence"
# My credentials
set smtp_url = "localhost"
set smtp_pass = "password"
set imap_user = "tarazed25@gmail.com"
set imap_pass = "<whatever>"
# My mailboxes
set folder = "~/.mutt/Mail"
set spoolfile = "+INBOX"
# Where to put the stuff
set header_cache = "~/.mutt/cache/headers"
set message_cachedir = "~/.mutt/cache/bodies"
set certificate_file = "~/.mutt/certificates"
# Etc
set mail_check = 30
set move = no
set imap_keepalive = 900
set sort = threads
set editor = "vim"
# GnuPG bootstrap
# source ~/.mutt/gpg.rc

$ cd .mutt/Mail
$ touch INBOX
$ mutt

This at least launched the application. ? displayed help which can be paged using the space bar. Created and sent a message to myself using m and the vi editor and finishing with Esc :wq in the usual fashion. Some information appeared, an extract from the header. Hit Return and the message appeared. It is a start anyway. Not quite sure what is what. Off to check my Google mailbox to see if the message is there. Nope - cannot see it in Sent or my Inbox. Exited and saw the message "Mailbox is unchanged" so I guess mutt is not working for me.

Tried the PoC using Herman's command:
$ mutt -R -f crasher.mbox -e 'set weed=no'
mutt terminal appeared with a message with index number 1:
1 N Nov 26 jwilk@jwilk.net ( 1)
Hitting return gives:
From jwilk@jwilk.net Wed Nov 26 18:01:22 2014 From: Hello world!

Updated mutt from updates testing and tried the PoC again. The result was the same as before.

Installed mutt-1.7.2-3 packages, ensured they are working to read mail from /var/spool/mail/dave where I have several days of cron messages. Installed the mutt-1.10.1-1.1 packages and confirmed it's still working.

Advisory committed to svn. Validating the update.

Whiteboard:
(none) => MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0447.html

Resolution:
(none) => FIXED
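
The advisory above attributes CVE-2018-14360 to incorrect sscanf usage into a stack buffer and CVE-2018-14363 to '/' characters reaching cache pathnames. The following is an added illustration of the hardened pattern for both bug classes; it is not code from mutt or from this bug report. The function name, the 63-byte limit and the sample lines are assumptions made for the example, and the "name high low status" layout follows the NNTP LIST ACTIVE response.

```c
#include <stdio.h>
#include <string.h>

#define GROUP_WIDTH 63            /* hypothetical limit for this example */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Parse "name high low status"; return 0 on success, -1 if the line is
 * malformed, the name is over-long, or the name is unsafe as a path part. */
int parse_group_line(const char *line, char group[GROUP_WIDTH + 1],
                     unsigned long *high, unsigned long *low, char *status)
{
    int used = 0;

    /* A bare "%s" copies a token of any length into the fixed buffer (the
     * CVE-2018-14360 bug class). The explicit width caps the copy and
     * leaves one byte for the terminating NUL. */
    if (sscanf(line, "%" STR(GROUP_WIDTH) "s%n", group, &used) != 1)
        return -1;

    /* A width-limited %s stops mid-token without reporting it, so reject
     * the line unless the name ended at a separator. */
    if (line[used] != ' ')
        return -1;

    if (sscanf(line + used, " %lu %lu %c", high, low, status) != 3)
        return -1;

    /* The name later becomes part of a cache pathname (CVE-2018-14363
     * class): refuse '/' and dot-only names instead of trying to escape. */
    if (strchr(group, '/') || !strcmp(group, ".") || !strcmp(group, ".."))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not captured server output. */
    const char *lines[] = { "comp.mail.mutt 1200 1 y", "alt/cache 5 1 y" };
    char group[GROUP_WIDTH + 1], status;
    unsigned long high, low;

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-26s -> %d\n", lines[i],
               parse_group_line(lines[i], group, &high, &low, &status));
    return 0;
}
```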