Bug 28159

Summary: mutt new denial of service security issue (CVE-2021-3181)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=28296
Whiteboard: MGA7-64-OK
Source RPM: mutt-1.11.4-1.4.mga7.src.rpm CVE: CVE-2021-3181
Status comment:
Bug Depends on:    
Bug Blocks: 28296    

Description David Walser 2021-01-18 17:05:31 CET 
A denial of service issue due to memory leak has been fixed upstream in mutt:
https://www.openwall.com/lists/oss-security/2021/01/17/2

The commit that fixed the issue is linked from the message above.

Mageia 7 may also be affected (and maybe neomutt?).
Comment 1 Nicolas Lécureuil 2021-01-19 09:40:00 CET 
fixed on mga8.

Valid on mga7

src: 
    mutt-1.11.4-1.5.mga7

CC: (none) => mageia
Assignee: jani.valimaa => qa-bugs
Version: Cauldron => 7

Comment 2 David Walser 2021-01-19 14:48:25 CET 
Nicolas, did you check neomutt?  (also, the package is unmaintained for mga7)

As for mutt:
mutt-1.11.4-1.5.mga7
mutt-doc-1.11.4-1.5.mga7

from mutt-1.11.4-1.5.mga7.src.rpm
Comment 3 David Walser 2021-01-20 14:34:55 CET 
CVE-2021-3181 has been assigned for this:
https://www.openwall.com/lists/oss-security/2021/01/19/10

Summary: mutt new denial of service security issue => mutt new denial of service security issue (CVE-2021-3181)

Comment 4 David Walser 2021-01-21 16:44:30 CET 
Debian-LTS has issued an advisory for this today (January 21):
https://www.debian.org/lts/security/2021/dla-2529
Comment 5 David Walser 2021-01-26 05:40:02 CET 
Ubuntu has issued an advisory for this today (January 25):
https://ubuntu.com/security/notices/USN-4703-1

Status comment: (none) => mutt patched, need to check if neomutt is affected
Severity: normal => major

Aurelien Oudelet 2021-02-04 18:56:58 CET

CVE: (none) => CVE-2021-3181
Source RPM: mutt-2.0.4-1.mga8.src.rpm => mutt-1.11.4-1.4.mga7.src.rpm
CC: (none) => ouaurelien

Comment 6 Aurelien Oudelet 2021-02-05 10:28:29 CET 
MGA7 64 Plasma + Postfix mail server to serve root mail.

No installation issues with QA Repo
Look previous BR, and see the advice from Mike in bug 25909 and run
# mutt -f /var/spool/mail/root
13 kept, 0 deleted.
See all MSEC reports.

Looks OK for me.

Validating.
Advisory pushed to SVN.

Not sure: Neomutt is not patched? (not in updates_testing).

Keywords: (none) => advisory
Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2021-02-05 10:30:14 CET

Blocks: (none) => 28296

Aurelien Oudelet 2021-02-05 10:31:37 CET

Keywords: (none) => validated_update
Status comment: mutt patched, need to check if neomutt is affected => (none)
CC: (none) => sysadmin-bugs
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28296

Comment 7 Mageia Robot 2021-02-05 12:56:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0070.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED