| Summary: | mutt/neomutt new security issues CVE-2021-32055 and CVE-2022-1328 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, herman.viaene, jani.valimaa, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://gitlab.com/muttmua/mutt/-/issues/404 | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | mutt-2.0.5-1.mga8, neomutt-20210205-1.mga8 | CVE: | CVE-2022-1328 |
| Status comment: | |||
|
Description
David Walser
2022-04-15 20:18:21 CEST
David Walser
2022-04-15 20:18:31 CEST
Whiteboard:
(none) =>
MGA8TOO

Fixed in cauldron with mutt-2.2.3-1.mga9.

Whiteboard:
MGA8TOO =>
(none)

Please test mutt-2.0.5-1.1.mga8 from core/updates_testing. It includes the fix from upstream:
https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5

CC:
(none) =>
jani.valimaa

mutt-2.0.5-1.1.mga8
mutt-doc-2.0.5-1.1.mga8

from mutt-2.0.5-1.1.mga8.src.rpm

Status comment:
Fixed upstream in 2.2.3 =>
(none)

neomutt-doc-20220415-1.mga8
neomutt-20220415-1.mga8

from neomutt-20220415-1.mga8.src.rpm

CVE:
(none) =>
CVE-2022-1328

openSUSE has issued an advisory for this on April 25:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DR7ZSOKFQZ5EIKQHLZ37AMGVPDGDIJ5W/

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Test as bug 28159 Comment 5 (this is a new user on the system!!!)

    $ mutt -f /var/spool/mail/tester8
    Mailbox is unchanged.

Tried again to do a real mail after configuring .muttrc (my regular account is a pop account, no authentication at smtp), but I keep running into problems as in bug 25909

    $ echo "" | mutt -s "testmutt" -i body.txt herman.viaene@hotmail.be
    TLSv1.3 connection using TLSv1.3 (TLS_AES_256_GCM_SHA384)
    SASL authentication failed
    Could not send the message.

Googled a lot but found no solution, bug 28159 was OK'ed with the first test????

CC:
(none) =>
herman.viaene

Ubuntu has issued an advisory on April 28:
https://ubuntu.com/security/notices/USN-5392-1

Another issue was fixed upstream in mutt 2.0.7. I'm not sure about neomutt.

Assignee:
qa-bugs =>
jani.valimaa

Fedora has issued an advisory for this today (June 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/35CD7NH4NFPF5OEG2PHI3CZ3UOK3ICXR/

openSUSE has issued an advisory for neomutt today (June 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YAIJ2AOB7KV4ZEDS2ZHBBCKGSPYKSKDI/

mutt 2.0.7 pushed to mga8 updates_testing.

CC:
(none) =>
bruno

Thanks. We most likely need neomutt updated again as well.

Assignee:
qa-bugs =>
pkg-bugs

neomutt 2023-05-17 pushed as well.
Bruno Cornec
2023-07-03 00:37:21 CEST
Assignee:
pkg-bugs =>
qa-bugs

mutt-2.0.7-1.1.mga8
mutt-doc-2.0.7-1.1.mga8
neomutt-doc-20230517-1.mga8
neomutt-20230517-1.mga8

from SRPMS:
mutt-2.0.7-1.1.mga8.src.rpm
neomutt-20230517-1.mga8.src.rpm

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tried to follow procedure from bug 25909, but keep getting problems with authentication

    $ echo "" | mutt -s "testmutt" -i body.txt herman.viaene@hotmail.be
    TLSv1.3 connection using TLSv1.3 (TLS_AES_256_GCM_SHA384)
    No authenticators available
    Could not send the message.

My muttrc reads

    # About Me
    set from = "hviaene@gmail.com"
    set realname = "Ikke Thuis"
    # My credentials
    set smtp_url = "smtp://hviaene@gmail.com@smtp.gmail.com:587/"
    set smtp_pass = "<passwd>"
    set imap_user = "hviaene@gmail.com"
    set imap_pass = "<passwd"
    set smtp_authenticators="sasl"
    set ssl_starttls = yes
    set ssl_force_tls = yes
    # My mailboxes
    set folder = "imaps://imap.gmail.com:993"
    set spoolfile = "+INBOX"
    # Where to put the stuff
    set header_cache = "~/.mutt/cache/headers"
    set message_cachedir = "~/.mutt/cache/bodies"
    set certificate_file = "~/.mutt/certificates"
    # Etc
    set mail_check = 30
    set move = no
    set imap_keepalive = 900
    set sort = threads
    set editor = "vim"
    # GnuPG bootstrap
    # source ~/.mutt/gpg.rc

(In reply to Herman Viaene from comment #14)
> $ echo "" | mutt -s "testmutt" -i body.txt herman.viaene@hotmail.be
> TLSv1.3 connection using TLSv1.3 (TLS_AES_256_GCM_SHA384)
> No authenticators available
> Could not send the message.
Humm, I don't use TLS, but have my own SMTP postfix server and since yesterday I have used mutt 2.0.7 to send and receive messages without issue, so I think this is linked more to your setup rather than the tool itself :-(

> My muttrc reads
> # About Me
> set from = "hviaene@gmail.com"
> set realname = "Ikke Thuis"
> # My credentials
> set smtp_url = "smtp://hviaene@gmail.com@smtp.gmail.com:587/"
> set smtp_pass = "<passwd>"
> set imap_user = "hviaene@gmail.com"
> set imap_pass = "<passwd"
> set smtp_authenticators="sasl"
> set ssl_starttls = yes
> set ssl_force_tls = yes

Seems linked to the sasl usage as smtp_authenticators. From the doc:

The built-in SMTP support supports encryption (the smtps protocol using SSL or TLS) as well as SMTP authentication using SASL. The authentication mechanisms for SASL are specified in $smtp_authenticators defaulting to an empty list which makes Mutt try all available methods from most-secure to least-secure.

So what happens if you comment it?

Also:

3.353. smtp_authenticators
Type: string
Default: (empty)

This is a colon-delimited list of authentication methods mutt may attempt to use to log in to an SMTP server, in the order mutt should try them. Authentication methods are any SASL mechanism, e.g. “digest-md5”, “gssapi” or “cram-md5”. This option is case-insensitive. If it is “unset” (the default) mutt will try all available methods, in order from most-secure to least-secure. Example:

    set smtp_authenticators="digest-md5:cram-md5"

Any of the suggestions above resolves the authentication problem. But I agree to send it off based on Bruno's test. I'm not confident in my own knowledge of mutt.

Whiteboard:
(none) =>
MGA8-64-OK

Validating.

Keywords:
(none) =>
validated_update
Dave Hodgins
2023-07-13 19:46:55 CEST
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0232.html

Resolution:
(none) =>
FIXED |