Bug 33161

Summary: mutt new security issues CVE-2023-487[45]
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: mutt-2.2.10-1.mga9.src.rpm CVE: CVE-2023-4874, CVE-2023-4875
Status comment:

Description Nicolas Salguero 2024-04-30 17:12:59 CEST 
RedHat has issued an advisory on April 30:
https://lwn.net/Articles/971683/
Nicolas Salguero 2024-04-30 17:13:47 CEST

Status comment: (none) => Fixed upstream in 2.2.12 and patches available from upstream
Source RPM: (none) => mutt-2.2.10-1.mga9.src.rpm
CVE: (none) => CVE-2023-4874, CVE-2023-4875

Comment 1 Lewis Smith 2024-04-30 20:36:51 CEST 
Cauldron already has 2.2.12 & 2.2.13, so this is porting mutt to M9.
Assigning to Jani who seems to maintain this SRPM.

Assignee: bugsquad => jani.valimaa

Comment 2 Nicolas Salguero 2024-05-02 16:07:46 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12. (CVE-2023-4874)

Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12. (CVE-2023-4875)

References:
https://lwn.net/Articles/971683/
========================

Updated packages in core/updates_testing:
========================
mutt-2.2.10-1.1.mga9
mutt-doc-2.2.10-1.1.mga9

from SRPM:
mutt-2.2.10-1.1.mga9.src.rpm

Status comment: Fixed upstream in 2.2.12 and patches available from upstream => (none)
Status: NEW => ASSIGNED
Assignee: jani.valimaa => qa-bugs

katnatek 2024-05-02 20:10:20 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-05-11 19:42:12 CEST 
This tool need of know-how that I not have, so I just test update from current version and uninstall

LC_ALL=C urpmi mutt mutt-doc


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/mutt-doc-2.2.10-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/mutt-2.2.10-1.mga9.x86_64.rpm                  
installing mutt-2.2.10-1.mga9.x86_64.rpm mutt-doc-2.2.10-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms                               
Preparing...                     ##################################################################################################
      1/2: mutt-doc              ##################################################################################################
      2/2: mutt                  ##################################################################################################

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing mutt-2.2.10-1.1.mga9.x86_64.rpm mutt-doc-2.2.10-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: mutt-doc              ##################################################################################################
      2/2: mutt                  ##################################################################################################
      1/2: removing mutt-1:2.2.10-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing mutt-doc-1:2.2.10-1.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpme mutt mutt-doc
removing mutt-2.2.10-1.1.mga9.x86_64 mutt-doc-2.2.10-1.1.mga9.x86_64
removing package mutt-1:2.2.10-1.1.mga9.x86_64
      1/2: removing mutt-1:2.2.10-1.1.mga9.x86_64
                                 ##################################################################################################
removing package mutt-doc-1:2.2.10-1.1.mga9.x86_64
      2/2: removing mutt-doc-1:2.2.10-1.1.mga9.x86_64
                                 ##################################################################################################
katnatek 2024-05-11 19:42:50 CEST

CC: (none) => andrewsfarm

Comment 4 katnatek 2024-05-11 19:43:41 CEST 
Feel free to remove the OK and/or provide a meaningful test

Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2024-05-12 16:14:30 CEST 
This is very new to me, but there is a minimal test in bug 25909 comment 7 and bug 25909 comment 8. Trying it on my system:

$  ll /var/spool/mail
total 0
-rw-rw---- 1 tom mail 0 Dec 27 13:20 tom

Trying $ mutt -f /var/spool/mail/tom mutt tells me the folder doesn't exist, asking if I want to create it. I answered yes, and mutt opened. Using the "q" command to quit, I see this in the terminal:

Mailbox is unchanged.
$ 

It looks like that is OK, as far as it goes.
Comment 6 Thomas Andrews 2024-05-12 16:17:45 CEST 
Before validating, looking over the history of mutt updates, almost every time mutt needs a security patch, so does neomutt. Usually it's done in the same bug, but there have also been times when it was separated.

So, is neomutt affected this time? And if so, will we use this bug or a separate one?
Comment 7 katnatek 2024-05-12 20:11:35 CEST 
(In reply to Thomas Andrews from comment #6)
> Before validating, looking over the history of mutt updates, almost every
> time mutt needs a security patch, so does neomutt. Usually it's done in the
> same bug, but there have also been times when it was separated.
> 
> So, is neomutt affected this time? And if so, will we use this bug or a
> separate one?

neomutt is not affected if we trust in the available information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4874

Comparing with fixed cve https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32055 where neomutt is listed

So as your intention is validating, I do it for you

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Andrews 2024-05-13 01:28:09 CEST 
OK. Never hurts to check on these things.
Comment 9 Mageia Robot 2024-05-13 16:24:26 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0175.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED