Bug 23345 - mutt new security issues CVE-2018-14349, CVE-2018-1435[0-9], CVE-2018-1436[0-3]
Summary: mutt new security issues CVE-2018-14349, CVE-2018-1435[0-9], CVE-2018-1436[0-3]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-24 18:24 CEST by David Walser
Modified: 2018-11-15 23:05 CET

See Also:
Source RPM: mutt-1.10.0-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-07-24 18:24:17 CEST
Ubuntu has issued an advisory on July 23:
https://usn.ubuntu.com/3719-1/

The issues are fixed upstream in 1.10.1.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-07-24 18:24:33 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-08-02 17:34:01 CEST
SUSE has issued an advisory on July 27:
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004326.html

It fixes these and a few more issues.

Summary: mutt new security issues CVE-2018-14349, CVE-2018-1435[0-9], CVE-2018-14362 => mutt new security issues CVE-2018-14349, CVE-2018-1435[0-9], CVE-2018-1436[0-3]

Comment 3 David Walser 2018-08-06 22:01:18 CEST
openSUSE has issued an advisory for this today (August 6):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00027.html
Comment 4 David Walser 2018-08-10 00:21:45 CEST
mutt-1.10.1-1.mga7 uploaded for Cauldron by Jani.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 David Walser 2018-10-10 00:39:19 CEST
Ubuntu has issued an updated advisory for this on September 28:
https://usn.ubuntu.com/3719-3/
Comment 6 Bruno Cornec 2018-10-11 01:54:17 CEST
I pushed mutt 1.10.1 for 6 in core/updates_testing

Target Milestone: --- => Mageia 6
CC: (none) => bruno
Status: NEW => ASSIGNED
Assignee: jani.valimaa => qa-bugs

Comment 7 David Walser 2018-10-12 01:14:13 CEST
Advisory:
========================

Updated mutt package fixes security vulnerabilities:

It was discovered that Mutt incorrectly handled certain requests. An attacker
could possibly use this to execute arbitrary code (CVE-2018-14350,
CVE-2018-14352, CVE-2018-14354, CVE-2018-14359, CVE-2018-14358, CVE-2018-14353,
CVE-2018-14357).

It was discovered that Mutt incorrectly handled certain inputs. An attacker
could possibly use this to access or expose sensitive information
(CVE-2018-14355, CVE-2018-14356, CVE-2018-14351, CVE-2018-14362,
CVE-2018-14349).

nntp_add_group in newsrc.c has a stack-based buffer overflow because of
incorrect sscanf usage (CVE-2018-14360).

nntp.c proceeds even if memory allocation fails for messages data (CVE-2018-14361).

newsrc.c does not properly restrict '/' characters that may have unsafe
interaction with cache pathnames (CVE-2018-14363).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14353
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14354
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14355
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14357
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14363
https://usn.ubuntu.com/3719-1/
https://lists.opensuse.org/opensuse-updates/2018-08/msg00027.html
========================

Updated packages in core/updates_testing:
========================
mutt-1.10.1-1.1.mga6
mutt-utf8-1.10.1-1.1.mga6
mutt-doc-1.10.1-1.1.mga6

from mutt-1.10.1-1.1.mga6.src.rpm

Target Milestone: Mageia 6 => ---
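
The bug class the advisory above names for CVE-2018-14360 (an sscanf conversion with no field width writing into a fixed buffer), as an added illustration that is not mutt's code and not part of this bug report. `struct group`, `NAME_W`, both function names and the four-field "name last first flag" line layout are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_W 63                 /* max group-name length (assumed for this example) */
#define STR_(x) #x
#define STR(x) STR_(x)            /* turns NAME_W into the literal "63" */

struct group {                    /* hypothetical record, not mutt's structure */
    char name[NAME_W + 1];
    unsigned long last, first;
    char mod;
};

/* Unsafe pattern: "%s" carries no field width, so a name longer than
 * NAME_W bytes is written past the end of g->name. */
int parse_group_unsafe(const char *line, struct group *g)
{
    return sscanf(line, "%s %lu %lu %c",
                  g->name, &g->last, &g->first, &g->mod) == 4 ? 0 : -1;
}

/* Hardened form: the width caps the store at NAME_W bytes plus the NUL,
 * and %n shows where the name stopped. If the next byte is not the
 * separating space, the name was cut at the limit and the line is rejected
 * instead of being parsed with its tail misread as the numeric fields. */
int parse_group_safe(const char *line, struct group *g)
{
    int used = 0;
    memset(g, 0, sizeof *g);
    if (sscanf(line, "%" STR(NAME_W) "s%n", g->name, &used) != 1)
        return -1;
    if (line[used] != ' ')
        return -1;
    if (sscanf(line + used, " %lu %lu %c", &g->last, &g->first, &g->mod) != 3)
        return -1;
    return 0;
}

int main(void)
{
    struct group g;
    char big[256];                /* constructed oversized input */
    memset(big, 'A', 200);
    strcpy(big + 200, " 120 1 y");
    printf("normal line:    %d\n", parse_group_safe("comp.lang.c 120 1 y", &g));
    printf("oversized name: %d\n", parse_group_safe(big, &g));
    return 0;
}
```

A width limit alone would still accept a truncated name whose tail happens to look like the numeric fields, which is why the hardened parser also checks the byte that follows the name.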

Comment 8 Herman Viaene 2018-10-30 14:05:16 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 14707 Comment 1, but link is not valid anymore. Found this PoC at https://gitlab.com/muttmua/trac-tickets/tree/master/attachments/3716
At CLI
$ mutt -R -f crasher.mbox -e 'set weed=no'
crasher.mbox is geen postvak. (is not a mailbox)

Bug 14707 Comment 6 refers to a .muttrc file, but I cannot find this file. mutt seems to be way over me.

CC: (none) => herman.viaene

Comment 9 Len Lawrence 2018-10-30 14:48:06 CET
Similar results here.  Tried it a while ago (not the PoC).  Tried to write the .muttrc and start the application but it came back at me with "not a Mailbox mutthead" or words to that effect.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2018-11-15 20:18:08 CET
Experimenting with .muttrc.
$ cat .muttrc
# About Me
set from = "lcl@difda"
set realname = "Len Lawrence"
# My credentials
set smtp_url = "localhost"
set smtp_pass = "password"
set imap_user = "tarazed25@gmail.com"
set imap_pass = "<whatever>"
# My mailboxes
set folder = "~/.mutt/Mail"
set spoolfile = "+INBOX"
# Where to put the stuff
set header_cache = "~/.mutt/cache/headers"
set message_cachedir = "~/.mutt/cache/bodies"
set certificate_file = "~/.mutt/certificates"
# Etc
set mail_check = 30
set move = no
set imap_keepalive = 900
set sort = threads
set editor = "vim"
# GnuPG bootstrap
# source ~/.mutt/gpg.rc

$ cd .mutt/Mail
$ touch INBOX
$ mutt

This at least launched the application.  ? displayed help which can be paged using the space bar.  Created and sent a message to myself using m and the vi editor and finishing with Esc :wq in the usual fashion.  Some information appeared, an extract from the header.  Hit Return and the message appeared.

It is a start anyway.  Not quite sure what is what.  Off to check my Google mailbox to see if the message is there.  Nope - cannot see it in Sent or my Inbox.  Exited and saw the message "Mailbox is unchanged" so I guess mutt is not working for me.

Tried the PoC using Herman's command:
$ mutt -R -f crasher.mbox -e 'set weed=no'

mutt terminal appeared with a message with index number 1:
   1 N   Nov 26 jwilk@jwilk.net (   1)

Hitting return gives:
From jwilk@jwilk.net Wed Nov 26 18:01:22 2014
From:


Hello world!

Updated mutt from updates testing and tried the PoC again.
The result was the same as before.
Comment 11 Dave Hodgins 2018-11-15 22:17:22 CET
Installed mutt-1.7.2-3 packages, ensured they are working to read mail from
/var/spool/mail/dave where I have several days of cron messages.

Installed the mutt-1.10.1-1.1 packages and confirmed it's still working.

Advisory committed to svn.
Validating the update.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 12 Mageia Robot 2018-11-15 23:05:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0447.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

