Bug 25909 - mutt new security issue rhbz#1710397
Summary: mutt new security issue rhbz#1710397
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-12-19 23:34 CET by David Walser
Modified: 2020-02-18 15:07 CET (History)
6 users (show)

See Also:
Source RPM: mutt-1.11.4-1.mga7.src.rpm
Status comment: Fixed upstream in 1.12.0


Description David Walser 2019-12-19 23:34:13 CET
Fedora has issued an advisory on June 19:

The issue is fixed upstream in 1.12.0.
Comment 1 Lewis Smith 2019-12-20 20:42:05 CET
Assigning to wally as both registered and actual maintainer.

Assignee: bugsquad => jani.valimaa

David Walser 2020-01-14 17:41:05 CET

Status comment: (none) => Fixed upstream in 1.12.0

Jani Välimaa 2020-01-14 18:27:23 CET

See Also: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=1710397

Comment 2 Jani Välimaa 2020-01-14 18:34:57 CET
Added an upstream patch [1] to fix the issue. Please test mutt-1.11.4-1.1.mga7 from core/updates_testing.

[1] https://gitlab.com/muttmua/mutt/commit/3b6f6b829718ec8a7cf3eb6997d86e83e6c38567

See Also: (none) => http://bugs.debian.org/929017
Assignee: jani.valimaa => qa-bugs

Comment 3 Jani Välimaa 2020-01-14 18:36:19 CET


CC: (none) => jani.valimaa

Comment 4 David Walser 2020-01-14 18:40:40 CET

Updated mutt packages fix security vulnerability:

Invalid format of RFC parameter passed to atoi() function in rfc2231.c could
lead to unexpected behavior (rhbz#1710397, bdo#929017).

Comment 5 Herman Viaene 2020-01-16 11:14:17 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Found some info on the use of mutt at https://www.thegeekdiary.com/how-to-install-and-configure-mutt-in-centos-rhel/
Tried to use mutt to send an e-mail from my hotmail account to my gmail account, but got into trouble defining the smtp parameters
MS seems to do something strange for "direct mail"
Swapped around, sending from gmail to hotmail gets me a bt further but still I run into a problem I cannot solve right now:
$ echo "" | mutt -s "testmutt" -i body.txt  herman.viaene@hotmail.be
Verbinding met smtp.gmail.com beëindigd (Connection closed)
SMTP-sessie is mislukt: leesfout (smptp session failed: read error)
Bericht kon niet verstuurd worden. (message could not be sent)
The file body.txt used in the command just contains one line of plain text.

CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2020-02-13 21:46:57 CET
Sending this on the basis of a clean install.

Validating. Advisory in Comment 4.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mike Rambo 2020-02-14 14:19:34 CET
In case you're interested... one way you can do some amount of testing with mutt is to open any mailbox (look in /var/spool/mail) on your system that has something in it. Mine has...

$ ll /var/spool/mail
total 2128
-rw------- 1 apache  mail    2304 Nov  2  2016 apache
-rw------- 1 mrambo  mail    1459 May 17  2019 mrambo
-rw------- 1 postfix mail 2164679 Feb 14 04:02 postfix

All three of those boxes contain something (the size will be 0 if it does not). You can read them with mutt.

sudo mutt -f /var/spool/mail postfix

You won't need sudo or have to become root if you own the mailbox you're opening. Once mutt opens you should be able to manipulate the mails in about any way short of replying to them since you probably won't have smtp set up yet. Anyway, this will at least enable you to see mutt do something with some mail.

CC: (none) => mrambo

Comment 8 Mike Rambo 2020-02-14 14:20:39 CET
Opps - that should be sudo mutt -f /var/spool/mail/postfix
Thomas Backlund 2020-02-18 13:48:29 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-02-18 15:07:27 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.