RedHat has issued an advisory on April 30: https://lwn.net/Articles/971683/
Status comment: (none) => Fixed upstream in 2.2.12 and patches available from upstreamSource RPM: (none) => mutt-2.2.10-1.mga9.src.rpmCVE: (none) => CVE-2023-4874, CVE-2023-4875
Cauldron already has 2.2.12 & 2.2.13, so this is porting mutt to M9. Assigning to Jani who seems to maintain this SRPM.
Assignee: bugsquad => jani.valimaa
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12. (CVE-2023-4874) Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12. (CVE-2023-4875) References: https://lwn.net/Articles/971683/ ======================== Updated packages in core/updates_testing: ======================== mutt-2.2.10-1.1.mga9 mutt-doc-2.2.10-1.1.mga9 from SRPM: mutt-2.2.10-1.1.mga9.src.rpm
Status comment: Fixed upstream in 2.2.12 and patches available from upstream => (none)Status: NEW => ASSIGNEDAssignee: jani.valimaa => qa-bugs
Keywords: (none) => advisory
This tool need of know-how that I not have, so I just test update from current version and uninstall LC_ALL=C urpmi mutt mutt-doc https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/mutt-doc-2.2.10-1.mga9.x86_64.rpm https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/mutt-2.2.10-1.mga9.x86_64.rpm installing mutt-2.2.10-1.mga9.x86_64.rpm mutt-doc-2.2.10-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms Preparing... ################################################################################################## 1/2: mutt-doc ################################################################################################## 2/2: mutt ################################################################################################## LC_ALL=C urpmi --auto --auto-update medium "QA Testing (32-bit)" is up-to-date medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date medium "Core Updates (distrib3)" is up-to-date medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date medium "Core 32bit Updates (distrib32)" is up-to-date medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing mutt-2.2.10-1.1.mga9.x86_64.rpm mutt-doc-2.2.10-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/2: mutt-doc ################################################################################################## 2/2: mutt ################################################################################################## 1/2: removing mutt-1:2.2.10-1.mga9.x86_64 ################################################################################################## 2/2: removing mutt-doc-1:2.2.10-1.mga9.x86_64 ################################################################################################## LC_ALL=C urpme mutt mutt-doc removing mutt-2.2.10-1.1.mga9.x86_64 mutt-doc-2.2.10-1.1.mga9.x86_64 removing package mutt-1:2.2.10-1.1.mga9.x86_64 1/2: removing mutt-1:2.2.10-1.1.mga9.x86_64 ################################################################################################## removing package mutt-doc-1:2.2.10-1.1.mga9.x86_64 2/2: removing mutt-doc-1:2.2.10-1.1.mga9.x86_64 ##################################################################################################
CC: (none) => andrewsfarm
Feel free to remove the OK and/or provide a meaningful test
Whiteboard: (none) => MGA9-64-OK
This is very new to me, but there is a minimal test in bug 25909 comment 7 and bug 25909 comment 8. Trying it on my system: $ ll /var/spool/mail total 0 -rw-rw---- 1 tom mail 0 Dec 27 13:20 tom Trying $ mutt -f /var/spool/mail/tom mutt tells me the folder doesn't exist, asking if I want to create it. I answered yes, and mutt opened. Using the "q" command to quit, I see this in the terminal: Mailbox is unchanged. $ It looks like that is OK, as far as it goes.
Before validating, looking over the history of mutt updates, almost every time mutt needs a security patch, so does neomutt. Usually it's done in the same bug, but there have also been times when it was separated. So, is neomutt affected this time? And if so, will we use this bug or a separate one?
(In reply to Thomas Andrews from comment #6) > Before validating, looking over the history of mutt updates, almost every > time mutt needs a security patch, so does neomutt. Usually it's done in the > same bug, but there have also been times when it was separated. > > So, is neomutt affected this time? And if so, will we use this bug or a > separate one? neomutt is not affected if we trust in the available information https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4875 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4874 Comparing with fixed cve https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32055 where neomutt is listed So as your intention is validating, I do it for you
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
OK. Never hurts to check on these things.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0175.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED