138125 2006-06-26 17:01 0000 mail-client/mutt: IMAP Buffer Overflow (CVE-2006-3242) 2006-09-03 03:42:41 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/20810/ A2 [glsa] hlieberman P2 major --- 1 hlieberman@gentoo.org security@gentoo.org agriffis@gentoo.org ferdy@gentoo.org hlieberman@gentoo.org mips@gentoo.org hlieberman@gentoo.org 2006-06-26 17:01:06 0000 Takahashi Tamotsu discovered a buffer overflow that can cause a DoS, and possibly arbitrary code execution with the privs. of the user running mutt. Note that a user must visit a malicious IMAP server in order to be affected by this. Vulnerable in: =<1.4.2.1 Unaffected in: CVS hlieberman@gentoo.org 2006-06-26 17:08:41 0000 Fixed Severity -- Sorry 'bout that. hlieberman@gentoo.org 2006-06-26 17:19:14 0000 Though we appear to be out of the affected version range, Falco believes that we are still vulnerable. Herd, can you run a sanity check on this one? ferdy@gentoo.org 2006-06-27 03:23:41 0000 I patched imap/browse.c in our ebuild and added it as mutt-1.5.11-r2 - ferdy falco@gentoo.org 2006-06-27 03:52:07 0000 Thanks ferdy hi arches, please mark 1.5.11-r2 as stable, thank you birder@ozemail.com.au 2006-06-27 05:03:37 0000 Hi ferdy, Is there any reason why mutt isn't using autoconf-2.60? I can't install the new ebuild because it requires a downgrade autoconf to 2.59-r7, resulting in dependency ping-pong. (maildrop is another package still using 2.59.) Cheers, grobian@gentoo.org 2006-06-27 05:07:37 0000 Probably because otherwise ppc-macos cannot compile any more. I don't know if a >= is possible. birder@ozemail.com.au 2006-06-27 05:16:01 0000 (In reply to comment #6) > Probably because otherwise ppc-macos cannot compile any more. I don't know if > a >= is possible. Works for me (x86.) ferdy@gentoo.org 2006-06-27 06:27:24 0000 Because I forgot to remove that dependencies, sorry. Should work now. (worked for me in alpha and x86 at least). I just commit a new version of -r2 without explicit dependencies and without WANT_AUTOCONF. - ferdy exg@gentoo.org 2006-06-27 08:56:49 0000 ppc stable corsair@gentoo.org 2006-06-27 09:12:28 0000 stable on ppc64 grobian@gentoo.org 2006-06-27 10:03:24 0000 ppc-macos done. I also ported the patch to muttng and included the patch there. muttng-20060619-r1 has the patch included. wolf31o2@gentoo.org 2006-06-27 10:30:50 0000 x86 done... if we're supposed to do soemthing with muttng, add us back killerfox@gentoo.org 2006-06-27 11:53:37 0000 stable on hppa ferdy@gentoo.org 2006-06-27 12:03:56 0000 Alpha done. gustavoz@gentoo.org 2006-06-27 12:35:14 0000 sparc stable. metalgod@gentoo.org 2006-06-27 19:41:56 0000 amd64 stable falco@gentoo.org 2006-06-28 03:06:51 0000 This was fast, thanks. Let's go for the GLSA jaervosz@gentoo.org 2006-06-28 11:49:17 0000 Updated CVE info. hlieberman@gentoo.org 2006-06-28 13:38:42 0000 GLSA 200606-27 committed. Good job everyone. http://www.gentoo.org/security/en/glsa/glsa-200606-27.xml hlieberman@gentoo.org 2006-06-28 13:39:29 0000 &nsbp; jaervosz@gentoo.org 2006-06-28 21:55:05 0000 Harlan please don't close security bugs:-) Mail is finally out on announce. GLSA 200606-27 mips, ia64 don't forget to mark stable to benifit from the GLSA.