Bugzilla Bug 138125

Takahashi Tamotsu discovered a buffer overflow that can cause a DoS, and
possibly arbitrary code execution with the privs. of the user running mutt. 
Note that a user must visit a malicious IMAP server in order to be affected by
this. 

Vulnerable in: =<1.4.2.1
Unaffected in: CVS

Fixed Severity -- Sorry 'bout that.

Though we appear to be out of the affected version range, Falco believes that
we are still vulnerable. 

Herd, can you run a sanity check on this one?

I patched imap/browse.c in our ebuild and added it as mutt-1.5.11-r2

- ferdy

Thanks ferdy

hi arches, please mark 1.5.11-r2 as stable, thank you

Hi ferdy,

Is there any reason why mutt isn't using autoconf-2.60?  I can't install the
new ebuild because it requires a downgrade autoconf to 2.59-r7, resulting in
dependency ping-pong.  (maildrop is another package still using 2.59.)

Cheers,

Probably because otherwise ppc-macos cannot compile any more.  I don't know if
a >= is possible.

(In reply to comment #6)
> Probably because otherwise ppc-macos cannot compile any more.  I don't know if
> a >= is possible.

Works for me (x86.)

Because I forgot to remove that dependencies, sorry. Should work now. (worked
for me in alpha and x86 at least).

I just commit a new version of -r2 without explicit dependencies and without
WANT_AUTOCONF.

- ferdy

ppc stable

stable on ppc64

ppc-macos done.  I also ported the patch to muttng and included the patch
there.  muttng-20060619-r1 has the patch included.

x86 done... if we're supposed to do soemthing with muttng, add us back

stable on hppa

Alpha done.

sparc stable.

amd64 stable

This was fast, thanks.

Let's go for the GLSA

Updated CVE info.

GLSA 200606-27 committed. Good job everyone.

http://www.gentoo.org/security/en/glsa/glsa-200606-27.xml

&nsbp;

Harlan please don't close security bugs:-)

Mail is finally out on announce.

GLSA 200606-27

mips, ia64 don't forget to mark stable to benifit from the GLSA.