Takahashi Tamotsu discovered a buffer overflow that can cause a DoS, and possibly arbitrary code execution with the privs. of the user running mutt. Note that a user must visit a malicious IMAP server in order to be affected by this. Vulnerable in: =<1.4.2.1 Unaffected in: CVS
Fixed Severity -- Sorry 'bout that.
Though we appear to be out of the affected version range, Falco believes that we are still vulnerable. Herd, can you run a sanity check on this one?
I patched imap/browse.c in our ebuild and added it as mutt-1.5.11-r2 - ferdy
Thanks ferdy. Hi arches, please mark 1.5.11-r2 as stable, thank you.
Hi ferdy, Is there any reason why mutt isn't using autoconf-2.60? I can't install the new ebuild because it requires a downgrade of autoconf to 2.59-r7, resulting in dependency ping-pong. (maildrop is another package still using 2.59.) Cheers,
Probably because otherwise ppc-macos cannot compile any more. I don't know if a >= is possible.
(In reply to comment #6)
> Probably because otherwise ppc-macos cannot compile any more. I don't know if
> a >= is possible.
Works for me (x86.)
Because I forgot to remove those dependencies, sorry. Should work now. (worked for me in alpha and x86 at least). I just committed a new version of -r2 without explicit dependencies and without WANT_AUTOCONF. - ferdy
ppc stable
stable on ppc64
ppc-macos done. I also ported the patch to muttng and included the patch there. muttng-20060619-r1 has the patch included.
x86 done... if we're supposed to do something with muttng, add us back
stable on hppa
Alpha done.
sparc stable.
amd64 stable
This was fast, thanks. Let's go for the GLSA
Updated CVE info.
GLSA 200606-27 committed. Good job everyone. http://www.gentoo.org/security/en/glsa/glsa-200606-27.xml
Harlan, please don't close security bugs :-) Mail is finally out on announce. GLSA 200606-27. mips, ia64: don't forget to mark stable to benefit from the GLSA.