Bug 728302 - <mail-client/neomutt-20200619: Multiple vulnerabilities
Summary: <mail-client/neomutt-20200619: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+]
Keywords: CC-ARCHES
Depends on: 728980
Blocks: CVE-2020-14093, CVE-2020-14154
Reported: 2020-06-14 22:59 UTC by Sam James
Modified: 2020-07-29 00:23 UTC

Package list:
=mail-client/neomutt-20200626 amd64 x86
Runtime testing required: ---
nattka: sanity-check+


Description Sam James gentoo-dev Security 2020-06-14 22:59:50 UTC
Vulnerable to the same issues as mail-client/mutt (see tracker).

From ajak (thanks!):
<ajak> lead neomutt dev: [22:52] < flatcap> ajak: yes, neomutt is still very similar to mutt and is affected
Comment 1 Sam James gentoo-dev Security 2020-06-14 23:01:30 UTC
[00:01:34]  <ajak> oh, flatcap also said neomutt release due friday
Comment 2 John Helmert III (ajak) 2020-06-19 18:48:07 UTC
From the 20200619 changelog:

Prevent possible IMAP MITM via PREAUTH response

Looks like we're good on the second Mutt issue on Neomutt with this release. Maintainer(s), please bump.
Comment 3 Sam James gentoo-dev Security 2020-06-19 20:16:48 UTC
Acked on IRC
Comment 4 John Helmert III (ajak) 2020-06-26 17:59:42 UTC
Release 20200626 is probably a better candidate for stabilization when it gets an ebuild due to runtime breakage:

https://github.com/neomutt/neomutt/issues/2382
Comment 5 Nicolas Bock gentoo-dev 2020-06-29 13:19:02 UTC
I pushed 2020-06-26 to tree.
Comment 6 Sam James gentoo-dev Security 2020-07-26 15:31:37 UTC
GLSA vote: yes
Comment 7 Sam James gentoo-dev Security 2020-07-27 21:15:29 UTC
amd64 stable
Comment 8 Sam James gentoo-dev Security 2020-07-27 22:25:59 UTC
x86 stable. Please cleanup.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:43:11 UTC
This issue was resolved and addressed in
 GLSA 202007-57 at https://security.gentoo.org/glsa/202007-57
by GLSA coordinator Sam James (sam_c).
Comment 10 Sam James gentoo-dev Security 2020-07-28 19:45:09 UTC
Reopening for cleanup.
Comment 11 Larry the Git Cow gentoo-dev 2020-07-29 00:20:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68fc4385c792dd15b53c29355943fd94e1ef801f

commit 68fc4385c792dd15b53c29355943fd94e1ef801f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:39 +0000

    mail-client/neomutt: security cleanup
    
    Bug: https://bugs.gentoo.org/728302
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 mail-client/neomutt/Manifest                |   3 -
 mail-client/neomutt/metadata.xml            |   4 -
 mail-client/neomutt/neomutt-20180716.ebuild | 130 ----------------------------
 mail-client/neomutt/neomutt-20200501.ebuild | 128 ---------------------------
 mail-client/neomutt/neomutt-20200619.ebuild | 128 ---------------------------
 5 files changed, 393 deletions(-)