Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 728708 (CVE-2020-14954) - <mail-client/mutt-1.14.4: MITM in STARTTLS for IMAP/POP3/SMTP (CVE-2020-14954)
Summary: <mail-client/mutt-1.14.4: MITM in STARTTLS for IMAP/POP3/SMTP (CVE-2020-14954)
Status: RESOLVED FIXED
Alias: CVE-2020-14954
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://lists.mutt.org/pipermail/mutt-...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks: 728294
  Show dependency tree
 
Reported: 2020-06-19 01:17 UTC by Sam James
Modified: 2020-07-28 19:43 UTC (History)
2 users (show)

See Also:
Package list:
=mail-client/mutt-1.14.4-r1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-06-19 01:17:49 UTC
Description:
"This is an important security release fixing a possible machine-in-the-middle response injection attack when using STARTTLS with IMAP, POP3, and SMTP.  (For packagers, I've requested a CVE and will update the website when I have the number)."
Comment 1 Sam James gentoo-dev Security 2020-06-19 01:18:04 UTC
CVE pending.

@maintainer(s), please bump to 1.14.4.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-19 07:01:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=853490aded8a597f03bdd24b6f56cfffbfeecb97

commit 853490aded8a597f03bdd24b6f56cfffbfeecb97
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-19 07:00:59 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-19 07:00:59 +0000

    mail-client/mutt-1.14.4: another security bump
    
    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest           |   2 +
 mail-client/mutt/mutt-1.14.4.ebuild | 270 ++++++++++++++++++++++++++++++++++++
 2 files changed, 272 insertions(+)
Comment 3 Sam James gentoo-dev Security 2020-06-19 11:55:26 UTC
We alright to stable it now given this is all that changed?

Hopefully this is the last one for a bit..
Comment 4 Fabian Groffen gentoo-dev 2020-06-19 12:39:49 UTC
yup, please cancel the 1.14.3 one, and focus on this one.
Comment 5 Sam James gentoo-dev Security 2020-06-19 12:44:01 UTC
(In reply to Fabian Groffen from comment #4)
> yup, please cancel the 1.14.3 one, and focus on this one.

Thanks! Done
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-06-20 13:50:51 UTC
x86 stable
Comment 7 Rolf Eike Beer 2020-06-20 19:18:32 UTC
sparc stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2020-06-20 22:39:39 UTC
Hold stabilization.

@ maintainer: A regression was reported, see http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20200615/001738.html.

Just copy mutt-1.14.4 ebuild to new revision and *continue* stabilization afterwards. No need to restart for sparc/x86.
Comment 9 NATTkA bot gentoo-dev 2020-06-20 22:40:43 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 10 Larry the Git Cow gentoo-dev 2020-06-21 07:47:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a760a283613c47ac37b31c6394f89a431e823ca8

commit a760a283613c47ac37b31c6394f89a431e823ca8
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-21 07:44:41 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-21 07:44:41 +0000

    mail-client/mutt-1.14.4-r1: yet another security bump
    
    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                          |  2 --
 .../mutt-1.14.4-no-imap-preauth-with-tunnel.patch  | 30 ++++++++++++++++++++++
 .../{mutt-1.14.2.ebuild => mutt-1.14.4-r1.ebuild}  |  3 +++
 3 files changed, 33 insertions(+), 2 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2020-06-21 07:48:34 UTC
Unable to check for sanity:

> no match for package: =mail-client/mutt-1.14.4
Comment 12 NATTkA bot gentoo-dev 2020-06-21 07:52:30 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 13 John Helmert III (ajak) 2020-06-21 19:55:21 UTC
Assigned CVE-2020-14954.
Comment 14 Agostino Sarubbo gentoo-dev 2020-06-22 07:00:22 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2020-06-22 07:01:00 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2020-06-22 07:01:40 UTC
ppc64 stable
Comment 17 Rolf Eike Beer 2020-06-22 18:36:31 UTC
hppa stable
Comment 18 Agostino Sarubbo gentoo-dev 2020-06-25 07:02:27 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 19 Larry the Git Cow gentoo-dev 2020-06-25 09:08:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cbaf7905f650a704ee884cb247d0d43b06b540a

commit 6cbaf7905f650a704ee884cb247d0d43b06b540a
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-25 09:08:13 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-25 09:08:13 +0000

    mail-client/mutt: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest           |   4 -
 mail-client/mutt/mutt-1.13.5.ebuild | 268 -----------------------------------
 mail-client/mutt/mutt-1.14.3.ebuild | 270 ------------------------------------
 3 files changed, 542 deletions(-)
Comment 20 Sam James gentoo-dev Security 2020-06-25 11:54:14 UTC
Thanks!
Comment 21 Sam James gentoo-dev Security 2020-07-26 15:29:06 UTC
GLSA vote: yes
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:43:25 UTC
This issue was resolved and addressed in
 GLSA 202007-57 at https://security.gentoo.org/glsa/202007-57
by GLSA coordinator Sam James (sam_c).