Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 755866 - <mail-client/mutt-2.0.2: May not detect failed handshake (CVE-2020-28896)
Summary: <mail-client/mutt-2.0.2: May not detect failed handshake (CVE-2020-28896)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://lists.mutt.org/pipermail/mutt-...
Whiteboard: B3 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2020-28896
  Show dependency tree
 
Reported: 2020-11-20 18:43 UTC by Sam James
Modified: 2021-01-26 23:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-11-20 18:43:30 UTC
"Hello Mutt Users,

I've just released version 2.0.2.  Instructions for downloading are available at <http://www.mutt.org/download.html>, or the tarball can be directly downloaded from <http://ftp.mutt.org/pub/mutt/>. Please take the time to verify the signature file against my public key.

This is an important bug fix release, addressing CVE-2020-28896.  Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS.

Thanks to Gabriel Salles-Loustau for discovering the problem, and including detailed information and a reproducing example in his report!

Also thanks to Richard Russon for coordinating the release with Mutt.

-Kevin"
Comment 1 Sam James archtester gentoo-dev Security 2020-11-20 18:43:46 UTC
Please bump to 2.0.2. Thanks!
Comment 2 Larry the Git Cow gentoo-dev 2020-11-20 18:59:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a444dde143f9c29e5331888ddc10d0139827666f

commit a444dde143f9c29e5331888ddc10d0139827666f
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-11-20 18:59:24 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-11-20 18:59:24 +0000

    mail-client/mutt-2.0.2: bump for CVE-2020-28896
    
    Bug: https://bugs.gentoo.org/755866
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                                 | 4 ++--
 mail-client/mutt/{mutt-2.0.0.ebuild => mutt-2.0.2.ebuild} | 3 ---
 2 files changed, 2 insertions(+), 5 deletions(-)
Comment 3 Sam James archtester gentoo-dev Security 2020-11-20 19:00:11 UTC
Let us know when ready to stable, thank you for the quick bump!
Comment 4 Fabian Groffen gentoo-dev 2020-11-20 19:06:32 UTC
mutt-2.0.2 is effectively equal to 2.0.0 with addition of a small type-fix (not affecting Linux) and the small bugfix for the CVE.  mutt-2.0.0 was introduced Nov 9.  Considering 2.0.2 as a behaviour controlled close to indentical to 2.0.0, normal stabilisation rules would allow earliest stabilisation Dec 9th.
Comment 5 Sam James archtester gentoo-dev Security 2020-11-20 22:11:48 UTC
(In reply to Fabian Groffen from comment #4)
> mutt-2.0.2 is effectively equal to 2.0.0 with addition of a small type-fix
> (not affecting Linux) and the small bugfix for the CVE.  mutt-2.0.0 was
> introduced Nov 9.  Considering 2.0.2 as a behaviour controlled close to
> indentical to 2.0.0, normal stabilisation rules would allow earliest
> stabilisation Dec 9th.

We don't need to apply the normal rules for security bugs, it's usually ASAP, provided you're satisfied it works.

Given this has just come off the back of 2.0.0, we'll give it a few days, see if any bugs pop up, and go from there?
Comment 6 Fabian Groffen gentoo-dev 2020-11-21 08:56:44 UTC
I've been using it non-stop since it's introduction, I think it's OK for stabilisation, but let's give it the weekend to see if anything pops up.
Comment 7 Sam James archtester gentoo-dev Security 2020-11-22 03:22:11 UTC
(In reply to Fabian Groffen from comment #6)
> I've been using it non-stop since it's introduction, I think it's OK for
> stabilisation, but let's give it the weekend to see if anything pops up.

ACK, thanks Fabian!
Comment 8 Sam James archtester gentoo-dev Security 2020-11-24 10:34:40 UTC
Ready to roll, I assume? :)
Comment 9 Fabian Groffen gentoo-dev 2020-11-24 10:36:02 UTC
yes, go ahead
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-11-25 10:28:26 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-11-25 12:13:26 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-11-25 12:14:12 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-11-25 12:15:11 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-11-26 06:56:43 UTC
ppc64 stable
Comment 15 Sam James archtester gentoo-dev Security 2020-11-26 08:28:46 UTC
arm done
Comment 16 Sergei Trofimovich gentoo-dev 2020-11-26 23:14:35 UTC
hppa stable
Comment 17 John Helmert III (ajak) gentoo-dev Security 2020-11-26 23:25:28 UTC
All arches done, thanks ATs!

Maintainer, please cleanup.
Comment 18 Larry the Git Cow gentoo-dev 2020-11-27 08:00:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=485d5cdad8ecfbfafb6dbfa54a9e059211a2e747

commit 485d5cdad8ecfbfafb6dbfa54a9e059211a2e747
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-11-27 08:00:26 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-11-27 08:00:26 +0000

    mail-client/mutt: cleanup old
    
    Bug: https://bugs.gentoo.org/755866
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                          |   6 -
 .../mutt-1.14.4-no-imap-preauth-with-tunnel.patch  |  30 ---
 mail-client/mutt/mutt-1.14.4-r1.ebuild             | 273 ---------------------
 mail-client/mutt/mutt-1.14.5.ebuild                | 265 --------------------
 mail-client/mutt/mutt-1.14.7.ebuild                | 265 --------------------
 5 files changed, 839 deletions(-)
Comment 19 Sam James archtester gentoo-dev Security 2021-01-26 00:25:24 UTC
Obsoleted by bug 765790.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 23:44:12 UTC
This issue was resolved and addressed in
 GLSA 202101-32 at https://security.gentoo.org/glsa/202101-32
by GLSA coordinator Sam James (sam_c).