Bug 788391 - <mail-client/neomutt-20210205-r1: Out of bounds read in IMAP parser (CVE-2021-32055)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2021-32055
Reported: 2021-05-05 16:39 UTC by Sam James
Modified: 2021-05-26 08:09 UTC

See Also:
Package list:
mail-client/neomutt-20210205-r1
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2021-05-05 16:39:25 UTC
See tracker.

Please apply this patch: https://github.com/neomutt/neomutt/commit/fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc unless a release is coming soon?
Comment 1 Nicolas Bock gentoo-dev 2021-05-05 22:00:57 UTC
I submitted a patched revision for review at https://github.com/gentoo/gentoo/pull/20694

Thanks!
Comment 2 Larry the Git Cow gentoo-dev 2021-05-06 14:26:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86a4861e461e295b66844592352e95ae610d1083

commit 86a4861e461e295b66844592352e95ae610d1083
Author:     Nicolas Bock <nicolasbock@gentoo.org>
AuthorDate: 2021-05-05 21:54:19 +0000
Commit:     Nicolas Bock <nicolasbock@gentoo.org>
CommitDate: 2021-05-06 14:26:32 +0000

    mail-client/neomutt: neomutt-20210205-r1
    
    * Applied 0001-Fix-seqset-iterator-when-it-ends-in-a-comma.patch
    
    Bug: https://bugs.gentoo.org/788391
    Closes: https://github.com/gentoo/gentoo/pull/20694
    Signed-off-by: Nicolas Bock <nicolasbock@gentoo.org>

 ...x-seqset-iterator-when-it-ends-in-a-comma.patch |  37 +++++
 mail-client/neomutt/neomutt-20210205-r1.ebuild     | 156 +++++++++++++++++++++
 2 files changed, 193 insertions(+)
Comment 3 Nicolas Bock gentoo-dev 2021-05-06 14:32:05 UTC
Closing with patched version available in tree.
Comment 4 Sam James archtester gentoo-dev Security 2021-05-06 17:48:22 UTC
Thanks! We need to stable it now though (and later clean up, possibly GLSA). Let us know when it is ready.
Comment 5 Nicolas Bock gentoo-dev 2021-05-07 15:11:57 UTC
Do you want to give it the usual 30 days before stabilization? Or base that timeframe on the existence of neomutt-20210205?
Comment 6 Sam James archtester gentoo-dev Security 2021-05-09 06:08:25 UTC
(In reply to Nicolas Bock from comment #5)
> Do you want to give it the usual 30 days before stabilization? Or base that
> timeframe on the existence of neomutt-20210205?

Usually, we go pretty fast with security ones if not much changed. Maybe try it for a few days and see if it looks OK, and let us know?
Comment 7 Nicolas Bock gentoo-dev 2021-05-10 19:08:08 UTC
Perfect. Will do.
Comment 8 Sam James archtester gentoo-dev Security 2021-05-16 07:56:41 UTC
OK to go?
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-25 18:58:28 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-05-25 19:10:43 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Thomas Deutschmann gentoo-dev Security 2021-05-25 21:58:30 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:07:29 UTC
This issue was resolved and addressed in
 GLSA 202105-05 at https://security.gentoo.org/glsa/202105-05
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Larry the Git Cow gentoo-dev 2021-05-26 08:09:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57995b9b5da2f30571e8ef0221616f8f5018d624

commit 57995b9b5da2f30571e8ef0221616f8f5018d624
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-26 08:09:25 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-26 08:09:33 +0000

    mail-client/neomutt: security cleanup
    
    Bug: https://bugs.gentoo.org/788391
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/neomutt/Manifest                   |   1 -
 mail-client/neomutt/neomutt-20201127-r1.ebuild | 152 -------------------------
 mail-client/neomutt/neomutt-20201127.ebuild    | 152 -------------------------
 mail-client/neomutt/neomutt-20210205.ebuild    | 152 -------------------------
 4 files changed, 457 deletions(-)