661436 – (CVE-2018-14349, CVE-2018-14350, CVE-2018-14351, CVE-2018-14352, CVE-2018-14353, CVE-2018-14354, CVE-2018-14355, CVE-2018-14356, CVE-2018-14357, CVE-2018-14358, CVE-2018-14359, CVE-2018-14362) <mail-client/mutt-1.10.1: Multiple vulnerabilities

Bug 661436 (CVE-2018-14349, CVE-2018-14350, CVE-2018-14351, CVE-2018-14352, CVE-2018-14353, CVE-2018-14354, CVE-2018-14355, CVE-2018-14356, CVE-2018-14357, CVE-2018-14358, CVE-2018-14359, CVE-2018-14362) - <mail-client/mutt-1.10.1: Multiple vulnerabilities

Summary: <mail-client/mutt-1.10.1: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2018-14349, CVE-2018-14350, CVE-2018-14351, CVE-2018-14352, CVE-2018-14353, CVE-2018-14354, CVE-2018-14355, CVE-2018-14356, CVE-2018-14357, CVE-2018-14358, CVE-2018-14359, CVE-2018-14362

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-07-17 20:20 UTC by Fabian Groffen
Modified:	2018-11-23 21:24 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/9299
Package list:	mail-client/mutt-1.10.1 mail-client/neomutt-20180716
Runtime testing required:	No

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fabian Groffen gentoo-dev

2018-07-17 20:20:13 UTC

Heya, I'm pasting an email I got from the Mutt maintainer.

I'm not sure what your process is, so feel free to close this bug and create an appropriate one.  The version with fixes mutt-1.10.1 is in the tree since yesterday.


From: "Kevin J. McCarthy" <kevin@8t8.us>                                        
To: kevin@8t8.us
Subject: mutt CVE Assignments                                                   
Date: Tue, 17 Jul 2018 12:17:36 -0700

I previously forwarded patches for the following CVEs:

* patch 0001:
  CVE-2018-14354 - imap_subscribe Remote Code Execution
  CVE-2018-14357 - LSUB Remote Code Execution

* patch 0002:
CVE-2018-14362 - POP Message Cache Directory Traversal

* patch 0003:
CVE-2018-14355 - STATUS mailbox header cache directory traversal


The other CVEs below have links to our git repos.  I'm grouping them
here because some share commits:

* https://gitlab.com/muttmua/mutt/commit/9347b5c01dc52682cb6be11539d9b7ebceae441
6
CVE-2018-14349 - NO Response Heap Overflow

* https://gitlab.com/muttmua/mutt/commit/3287534daa3beac68e2e83ca4b4fe8a3148ff87
0
CVE-2018-14350 - INTERNALDATE Stack Overflow
CVE-2018-14358 - RFC822.SIZE Stack Overflow

* https://gitlab.com/muttmua/mutt/commit/e57a8602b45f58edf7b3ffb61bb17525d75dfcb
1
CVE-2018-14351 - STATUS Literal Length relative write

* https://gitlab.com/muttmua/mutt/commit/e0131852c6059107939893016c8ff56b6e42865
d
CVE-2018-14352 - imap_quote_string off-by-one stack overflow
CVE-2018-14353 - imap_quote_string int underflow

* https://gitlab.com/muttmua/mutt/commit/e154cba1b3fc52bb8cb8aa846353c0db79b5d9c
6
CVE-2018-14356 - POP empty UID NULL deref

* https://gitlab.com/muttmua/mutt/commit/3d9028fec8f4d08db2251096307c0bbbebce669
a
CVE-2018-14359 - base64 decode Stack Overflow

-Kevin

----- Forwarded message from Jeriko One <jeriko.one@gmx.us> -----

Date: Tue, 17 Jul 2018 12:39:29 -0500
From: Jeriko One <jeriko.one@gmx.us>
To: kevin@8t8.us
Subject: CVE Assignments

Hello Kevin,

The following CVEs have been assigned.

CVE-2018-14349 - NO Response Heap Overflow
CVE-2018-14350 - INTERNALDATE Stack Overflow
CVE-2018-14351 - STATUS Literal Length relative write
CVE-2018-14352 - imap_quote_string off-by-one stack overflow
CVE-2018-14353 - imap_quote_string int underflow
CVE-2018-14354 - imap_subscribe Remote Code Execution
CVE-2018-14355 - STATUS mailbox header cache directory traversal
CVE-2018-14356 - POP empty UID NULL deref
CVE-2018-14357 - LSUB Remote Code Execution
CVE-2018-14358 - RFC822.SIZE Stack Overflow
CVE-2018-14359 - base64 decode Stack Overflow
CVE-2018-14362 - POP Message Cache Directory Traversal


Thank you for your contributes to mutt.

----- End forwarded message -----

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2018-07-17 20:40:19 UTC

(In reply to Fabian Groffen from comment #0)
> Heya, I'm pasting an email I got from the Mutt maintainer.

Thanks, Fabian! I don't see an embargoe on the vulnerabilities so I am unrestricting the bug.  Please CC arches when ready to stabilize.

Comment 2 Fabian Groffen gentoo-dev

2018-07-18 08:38:10 UTC

(In reply to Aaron Bauman from comment #1)
> Thanks, Fabian! I don't see an embargoe on the vulnerabilities so I am
> unrestricting the bug.  Please CC arches when ready to stabilize.

Yup, that was just me hoping to be on the safe side of things :)

@arches: upstream maintainer ensured it is strongly recommended to update

1.10.1 is 1.10.1 without the security patches.

Please stabilise mail-client/mutt-1.10.1

Comment 3 Agostino Sarubbo gentoo-dev

2018-07-19 10:08:12 UTC

amd64 stable

Comment 4 Larry the Git Cow gentoo-dev

2018-07-19 20:15:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93bce19a0929127a24610120482b690147eee6af

commit 93bce19a0929127a24610120482b690147eee6af
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-19 19:37:50 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-19 20:15:04 +0000

    mail-client/mutt: stable 1.10.1 for sparc
    
    Bug: https://bugs.gentoo.org/661436
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="sparc"

 mail-client/mutt/mutt-1.10.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 5 Larry the Git Cow gentoo-dev

2018-07-20 08:08:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edfd9e96e510e03f350a2aff75c366ca96c69e9b

commit edfd9e96e510e03f350a2aff75c366ca96c69e9b
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-20 08:02:02 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-20 08:07:32 +0000

    mail-client/mutt: stable 1.10.1 for ia64, bug #661436
    
    Bug: https://bugs.gentoo.org/661436
    Package-Manager: Portage-2.3.43, Repoman-2.3.10
    RepoMan-Options: --include-arches="ia64"

 mail-client/mutt/mutt-1.10.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2018-07-20 22:42:18 UTC

x86 stable

Comment 7 Larry the Git Cow gentoo-dev

2018-07-20 22:48:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=498e282df1cc634e75d4e19cce9fca5343f187cf

commit 498e282df1cc634e75d4e19cce9fca5343f187cf
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-20 22:47:35 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-20 22:47:35 +0000

    mail-client/mutt: stable 1.10.1 for ppc64, bug #661436
    
    Bug: https://bugs.gentoo.org/661436
    Package-Manager: Portage-2.3.43, Repoman-2.3.10
    RepoMan-Options: --include-arches="ppc64"

 mail-client/mutt/mutt-1.10.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 8 Larry the Git Cow gentoo-dev

2018-07-22 09:00:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=647a0e4f10e8972115d196e0e0e17e56f5f7eadc

commit 647a0e4f10e8972115d196e0e0e17e56f5f7eadc
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-22 08:40:41 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-22 09:00:08 +0000

    mail-client/mutt: stable 1.10.1 for hppa
    
    Bug: https://bugs.gentoo.org/661436
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="hppa"

 mail-client/mutt/mutt-1.10.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 9 Mikle Kolyada (RETIRED) archtester

2018-07-22 19:41:36 UTC

arm stable

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2018-07-23 08:25:31 UTC

Stable on alpha.

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2018-08-22 23:00:57 UTC

New GLSA request filed.

Comment 12 ernsteiswuerfel archtester

2018-08-31 11:40:22 UTC

Looking good on ppc.

Blocked packages are due to USE +libressl.

# cat mutt-661436.report 
USE tests started on Do 30. Aug 23:43:11 CEST 2018

FEATURES=' test' USE='' succeeded for =mail-client/mutt-1.10.1
USE='-berkdb -crypt doc -gdbm -gnutls gpg -gpgme hcache idn -imap kerberos libressl lmdb mbox -nls nntp pgp_classic -pop -qdbm sasl -slang smime -smime_classic smtp -ssl -tokyocabinet -vanilla' : REQUIRED_USE not satisfied (probably) for =mail-client/mutt-1.10.1
USE='-berkdb crypt -doc -gdbm -gnutls -gpg gpgme -hcache -idn imap -kerberos libressl -lmdb -mbox -nls nntp pgp_classic -pop -qdbm sasl -slang smime smime_classic smtp -ssl -tokyocabinet -vanilla' : REQUIRED_USE not satisfied (probably) for =mail-client/mutt-1.10.1
USE tests started on Fr 31. Aug 12:01:51 CEST 2018

FEATURES=' test' USE='' succeeded for =mail-client/mutt-1.10.1
USE='-berkdb -crypt doc -gdbm -gnutls gpg -gpgme hcache idn -imap kerberos libressl lmdb mbox -nls nntp pgp_classic -pop -qdbm sasl -slang smime -smime_classic smtp -ssl -tokyocabinet -vanilla' : REQUIRED_USE not satisfied (probably) for =mail-client/mutt-1.10.1
USE='-berkdb crypt -doc -gdbm -gnutls -gpg gpgme -hcache -idn imap -kerberos libressl -lmdb -mbox -nls nntp pgp_classic -pop -qdbm sasl -slang smime smime_classic smtp -ssl -tokyocabinet -vanilla' : REQUIRED_USE not satisfied (probably) for =mail-client/mutt-1.10.1
USE='berkdb crypt doc gdbm gnutls -gpg gpgme hcache -idn -imap -kerberos libressl lmdb -mbox nls -nntp pgp_classic pop -qdbm sasl slang -smime -smime_classic -smtp ssl tokyocabinet -vanilla' succeeded for =mail-client/mutt-1.10.1
USE='berkdb crypt doc -gdbm -gnutls gpg -gpgme -hcache -idn -imap kerberos libressl -lmdb -mbox nls -nntp -pgp_classic pop qdbm sasl -slang -smime smime_classic smtp ssl tokyocabinet -vanilla' : blocked packages (probably) for =mail-client/mutt-1.10.1
USE='berkdb crypt doc -gdbm -gnutls gpg gpgme -hcache -idn imap kerberos libressl -lmdb mbox nls nntp pgp_classic -pop -qdbm sasl slang smime smime_classic -smtp -ssl -tokyocabinet vanilla' : REQUIRED_USE not satisfied (probably) for =mail-client/mutt-1.10.1
USE='-berkdb crypt -doc -gdbm -gnutls -gpg -gpgme -hcache -idn imap -kerberos -libressl lmdb -mbox -nls -nntp pgp_classic -pop qdbm sasl -slang smime -smime_classic -smtp ssl -tokyocabinet vanilla' succeeded for =mail-client/mutt-1.10.1
USE='berkdb crypt -doc -gdbm -gnutls gpg gpgme -hcache -idn imap kerberos libressl lmdb mbox -nls nntp pgp_classic -pop -qdbm sasl -slang -smime smime_classic smtp ssl -tokyocabinet vanilla' : blocked packages (probably) for =mail-client/mutt-1.10.1
USE='berkdb crypt doc gdbm -gnutls -gpg gpgme hcache -idn imap -kerberos libressl -lmdb mbox -nls -nntp pgp_classic -pop -qdbm sasl -slang -smime -smime_classic -smtp -ssl tokyocabinet vanilla' : REQUIRED_USE not satisfied (probably) for =mail-client/mutt-1.10.1
USE='berkdb crypt doc gdbm -gnutls gpg -gpgme hcache idn imap -kerberos libressl -lmdb -mbox -nls -nntp pgp_classic pop -qdbm sasl slang smime smime_classic -smtp -ssl tokyocabinet vanilla' : REQUIRED_USE not satisfied (probably) for =mail-client/mutt-1.10.1
USE='berkdb crypt doc gdbm gnutls gpg -gpgme hcache -idn -imap kerberos -libressl lmdb -mbox nls nntp pgp_classic pop qdbm -sasl -slang -smime -smime_classic -smtp ssl tokyocabinet vanilla' succeeded for =mail-client/mutt-1.10.1
USE='berkdb crypt doc -gdbm -gnutls gpg gpgme hcache -idn imap kerberos -libressl -lmdb -mbox -nls -nntp -pgp_classic pop qdbm sasl -slang smime -smime_classic -smtp ssl tokyocabinet vanilla' succeeded for =mail-client/mutt-1.10.1
USE='berkdb crypt doc gdbm -gnutls -gpg gpgme hcache idn imap -kerberos -libressl lmdb mbox nls -nntp -pgp_classic -pop qdbm -sasl slang smime -smime_classic -smtp ssl tokyocabinet vanilla' succeeded for =mail-client/mutt-1.10.1

Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev

2018-09-08 20:25:30 UTC

ppc stable, thanks to ernsteiswuerfel!

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2018-10-06 16:57:05 UTC

Adding mail-client/neomutt as it was missed.

@arches, please stabilize.

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2018-10-06 23:07:05 UTC

x86 stable

Comment 16 Mikle Kolyada (RETIRED) archtester

2018-10-07 00:11:03 UTC

amd64 stable

Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev

2018-10-30 17:50:50 UTC

@ Maintainer(s): Please cleanup and drop <mail-client/neomutt-20180716 and <mail-client/mutt-1.10.1!

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2018-10-30 21:07:29 UTC

This issue was resolved and addressed in
 GLSA 201810-07 at https://security.gentoo.org/glsa/201810-07
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev

2018-10-30 21:08:20 UTC

Re-opening for cleanup.

Comment 20 Larry the Git Cow gentoo-dev

2018-10-31 09:01:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=168b6360ba1239eac10847d1adce53af9ed17057

commit 168b6360ba1239eac10847d1adce53af9ed17057
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2018-10-31 08:57:05 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2018-10-31 08:57:05 +0000

    mail-client/mutt: cleanup vulnerable versions, bug #661436
    
    Bug: https://bugs.gentoo.org/661436
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 mail-client/mutt/Manifest             |   6 -
 mail-client/mutt/metadata.xml         |   1 -
 mail-client/mutt/mutt-1.7.2.ebuild    | 274 ---------------------------------
 mail-client/mutt/mutt-1.9.4-r1.ebuild | 282 ----------------------------------
 mail-client/mutt/mutt-1.9.5.ebuild    | 282 ----------------------------------
 5 files changed, 845 deletions(-)