"Hello, I noticed mutt was leaking memory whenever I opened a particular mailbox.

I tracked down the problem: Using rfc822 groups without the mandatory labels wasn't being parsed properly. https://tools.ietf.org/html/rfc822#section-6.2.6

(A spammer had just put some junk in there, they weren't deliberately using exotic addressing schemes.. haha).

It turns out that you can send a small message that leaks a *lot* of memory. A small message can leak GBs of memory, effectively preventing you from opening your mailbox. You would need to use a different mail client to clean up the malformed message before you can use mutt again.

I sent this upstream as a DoS, but they don't want to treat it as a security issue. I thought I'd just send a FYI here instead in case anyone wants to backport the patch.

Here's the bug with a repro: https://gitlab.com/muttmua/mutt/-/issues/323

Here's the patch: https://gitlab.com/muttmua/mutt/-/commit/c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545

Tavis."
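A triage check for the header shape described in the report above, as an added example that is not part of the original report or of mutt's code: it flags address headers containing an RFC 822 group (`phrase ":" ... ";"`) whose label is empty, so such messages can be found before an unpatched client opens the mailbox. The function names, the header list and the sample message are assumptions constructed for illustration; the exact input that triggers the leak is not given on this page, so the check flags any unlabelled group.

```python
import email
from email import policy

# Assumed set of address-bearing headers to inspect.
ADDRESS_HEADERS = {"from", "to", "cc", "bcc", "reply-to", "sender"}
# Constructs whose contents may legally contain ':' and must be skipped.
PAIRS = {'"': '"', "<": ">", "[": "]"}

def unlabelled_groups(value):
    """Count group constructs in an address header whose label is empty."""
    count, depth, closer, has_label = 0, 0, None, False
    chars = iter(value)
    for ch in chars:
        if ch == "\\":
            next(chars, None)              # quoted-pair: skip the escaped char
        elif closer:                       # inside "...", <...> or [...]
            if ch == closer:
                closer = None
        elif depth:                        # inside a (possibly nested) comment
            depth += (ch == "(") - (ch == ")")
        elif ch == "(":
            depth = 1                      # comments never count as a label
        elif ch in PAIRS:
            closer, has_label = PAIRS[ch], True
        elif ch == ":":                    # top-level ':' opens a group
            count += not has_label         # nothing before it: label is missing
            has_label = False
        elif ch in ",;":                   # next address or end of group
            has_label = False
        elif not ch.isspace():
            has_label = True
    return count

def scan_message(raw_bytes):
    """Return {header name: unlabelled group count} for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.compat32)
    hits = {}
    for name, value in msg.items():
        if name.lower() in ADDRESS_HEADERS:
            n = unlabelled_groups(str(value))
            if n:
                hits[name] = hits.get(name, 0) + n
    return hits

# Constructed sample: "To" carries an unlabelled group, "Cc" a labelled one.
SAMPLE = (b"From: sender@example.org\r\nTo: : a@example.org;\r\n"
          b"Cc: undisclosed-recipients:;\r\nSubject: test\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Run per message over a mailbox (for example via the standard `mailbox` module) to list candidates for quarantine or cleanup with another tool.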
Upstream issue 323 now 404's, perhaps it has been marked private while being worked on, or something. Upstream branch working on fixes: https://gitlab.com/muttmua/mutt/-/commits/kevin/323-groupaddr-memleak
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ae82eca030da3e91b708e4ede77ddb349b15167

commit 9ae82eca030da3e91b708e4ede77ddb349b15167
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-01-18 08:46:51 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-01-18 08:48:51 +0000

    mail-client/mutt-2.0.4-r1: revbump with patch for #765790

    Bug: https://bugs.gentoo.org/765790
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest | 4 +-
 .../{mutt-2.0.3.ebuild => mutt-2.0.4-r1.ebuild} | 2 +-
 mail-client/mutt/mutt-2.0.4.ebuild | 265 ---------------------
 3 files changed, 2 insertions(+), 269 deletions(-)
Thank you! Please stabilize when ready.
(In reply to John Helmert III (ajak) from comment #3)
> Thank you! Please stabilize when ready.

2.0.5 is released with the fix if you think that will be a better stabilization candidate, grobian.
There are four commits in 2.0.5 that are new since 2.0.4, one of them the exact same as the patch I added to 2.0.4-r1. Two being other memleak fixes, that look sane enough from a glance, one fix regarding colours.

I don't think it's worth the risk, let's stabilise 2.0.4-r1 today.
(In reply to Fabian Groffen from comment #5)
> There are four commits in 2.0.5 that are new since 2.0.4, one of them the
> exact same as the patch I added to 2.0.4-r1. Two being other memleak fixes,
> that look sane enough from a glance, one fix regarding colours.
>
> I don't think it's worth the risk, let's stabilise 2.0.4-r1 today.

Sounds good.
amd64 stable
x86 stable
sparc done
arm done
ppc64 done
ppc done

all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15194e17ea34e171a45a9014a6d868e505108c32

commit 15194e17ea34e171a45a9014a6d868e505108c32
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-01-25 07:25:17 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-01-25 07:25:17 +0000

    mail-client/mutt-2.0.2: cleanup vulnerable version

    Bug: https://bugs.gentoo.org/765790
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest | 2 -
 mail-client/mutt/mutt-2.0.2.ebuild | 265 -------------------------------------
 2 files changed, 267 deletions(-)
This issue was resolved and addressed in GLSA 202101-25 at https://security.gentoo.org/glsa/202101-25 by GLSA coordinator Sam James (sam_c).