From: Nils Gillmann
To: 32373@debbugs.gnu.org
Subject: [bug#32373] neomutt 20180716 security update (fixes CVE-2018-14349 - CVE-2018-14363)
Date: Mon, 6 Aug 2018 09:29:10 +0000
Message-ID: <20180806092910.4xv3lgbaszjrtibi@abyayala>

Hi,

sorry for being late on this important update, life kept me busy.

From the release notes:

> Notes
> This is a small, but intensive, bug-fix release.
> It fixes some important security holes, so upgrading is strongly recommended.
> Some large architectural changes are coming, so the next release may be some months away.
>
> Security
> CVE-2018-14349 - NO Response Heap Overflow
> CVE-2018-14350 - INTERNALDATE Stack Overflow
> CVE-2018-14351 - STATUS Literal Length relative write
> CVE-2018-14352 - imap_quote_string off-by-one stack overflow
> CVE-2018-14353 - imap_quote_string int underflow
> CVE-2018-14354 - imap_subscribe Remote Code Execution
> CVE-2018-14355 - STATUS mailbox header cache directory traversal
> CVE-2018-14356 - POP empty UID NULL deref
> CVE-2018-14357 - LSUB Remote Code Execution
> CVE-2018-14358 - RFC822.SIZE Stack Overflow
> CVE-2018-14359 - base64 decode Stack Overflow
> CVE-2018-14360 - NNTP Group Stack Overflow
> CVE-2018-14361 - NNTP Write 1 where via GROUP response
> CVE-2018-14362 - POP Message Cache Directory Traversal
> CVE-2018-14363 - NNTP Header Cache Directory Traversal

Attachment: 0001-gnu-neomutt-Update-to-20180716-fixes-CVE-2018-14349-.patch

From f710fd747ec39391c67a2b3d38294cdd81146186 Mon Sep 17 00:00:00 2001
From: Nils Gillmann
Date: Mon, 6 Aug 2018 09:15:35 +0000
Subject: [PATCH] gnu: neomutt: Update to 20180716 [fixes CVE-2018-{14349,14350,14351,14352,14353,14354,14355,14356,14357,14358,14359,14360,14361,14362,14363}].

* gnu/packages/mail.scm (neomutt): Update to 20180716.

Signed-off-by: Nils Gillmann
---
 gnu/packages/mail.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 67f490d41..2a6a17c80 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -300,7 +300,7 @@ operating systems.") (define-public neomutt (package (name "neomutt") - (version "20180323") + (version "20180716") (source (origin (method url-fetch) 
@@ -308,7 +308,7 @@ operating systems.") "/archive/" name "-" version ".tar.gz")) (sha256 (base32 - "12v7zkm809cvjxfz0n7jb4qa410ns1ydyf0gjin99vbdrlj88jac")))) + "0072in2d6znwqq461shsaxlf40r4zr7w3j9848qvm4xlh1lq52dx")))) (build-system gnu-build-system) (inputs `(("cyrus-sasl" ,cyrus-sasl)
-- 
2.18.0
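
Review bot: The version change in the first hunk, `(version "20180323")` to `(version "20180716")`, is the entire security fix, yet the submission does not say that the updated package was built or started. With only the version and hash touched and the inputs left as they were, please confirm that the build still succeeds against the unchanged inputs. Separately, the brace list of fifteen CVE ids makes the commit subject very long; a short subject with the ids listed in the commit body would keep one-line logs readable.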
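
Review bot: The new base32 value in the second hunk, "0072in2d6znwqq461shsaxlf40r4zr7w3j9848qvm4xlh1lq52dx", cannot be checked from the diff itself, and the tarball URL is assembled from `"/archive/" name "-" version ".tar.gz"`, so this hash is what pins the source contents. Before applying, re-derive it independently by running `guix download` on the expanded URL and comparing the output with the value in the patch, rather than taking the submitted hash on trust.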

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Nils Gillmann
Subject: bug#32373: closed (Re: [bug#32373] neomutt 20180716 security update (fixes CVE-2018-14349 - CVE-2018-14363))
Date: Mon, 06 Aug 2018 10:12:02 +0000
Reply-To: 32373@debbugs.gnu.org

Your bug report

#32373: neomutt 20180716 security update (fixes CVE-2018-14349 - CVE-2018-14363)

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 32373@debbugs.gnu.org.

-- 
32373: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=32373
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Efraim Flashner
To: 32373-done@debbugs.gnu.org
Subject: Re: [bug#32373] neomutt 20180716 security update (fixes CVE-2018-14349 - CVE-2018-14363)
Date: Mon, 6 Aug 2018 13:11:28 +0300
Message-ID: <20180806101128.GB32130@macbook41>
In-Reply-To: <20180806092910.4xv3lgbaszjrtibi@abyayala>

Applied as 46add5615a49c0fbd125296be8a114b04a03412c

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted