
Bug#975616: marked as done (buster-pu: package neomutt/neomutt_20180716+dfsg.1-1+deb10u2)



Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #975616,
regarding buster-pu: package neomutt/neomutt_20180716+dfsg.1-1+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
975616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975616
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jmm@inutil.org, carnil@debian.org

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Same as bugs.debian.org/975514, except that one is for mutt, this one for
neomutt. The patch is the same and it addresses the same CVE (CVE-2020-28896).

The security team is aware; they suggested going through the route of buster-updates
rather than a DSA for this particular issue.

debdiff is attached, I've also done an upload already.

[ Impact ]
Prevent login information from being sent over an encrypted connection when certain
conditions happen.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
See the "Reason" section.

[ Other info ]
(Anything else the release team should know.)

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru neomutt-20180716+dfsg.1/debian/changelog neomutt-20180716+dfsg.1/debian/changelog
--- neomutt-20180716+dfsg.1/debian/changelog	2020-06-20 07:42:44.000000000 +0200
+++ neomutt-20180716+dfsg.1/debian/changelog	2020-11-24 07:55:28.000000000 +0100
@@ -1,3 +1,11 @@
+neomutt (20180716+dfsg.1-1+deb10u2) buster; urgency=medium
+
+  * debian/patches:
+    + security/CVE-2020-28896.patch: handle the relevant CVE to stop sending
+      login information over an encrypted connections in certain conditions.
+
+ -- Antonio Radici <antonio@debian.org>  Tue, 24 Nov 2020 07:55:28 +0100
+
 neomutt (20180716+dfsg.1-1+deb10u1) buster-security; urgency=high
 
   * debian/patches:
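Review bot: The description in the new changelog entry says "over an encrypted connections", which contradicts the upstream commit message carried in this same debdiff ("sent over an unencrypted connection") and mixes singular and plural. Suggest rewording it to "stop sending login information over an unencrypted connection in certain conditions", so that anyone reading the changelog to judge the update sees the actual exposure.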
diff -Nru neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch
--- neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch	1970-01-01 01:00:00.000000000 +0100
+++ neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch	2020-11-24 07:55:28.000000000 +0100
@@ -0,0 +1,39 @@
+From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Mon, 16 Nov 2020 10:20:21 -0800
+Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
+
+During connection, if the server provided an illegal initial response,
+Mutt "bailed", but did not actually close the connection.  The calling
+code unfortunately relied on the connection status to decide to
+continue with authentication, instead of checking the "bail" return
+value.
+
+This could result in authentication credentials being sent over an
+unencrypted connection, without $ssl_force_tls being consulted.
+
+Fix this by strictly closing the connection on any invalid response
+during connection.  The fix is intentionally small, to ease
+backporting.  A better fix would include removing the 'err_close_conn'
+label, and perhaps adding return value checking in the caller (though
+this change obviates the need for that).
+
+This addresses CVE-2020-28896.  Thanks to Gabriel Salles-Loustau for
+reporting the problem, and providing test cases to reproduce.
+---
+ imap/imap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -1110,9 +1110,9 @@
+ 
+ #ifdef USE_SSL
+ err_close_conn:
+-  imap_close_connection(idata);
+ #endif
+ bail:
++  imap_close_connection(idata);
+   FREE(&idata->capstr);
+   return -1;
+ }
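Review bot: With `imap_close_connection(idata)` moved under `bail:`, every path that reaches `bail:` now closes the connection, not only those that went through `err_close_conn`. Because this is a backport onto 20180716, please confirm that each of those paths arrives with `idata` in a state where the close call is safe, including the case where the connection was never opened or is already closed. The `err_close_conn:` label is also left empty inside `#ifdef USE_SSL` and simply falls through to `bail:`. The commit message already names removing it, and checking the return value in the caller, as the cleaner follow-up, so a short comment at the label would help the next person touching this code. The [ Tests ] section of the request is unfilled, while the commit message mentions test cases from the reporter. Stating whether those were run against this build would make the request easier to judge.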
diff -Nru neomutt-20180716+dfsg.1/debian/patches/series neomutt-20180716+dfsg.1/debian/patches/series
--- neomutt-20180716+dfsg.1/debian/patches/series	2020-06-20 07:42:44.000000000 +0200
+++ neomutt-20180716+dfsg.1/debian/patches/series	2020-11-24 07:55:28.000000000 +0100
@@ -4,3 +4,4 @@
 misc/smime.rc.patch
 security/CVE-2020-14093.patch
 security/handle-starttls.patch
+security/CVE-2020-28896.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam

--- End Message ---
