
Bug#975514: marked as done (buster-pu: package mutt/1.10.1-2.1+deb10u4)



Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #975514,
regarding buster-pu: package mutt/1.10.1-2.1+deb10u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
975514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975514
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
This is a fix for CVE-2020-28896, discussed with two members of the security
team (Moritz Muehlenhoff and Salvatore Bonaccorso) whether to do a DSA; in the
end it was decided, given that this requires a malicious server, to add it to
the next point release, which is happening soon.

[ Impact ]
Same as the CVE, a malicious server could force the client to send the
credential over an unencrypted connection.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
See impact.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
A two-line patch provided by the maintainer and checked by myself, already in
unstable.

[ Other info ]
The security team is aware; I've already done the upload to shorten your review
time.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog
--- mutt-1.10.1/debian/changelog	2020-07-02 16:45:23.000000000 +0200
+++ mutt-1.10.1/debian/changelog	2020-11-23 09:26:09.000000000 +0100
@@ -1,3 +1,10 @@
+mutt (1.10.1-2.1+deb10u4) buster; urgency=medium
+
+  * debian/patches:
+    + fix for CVE-2020-28896 located in security/CVE-2020-28896.patch.
+
+ -- Antonio Radici <antonio@debian.org>  Mon, 23 Nov 2020 09:26:09 +0100
+
 mutt (1.10.1-2.1+deb10u3) buster; urgency=medium
 
   * debian/patches:
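Review bot: the changelog entry names only the CVE and the patch file; Debian changelog practice is to say in a few words what the issue is and where the fix comes from, so that someone reading the changelog does not have to open the patch. Something along the lines of `+    + fix for CVE-2020-28896 (IMAP connection left open after an invalid` / `+      initial server response; credentials could be sent unencrypted),` / `+      backported upstream commit in security/CVE-2020-28896.patch.` would carry the same information as the patch header.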
diff -Nru mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch
--- mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch	1970-01-01 01:00:00.000000000 +0100
+++ mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch	2020-11-23 09:26:09.000000000 +0100
@@ -0,0 +1,39 @@
+From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Mon, 16 Nov 2020 10:20:21 -0800
+Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
+
+During connection, if the server provided an illegal initial response,
+Mutt "bailed", but did not actually close the connection.  The calling
+code unfortunately relied on the connection status to decide to
+continue with authentication, instead of checking the "bail" return
+value.
+
+This could result in authentication credentials being sent over an
+unencrypted connection, without $ssl_force_tls being consulted.
+
+Fix this by strictly closing the connection on any invalid response
+during connection.  The fix is intentionally small, to ease
+backporting.  A better fix would include removing the 'err_close_conn'
+label, and perhaps adding return value checking in the caller (though
+this change obviates the need for that).
+
+This addresses CVE-2020-28896.  Thanks to Gabriel Salles-Loustau for
+reporting the problem, and providing test cases to reproduce.
+---
+ imap/imap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -524,9 +524,9 @@
+ 
+ #if defined(USE_SSL)
+  err_close_conn:
+-  imap_close_connection (idata);
+ #endif
+  bail:
++  imap_close_connection (idata);
+   FREE (&idata->capstr);
+   return -1;
+ }
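Review bot: moving `imap_close_connection (idata);` from under `err_close_conn:` to under `bail:` makes every exit through `bail:` close the connection, including the non-SSL build and any `goto bail` taken before TLS negotiation; that is the intended effect described in the commit message, but it is worth confirming that `imap_close_connection` is safe to call on every `bail:` path in this function, including ones reached before the socket was fully set up. The `err_close_conn:` label under `#if defined(USE_SSL)` is now empty and simply falls through into `bail:`, which the message acknowledges as a deliberate trade-off for backportability; a follow-up in unstable removing the label and its `goto`s would avoid leaving a dead label behind. The hunk header `@@ -524,9 +524,9 @@` carries no function name, so whoever applies this to 1.10.1 should check that it lands in the connection-setup function the message describes rather than another `bail:` label in the same file.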
diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series
--- mutt-1.10.1/debian/patches/series	2020-07-02 16:44:08.000000000 +0200
+++ mutt-1.10.1/debian/patches/series	2020-11-23 09:24:54.000000000 +0100
@@ -16,4 +16,5 @@
 security/CVE-2020-14093.patch
 security/CVE-2020-14154.patch
 security/CVE-not-yet-released.patch
+security/CVE-2020-28896.patch
 upstream/imap-preauth-and-ssh-tunnel.patch
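Review bot: the new series entry is inserted between `security/CVE-not-yet-released.patch` and `upstream/imap-preauth-and-ssh-tunnel.patch` rather than appended at the end; quilt applies the series in order, and the name of the following upstream patch suggests it also touches the IMAP connection code, so confirm that it still applies cleanly with the CVE patch ahead of it (the [Other info] section says the upload was already done, so a successful build settles this). Grouping the entry with the other `security/` patches is consistent with the existing layout.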

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam

--- End Message ---