
Bug#990687: marked as done (unblock: mutt/2.0.5-4.1)



Your message dated Sun, 04 Jul 2021 20:16:41 +0000
with message-id <E1m08Xh-0001Po-3M@respighi.debian.org>
and subject line unblock mutt
has caused the Debian Bug report #990687,
regarding unblock: mutt/2.0.5-4.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990687: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990687
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org

Hi release team,

Please unblock package mutt

[ Reason ]
mutt in bullseye is affected by CVE-2021-32055, #988106. It should though
be noted that the $imap_qresync setting for QRESYNC is not enabled by
default. It looked to me still worth trying to get the fix into
bullseye before the release.

Note, the same issue would have affected neomutt as well, but back
when I prepared the NMU for mutt, I unfortunately did not find time
to do the neomutt NMU as well. This is surely kind of unfortunate :(

[ Impact ]
CVE-2021-32055 would remain open.

[ Tests ]
None specifically.

[ Risks ]
Would consider it low, and it is a feature not used by default. The
package has now been 22 days in unstable without any regression
reported specifically targeting this update.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None.

unblock mutt/2.0.5-4.1

Regards,
Salvatore
diff -Nru mutt-2.0.5/debian/changelog mutt-2.0.5/debian/changelog
--- mutt-2.0.5/debian/changelog	2021-03-20 17:26:12.000000000 +0100
+++ mutt-2.0.5/debian/changelog	2021-06-06 21:11:36.000000000 +0200
@@ -1,3 +1,11 @@
+mutt (2.0.5-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix seqset iterator when it ends in a comma (CVE-2021-32055)
+    (Closes: #988106)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 06 Jun 2021 21:11:36 +0200
+
 mutt (2.0.5-4) unstable; urgency=medium
 
   * debian/patches:
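Review bot: the new 2.0.5-4.1 entry names the CVE and the bug it closes but not the file that carries the fix. Adding the patch name (upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch), in the style of the "debian/patches:" item that opens the 2.0.5-4 entry below it, would let someone auditing the upload go from the changelog straight to the change.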
diff -Nru mutt-2.0.5/debian/patches/series mutt-2.0.5/debian/patches/series
--- mutt-2.0.5/debian/patches/series	2021-03-20 17:24:06.000000000 +0100
+++ mutt-2.0.5/debian/patches/series	2021-06-06 21:11:36.000000000 +0200
@@ -13,3 +13,4 @@
 upstream/528233-readonly-open.patch
 upstream/980924-updated-german-translation.patch
 upstream/985152-body-color-slowness.patch
+upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
diff -Nru mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
--- mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch	1970-01-01 01:00:00.000000000 +0100
+++ mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch	2021-06-06 21:11:36.000000000 +0200
@@ -0,0 +1,39 @@
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Mon, 3 May 2021 13:11:30 -0700
+Subject: Fix seqset iterator when it ends in a comma.
+Origin: https://gitlab.com/muttmua/mutt/-/commit/7c4779ac24d2fb68a2a47b58c7904118f40965d5
+Bug-Debian: https://bugs.debian.org/988106
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32055
+
+If the seqset ended with a comma, the substr_end marker would be just
+before the trailing nul.  In the next call, the loop to skip the
+marker would iterate right past the end of string too.
+
+The fix is simple: place the substr_end marker and skip past it
+immediately.
+---
+ imap/util.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/imap/util.c b/imap/util.c
+index c529fd8fba3c..488e8396d269 100644
+--- a/imap/util.c
++++ b/imap/util.c
+@@ -1036,13 +1036,11 @@ int mutt_seqset_iterator_next (SEQSET_ITERATOR *iter, unsigned int *next)
+     if (iter->substr_cur == iter->eostr)
+       return 1;
+ 
+-    while (!*(iter->substr_cur))
+-      iter->substr_cur++;
+     iter->substr_end = strchr (iter->substr_cur, ',');
+     if (!iter->substr_end)
+       iter->substr_end = iter->eostr;
+     else
+-      *(iter->substr_end) = '\0';
++      *(iter->substr_end++) = '\0';
+ 
+     range_sep = strchr (iter->substr_cur, ':');
+     if (range_sep)
+-- 
+2.32.0.rc0
+
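Review bot: in the imap/util.c hunk, termination for a trailing comma now depends on "*(iter->substr_end++) = '\0';" leaving substr_end equal to iter->eostr, and on code outside the hunk carrying that value into substr_cur so the "iter->substr_cur == iter->eostr" check at the top returns 1; neither step is visible here, so it should be confirmed against the full function. The patch also adds no regression test. A seqset ending in a comma is the obvious case to cover, and one with a doubled comma is worth adding too, since there strchr finds the comma at substr_cur itself and the range parsing that follows receives an empty string.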

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---