Your message dated Mon, 29 Aug 2016 05:22:19 +0000
with message-id <e1bef1x-0005vz...@franck.debian.org>
and subject line Bug#835421: fixed in mutt 1.7.0-1
has caused the Debian Bug report #835421,
regarding mutt: Bug in POP3 authentication via SASL mechanism DIGEST-MD5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
835421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mutt
Version: 1.5.23-3
Severity: normal
Tags: patch upstream

According to <https://tools.ietf.org/html/rfc5034#section-6>, the DIGEST-MD5
authentication should proceed along a sequence similar to the following:

1. C: AUTH DIGEST-MD5
2. S: + base64-encoded-server-challenge
3. C: base64-encoded-client-response
4. S: + base64-encoded-server-auth-confirmation
5. C:
6. S: +OK Maildrop locked and ready

In fact, even if the server grants access, mutt detects a spurious error,
sends the server a standalone "*" to request protocol shutdown, and fails.

The problem stems from the fact that pop_auth_sasl() in
file pop_auth.c incorrectly terminates the SASL protocol at
step 4, then checks that the last message from the server
("+ base64-encoded-server-auth-confirmation") starts with "+OK", and of
course fails.

I believe the attached patch fixes the problem.

Best regards,
        g.b.

-- Package-specific info:
Mutt 1.5.23 (2014-03-12)
Copyright (C) 1996-2009 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 3.16.0-4-amd64 (x86_64)
ncurses: ncurses 5.9.20140913 (compiled with 5.9)
libidn: 1.29 (compiled with 1.29)
hcache backend: tokyocabinet 1.4.48

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.9/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.2-4' 
--with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs 
--enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr 
--program-suffix=-4.9 --enable-shared --enable-linker-build-id 
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix 
--with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls 
--with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug 
--enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-vtable-verify 
--enable-plugin --with-system-zlib --disable-browser-plugin 
--enable-java-awt=gtk --enable-gtk-cairo 
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64/jre --enable-java-home 
--with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64 
--with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-amd64 
--with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar 
--enable-objc-gc --enable-multiarch --with-arch-32=i586 --with-abi=m64 
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic 
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu 
--target=x86_64-linux-gnu
Thread model: posix
gcc version 4.9.2 (Debian 4.9.2-4) 

Configure options: '--prefix=/usr' '--sysconfdir=/etc' 
'--mandir=/usr/share/man' '--with-docdir=/usr/share/doc' 
'--with-mailpath=/var/mail' '--disable-dependency-tracking' 
'--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' 
'--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' '--with-curses' 
'--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' '--with-sasl' 
'--without-gdbm' '--without-bdb' '--without-qdbm' '--build' 'x86_64-linux-gnu' 
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat 
-Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2 -I/usr/include/qdbm'

Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat 
-Werror=format-security -Wall

Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
-USE_SSL_OPENSSL  +USE_SSL_GNUTLS  +USE_SASL  +USE_GSS  +HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +COMPRESSED  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET 
 +HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  +HAVE_GETSID  +USE_HCACHE  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"
To contact the developers, please mail to <mutt-...@mutt.org>.
To report a bug, please visit http://bugs.mutt.org/.

misc/am-maintainer-mode.patch
features/ifdef.patch
features/xtitles.patch
features/trash-folder.patch
features/purge-message.patch
features/imap_fast_trash.patch
features/sensible_browser_position.patch
features-old/patch-1.5.4.vk.pgp_verbose_mime.patch
features/compressed-folders.patch
features/compressed-folders.debian.patch
debian-specific/Muttrc.patch
debian-specific/Md.etc_mailname_gethostbyname.patch
debian-specific/use_usr_bin_editor.patch
debian-specific/correct_docdir_in_man_page.patch
debian-specific/dont_document_not_present_features.patch
debian-specific/document_debian_defaults.patch
debian-specific/assumed_charset-compat.patch
debian-specific/467432-write_bcc.patch
debian-specific/566076-build_doc_adjustments.patch
misc/define-pgp_getkeys_command.patch
misc/gpg.rc-paths.patch
misc/smime.rc.patch
misc/fix-configure-test-operator.patch
upstream/531430-imapuser.patch
upstream/543467-thread-segfault.patch
upstream/542817-smimekeys-tmpdir.patch
upstream/548577-gpgme-1.2.patch
upstream/553321-ansi-escape-segfault.patch
upstream/547980-smime_keys-chaining.patch
upstream/528233-readonly-open.patch
upstream/228671-pipe-mime.patch
upstream/383769-score-match.patch
upstream/603288-split-fetches.patch
upstream/611410-no-implicit_autoview-for-text-html.patch
upstream/path_max.patch
translations/update_german_translation.patch
upstream/771125-CVE-2014-9116-jessie.patch
__separator__mutt.org.patch

-- System Information:
Debian Release: 8.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages mutt depends on:
ii  libassuan0         2.1.2-2
ii  libc6              2.19-18+deb8u4
ii  libcomerr2         1.42.12-1.1
ii  libgnutls-deb0-28  3.3.8-6+deb8u3
ii  libgpg-error0      1.17-3
ii  libgpgme11         1.5.1-6
ii  libgssapi-krb5-2   1.12.1+dfsg-19+deb8u2
ii  libidn11           1.29-1+deb8u1
ii  libk5crypto3       1.12.1+dfsg-19+deb8u2
ii  libkrb5-3          1.12.1+dfsg-19+deb8u2
ii  libncursesw5       5.9+20140913-1+b1
ii  libsasl2-2         2.1.26.dfsg1-13+deb8u1
ii  libtinfo5          5.9+20140913-1+b1
ii  libtokyocabinet9   1.4.48-3

Versions of packages mutt recommends:
ii  exim4-daemon-light [mail-transport-agent]  4.84.2-2+deb8u1
ii  libsasl2-modules                           2.1.26.dfsg1-13+deb8u1
ii  locales                                    2.19-18+deb8u4
ii  mime-support                               3.58

Versions of packages mutt suggests:
ii  ca-certificates  20141019+deb8u1
ii  gnupg            1.4.18-7+deb8u2
ii  ispell           3.3.02-6
pn  mixmaster        <none>
ii  openssl          1.0.1t-1+deb8u2
ii  urlview          0.9-19

Versions of packages mutt is related to:
ii  mutt          1.5.23-3
pn  mutt-dbg      <none>
pn  mutt-patched  <none>

-- no debconf information
--- pop_auth.c	2014-03-12 17:03:45.000000000 +0100
+++ my-pop_auth.c	2016-08-25 14:24:59.985430466 +0200
@@ -116,7 +116,7 @@
       client_start = 0;
     }
 
-    if (rc != SASL_CONTINUE && (olen == 0 || rc != SASL_OK))
+    if (rc == SASL_FAIL || !mutt_strncmp(inbuf, "+OK", 3) || !mutt_strncmp(inbuf, "-ERR", 4))
       break;
 
     /* send out response, or line break if none needed */
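Review bot: the new exit test on the `+` line stops only for `rc == SASL_FAIL`, while the removed test stopped for every rc other than SASL_CONTINUE or SASL_OK, so any other error code from the SASL step now falls through to "send out response" and the exchange carries on. Suggest `rc != SASL_CONTINUE && rc != SASL_OK` in place of `rc == SASL_FAIL`. The exit is also now decided by server text alone: a line starting with "+OK" breaks the loop whatever rc is, so the code after the loop should accept the login only when rc is SASL_OK as well; otherwise a server that never sends the step-4 confirmation could still be treated as authenticated. A one-line comment pointing at the RFC 5034 step sequence would explain why SASL_OK with olen == 0 no longer ends the loop.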

--- End Message ---
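The exchange and the loop exit described in the report above, modelled as an added example; this is not mutt's code and not part of either message. The transcripts, `fake_step`, `run` and `struct outcome` are hypothetical, the loop is a simplified model, and it assumes a login counts only when the SASL state is SASL_OK and the last server line starts with "+OK".

```c
#include <stdio.h>
#include <string.h>

/* Return codes with the values Cyrus SASL gives them. */
enum { SASL_FAIL = -1, SASL_OK = 0, SASL_CONTINUE = 1 };

/* Constructed server lines (steps 2, 4 and 6); the base64 is placeholder text. */
static const char *GRANT[] = { "+ Y2hhbGxlbmdl", "+ cnNwYXV0aA==",
                               "+OK Maildrop locked and ready" };
static const char *DENY[]  = { "+ Y2hhbGxlbmdl", "-ERR authentication failed" };

struct outcome { int client_lines, authenticated, sent_abort; };

/* Hypothetical stand-in for the SASL step: the first challenge needs a reply,
 * the second (server auth confirmation) completes with nothing left to send. */
static int fake_step(int nth, int *olen) {
    if (nth == 1) { *olen = 16; return SASL_CONTINUE; }
    if (nth == 2) { *olen = 0;  return SASL_OK; }
    *olen = 0; return SASL_FAIL;
}

/* Simplified model of the client loop; patched selects the exit test. */
static struct outcome run(const char **srv, int n, int patched) {
    struct outcome o = { 1, 0, 0 };          /* "AUTH DIGEST-MD5" already sent */
    const char *inbuf = "";
    int rc = SASL_CONTINUE, olen = 0, steps = 0;
    for (int i = 0; i < n; i++) {
        inbuf = srv[i];
        if (!strncmp(inbuf, "+ ", 2))        /* only challenges reach SASL */
            rc = fake_step(++steps, &olen);
        int stop = patched
            ? (rc == SASL_FAIL || !strncmp(inbuf, "+OK", 3) || !strncmp(inbuf, "-ERR", 4))
            : (rc != SASL_CONTINUE && (olen == 0 || rc != SASL_OK));
        if (stop) break;
        o.client_lines++;                    /* response, or empty line (step 5) */
    }
    o.authenticated = (rc == SASL_OK && !strncmp(inbuf, "+OK", 3));
    if (!o.authenticated && !strncmp(inbuf, "+ ", 2)) {
        o.sent_abort = 1;                    /* standalone "*" cancels the exchange */
        o.client_lines++;
    }
    return o;
}

int main(void) {
    struct outcome a = run(GRANT, 3, 0), b = run(GRANT, 3, 1), c = run(DENY, 2, 1);
    printf("original, granted: auth=%d abort=%d\n", a.authenticated, a.sent_abort);
    printf("patched,  granted: auth=%d abort=%d\n", b.authenticated, b.sent_abort);
    printf("patched,  denied:  auth=%d abort=%d\n", c.authenticated, c.sent_abort);
    return 0;
}
```

With the original test the model stops at step 4 and sends "*" although the server would have granted access; with the patched test it sends the empty step-5 line and reaches "+OK".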
--- Begin Message ---
Source: mutt
Source-Version: 1.7.0-1

We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Radici <anto...@debian.org> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 28 Aug 2016 15:10:08 +0100
Source: mutt
Binary: mutt
Architecture: source
Version: 1.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Mutt maintainers <pkg-mutt-maintain...@lists.alioth.debian.org>
Changed-By: Antonio Radici <anto...@debian.org>
Description:
 mutt       - text-based mailreader supporting MIME, GPG, PGP and threading
Closes: 693993 741166 749483 823971 835421
Changes:
 mutt (1.7.0-1) unstable; urgency=medium
 .
   * New upstream release.
   * New upstream NeoMutt release, 2016-08-27.
     - neomutt-devel/restore-docfile-installation.patch removed (already
       upstream).
   * debian/patches:
     + some patches refreshed.
     + debian-specific/document_debian_defaults.patch updated to remove an
       incorrect reference to a default variable (Closes: 741166).
     + upstream/611410-no-implicit_autoview-for-text-html.patch restored, it was
       incorrectly dropped (Closes: 823971).
     + upstream/835421-pop-digest-md5.patch to incorrectly handle pop DIGEST-MD5
       auth (Closes: 835421).
     + upstream/693993-manpage-corrections.patch with some fixes to the manpage
       (Closes: 693993).
     + upstream/749483-conststrings.patch fixes a conflicting declaration
       (Closes: 749483)


--- End Message ---
