Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1139927,
regarding trixie-pu: package mutt/2.2.13-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139927
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:mutt
User: [email protected]
Usertags: pu
Fixes a number of low impact security issues. All tests in debusine
are fine and I've been using this update since a few days myself
without any issues. Debdiff below.
Cheers,
Moritz
diff -Nru mutt-2.2.13/debian/changelog mutt-2.2.13/debian/changelog
--- mutt-2.2.13/debian/changelog 2024-07-27 11:23:32.000000000 +0200
+++ mutt-2.2.13/debian/changelog 2026-06-11 23:05:00.000000000 +0200
@@ -1,3 +1,10 @@
+mutt (2.2.13-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2026-43859 CVE-2026-43860 CVE-2026-43861 CVE-2026-43862
+ CVE-2026-43863 CVE-2026-43864 (Closes: #1135699)
+
+ -- Moritz Mühlenhoff <[email protected]> Thu, 11 Jun 2026 23:05:00 +0200
+
mutt (2.2.13-1) unstable; urgency=medium
* New upstream release.
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43859_CVE-2026-43860.patch
mutt-2.2.13/debian/patches/CVE-2026-43859_CVE-2026-43860.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43859_CVE-2026-43860.patch
1970-01-01 01:00:00.000000000 +0100
+++ mutt-2.2.13/debian/patches/CVE-2026-43859_CVE-2026-43860.patch
2026-06-11 15:11:33.000000000 +0200
@@ -0,0 +1,16 @@
+From 834c5a2ed0479e51e8662a31caed129f136f4805 Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <[email protected]>
+Date: Sat, 18 Apr 2026 22:08:19 +0800
+Subject: [PATCH] Fix IMAP auth_cram MD5 digest of secret to use memcpy().
+
+--- mutt-2.2.13.orig/imap/auth_cram.c
++++ mutt-2.2.13/imap/auth_cram.c
+@@ -149,7 +149,7 @@ static void hmac_md5 (const char* passwo
+ if (secret_len > MD5_BLOCK_LEN)
+ {
+ md5_buffer (password, secret_len, hash_passwd);
+- strfcpy ((char*) secret, (char*) hash_passwd, MD5_DIGEST_LEN);
++ memcpy(secret, hash_passwd, MD5_DIGEST_LEN);
+ secret_len = MD5_DIGEST_LEN;
+ }
+ else
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43861.patch
mutt-2.2.13/debian/patches/CVE-2026-43861.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43861.patch 1970-01-01
01:00:00.000000000 +0100
+++ mutt-2.2.13/debian/patches/CVE-2026-43861.patch 2026-06-11
15:12:11.000000000 +0200
@@ -0,0 +1,18 @@
+From 12f54fe3b61f761c096fe95e95d5e3072af00ed2 Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <[email protected]>
+Date: Sat, 18 Apr 2026 22:40:46 +0800
+Subject: [PATCH] Check for embedded nul in url_pct_decode().
+
+--- mutt-2.2.13.orig/url.c
++++ mutt-2.2.13/url.c
+@@ -60,7 +60,9 @@ static int url_pct_decode (char *s)
+ if (s[1] && s[2] &&
+ isxdigit ((unsigned char) s[1]) &&
+ isxdigit ((unsigned char) s[2]) &&
+- hexval (s[1]) >= 0 && hexval (s[2]) >= 0)
++ hexval(s[1]) >= 0 && hexval(s[2]) >= 0 &&
++ // check for embedded nul
++ (hexval(s[1]) > 0 || hexval(s[2]) > 0))
+ {
+ *d++ = (hexval (s[1]) << 4) | (hexval (s[2]));
+ s += 2;
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43862.patch
mutt-2.2.13/debian/patches/CVE-2026-43862.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43862.patch 1970-01-01
01:00:00.000000000 +0100
+++ mutt-2.2.13/debian/patches/CVE-2026-43862.patch 2026-06-11
15:12:42.000000000 +0200
@@ -0,0 +1,41 @@
+From f547a849cdacb512800a5f477c27de217e1c8151 Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <[email protected]>
+Date: Sat, 18 Apr 2026 22:36:37 +0800
+Subject: [PATCH] Fix imap_auth_gss() security level size check and buf_size
+ type.
+
+--- mutt-2.2.13.orig/imap/auth_gss.c
++++ mutt-2.2.13/imap/auth_gss.c
+@@ -108,7 +108,7 @@ imap_auth_res_t imap_auth_gss (IMAP_DATA
+ int cflags;
+ OM_uint32 maj_stat, min_stat;
+ BUFFER *buf1 = NULL, *buf2 = NULL;
+- unsigned long buf_size;
++ uint32_t buf_size;
+ int rc, retval = IMAP_AUTH_FAILURE;
+
+ if (!mutt_bit_isset (idata->capabilities, AGSSAPI))
+@@ -259,6 +259,14 @@ imap_auth_res_t imap_auth_gss (IMAP_DATA
+ }
+ dprint (2, (debugfile, "Credential exchange complete\n"));
+
++ if (send_token.length < 4)
++ {
++ /* TODO: convert to muttdbg() in master branch merge */
++ dprint(2, (debugfile, "Truncated security level data\n"));
++ gss_release_buffer(&min_stat, &send_token);
++ goto err_abort_cmd;
++ }
++
+ /* first octet is security levels supported. We want NONE */
+ #ifdef DEBUG
+ server_conf_flags = ((char*) send_token.value)[0];
+@@ -272,7 +280,7 @@ imap_auth_res_t imap_auth_gss (IMAP_DATA
+
+ /* we don't care about buffer size if we don't wrap content. But here it is
*/
+ ((char*) send_token.value)[0] = 0;
+- buf_size = ntohl (*((long *) send_token.value));
++ buf_size = ntohl(*((uint32_t *) send_token.value));
+ gss_release_buffer (&min_stat, &send_token);
+ dprint (2, (debugfile, "Unwrapped security level flags: %c%c%c\n",
+ server_conf_flags & GSS_AUTH_P_NONE ? 'N' : '-',
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43863.patch
mutt-2.2.13/debian/patches/CVE-2026-43863.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43863.patch 1970-01-01
01:00:00.000000000 +0100
+++ mutt-2.2.13/debian/patches/CVE-2026-43863.patch 2026-06-11
15:14:23.000000000 +0200
@@ -0,0 +1,16 @@
+From fdc04a171777327218a1e78db504926c388b48c4 Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <[email protected]>
+Date: Sat, 18 Apr 2026 21:54:34 +0800
+Subject: [PATCH] Fix infinite loop in gpgme data_object_to_stream().
+
+--- mutt-2.2.13.orig/crypt-gpgme.c
++++ mutt-2.2.13/crypt-gpgme.c
+@@ -742,7 +742,7 @@ static int data_object_to_stream (gpgme_
+ return -1;
+ }
+
+- while ((nread = gpgme_data_read (data, buf, sizeof (buf))))
++ while ((nread = gpgme_data_read(data, buf, sizeof (buf))) > 0)
+ {
+ /* fixme: we are not really converting CRLF to LF but just
+ skipping CR. Doing it correctly needs a more complex logic */
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43864.patch
mutt-2.2.13/debian/patches/CVE-2026-43864.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43864.patch 1970-01-01
01:00:00.000000000 +0100
+++ mutt-2.2.13/debian/patches/CVE-2026-43864.patch 2026-06-11
15:14:56.000000000 +0200
@@ -0,0 +1,16 @@
+From ebfa2969042d89303d15334193fcc32866c8a8df Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <[email protected]>
+Date: Sat, 18 Apr 2026 21:41:23 +0800
+Subject: [PATCH] Fix NULL dereference in show_sig_summary().
+
+--- mutt-2.2.13.orig/crypt-gpgme.c
++++ mutt-2.2.13/crypt-gpgme.c
+@@ -1425,7 +1425,7 @@ static int show_sig_summary (unsigned lo
+
+ if ((sum & GPGME_SIGSUM_KEY_EXPIRED))
+ {
+- time_t at = key->subkeys->expires ? key->subkeys->expires : 0;
++ time_t at = (key && key->subkeys) ? key->subkeys->expires : 0;
+ if (at)
+ {
+ state_puts (_("Warning: The key used to create the "
diff -Nru mutt-2.2.13/debian/patches/series mutt-2.2.13/debian/patches/series
--- mutt-2.2.13/debian/patches/series 2024-07-27 11:23:32.000000000 +0200
+++ mutt-2.2.13/debian/patches/series 2026-06-11 15:14:44.000000000 +0200
@@ -11,3 +11,8 @@
misc/gpg.rc-paths.patch
misc/smime.rc.patch
upstream/528233-readonly-open.patch
+CVE-2026-43859_CVE-2026-43860.patch
+CVE-2026-43861.patch
+CVE-2026-43862.patch
+CVE-2026-43863.patch
+CVE-2026-43864.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---