Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: j...@inutil.org, car...@debian.org
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Same as bugs.debian.org/975514, except that one is for mutt and this one is
for neomutt. The patch is the same and it addresses the same CVE
(CVE-2020-28896). The security team is aware; they suggested going through
buster-updates rather than a DSA for this particular issue. The debdiff is
attached; I've also done an upload already.

[ Impact ]
Prevent login information from being sent over an encrypted connection when
certain conditions happen.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or complex,
alternatives available.)

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]
See the "Reason" section.

[ Other info ]
(Anything else the release team should know.)

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru neomutt-20180716+dfsg.1/debian/changelog neomutt-20180716+dfsg.1/debian/changelog --- neomutt-20180716+dfsg.1/debian/changelog 2020-06-20 07:42:44.000000000 +0200 +++ neomutt-20180716+dfsg.1/debian/changelog 2020-11-24 07:55:28.000000000 +0100 @@ -1,3 +1,11 @@ +neomutt (20180716+dfsg.1-1+deb10u2) buster; urgency=medium + + * debian/patches: + + security/CVE-2020-28896.patch: handle the relevant CVE to stop sending + login information over an encrypted connections in certain conditions. + + -- Antonio Radici <anto...@debian.org> Tue, 24 Nov 2020 07:55:28 +0100 + neomutt (20180716+dfsg.1-1+deb10u1) buster-security; urgency=high * debian/patches: diff -Nru neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch --- neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch 1970-01-01 01:00:00.000000000 +0100 +++ neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch 2020-11-24 07:55:28.000000000 +0100 
@@ -0,0 +1,39 @@ +From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001 +From: Kevin McCarthy <ke...@8t8.us> +Date: Mon, 16 Nov 2020 10:20:21 -0800 +Subject: [PATCH] Ensure IMAP connection is closed after a connection error. + +During connection, if the server provided an illegal initial response, +Mutt "bailed", but did not actually close the connection. The calling +code unfortunately relied on the connection status to decide to +continue with authentication, instead of checking the "bail" return +value. + +This could result in authentication credentials being sent over an +unencrypted connection, without $ssl_force_tls being consulted. + +Fix this by strictly closing the connection on any invalid response +during connection. The fix is intentionally small, to ease +backporting. A better fix would include removing the 'err_close_conn' +label, and perhaps adding return value checking in the caller (though +this change obviates the need for that). + +This addresses CVE-2020-28896. Thanks to Gabriel Salles-Loustau for +reporting the problem, and providing test cases to reproduce. +--- + imap/imap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/imap/imap.c ++++ b/imap/imap.c +@@ -1110,9 +1110,9 @@ + + #ifdef USE_SSL + err_close_conn: +- imap_close_connection(idata); + #endif + bail: ++ imap_close_connection(idata); + FREE(&idata->capstr); + return -1; + } diff -Nru neomutt-20180716+dfsg.1/debian/patches/series neomutt-20180716+dfsg.1/debian/patches/series --- neomutt-20180716+dfsg.1/debian/patches/series 2020-06-20 07:42:44.000000000 +0200 +++ neomutt-20180716+dfsg.1/debian/patches/series 2020-11-24 07:55:28.000000000 +0100 @@ -4,3 +4,4 @@ misc/smime.rc.patch security/CVE-2020-14093.patch security/handle-starttls.patch +security/CVE-2020-28896.patch
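Review bot: the deb10u2 changelog entry misstates the issue: "stop sending login information over an encrypted connections" should read "over an unencrypted connection", which is what the upstream commit message inside the patch describes (credentials sent over an unencrypted connection without $ssl_force_tls being consulted); the [ Impact ] line of the request has the same inversion. Suggest rewording the entry to something like `+ security/CVE-2020-28896.patch: close the IMAP connection on any invalid initial server response so that login credentials are never sent over an unencrypted connection (CVE-2020-28896).`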
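Review bot: moving `imap_close_connection(idata);` from the `err_close_conn:` label to `bail:` makes every `goto bail` in the function close the connection, including paths reached before any TLS negotiation, so please confirm that imap_close_connection() is safe to call on a connection in each of those states; the 9-line hunk context does not show the other `goto bail` sites. With the move, `err_close_conn:` under `#ifdef USE_SSL` becomes an empty label that falls through to `bail:`, which is the intentionally small shape the commit message asks for, but the caller-side weakness it also names (authenticating based on connection status instead of the -1 return) is left as is by this patch and deserves a follow-up. Since the patch header was produced against mutt's imap/imap.c, it is worth noting in the [ Tests ] section that it applied cleanly at the stated offset in neomutt 20180716 and that the connection is in fact closed after an invalid greeting.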
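To make the defect the upstream commit message describes concrete, here is an added C model of the control flow (example code written for this review, not mutt, neomutt or Debian packaging code). It keeps only the pieces that matter: a connection whose status is set as soon as TCP connect succeeds, an open routine that bails on an invalid greeting, and a caller that decides to authenticate from the connection status rather than the return value. The `close_on_bail` flag switches between the pre-fix and patched `bail:` behaviour. All names (`imap_conn`, the `*_model` functions), the greeting check and the sample credentials are assumptions invented for this illustration.

```c
/* Added example, not mutt/neomutt code: a minimal model of the control flow
 * behind CVE-2020-28896. All names below (imap_conn, *_model functions) are
 * invented for this illustration; the greeting check is a simplification of
 * mutt's real parser. */
#include <stdio.h>
#include <string.h>

enum conn_status { CONN_CLOSED = 0, CONN_CONNECTED = 1 };

struct imap_conn {
    enum conn_status status;
    int encrypted;      /* 1 once TLS has been negotiated on this connection */
    char sent[128];     /* everything the client has "written" to the server */
};

static void imap_close_connection_model(struct imap_conn *c)
{
    c->status = CONN_CLOSED;
}

/* RFC 3501 allows only "* OK" or "* PREAUTH" as an initial greeting;
 * "* BYE" or anything else means the session must not proceed. */
static int greeting_is_valid(const char *greeting)
{
    return strncmp(greeting, "* OK", 4) == 0 ||
           strncmp(greeting, "* PREAUTH", 9) == 0;
}

/* Stand-in for imap_open_connection(): returns 0 on success, -1 on failure.
 * close_on_bail = 0 models the pre-fix bail: label (connection left open),
 * close_on_bail = 1 models the patched label (connection closed). */
static int imap_open_connection_model(struct imap_conn *c, const char *greeting,
                                      int close_on_bail)
{
    c->status = CONN_CONNECTED;     /* TCP connect succeeded */
    c->encrypted = 0;
    c->sent[0] = '\0';

    if (!greeting_is_valid(greeting))
        goto bail;

    /* In mutt, STARTTLS / $ssl_force_tls handling happens here; the model
     * simply treats a valid greeting as leading to a TLS-protected session. */
    c->encrypted = 1;
    return 0;

bail:
    if (close_on_bail)
        imap_close_connection_model(c);   /* the one-line upstream fix */
    return -1;
}

/* Stand-in for the caller: it ignores the return value and keys off the
 * connection status, the pattern the upstream commit message describes.
 * Returns 1 if the LOGIN command went out over an unencrypted connection. */
static int imap_login_model(const char *greeting, int close_on_bail)
{
    struct imap_conn c;

    (void)imap_open_connection_model(&c, greeting, close_on_bail);
    if (c.status != CONN_CONNECTED)
        return 0;                         /* nothing to authenticate to */

    strcat(c.sent, "a001 LOGIN alice hunter2\r\n");   /* constructed creds */
    return c.encrypted ? 0 : 1;
}

/* Hardened caller: checks the return value, so it is safe with either label. */
static int imap_login_checked_model(const char *greeting, int close_on_bail)
{
    struct imap_conn c;

    if (imap_open_connection_model(&c, greeting, close_on_bail) != 0)
        return 0;
    strcat(c.sent, "a001 LOGIN alice hunter2\r\n");   /* constructed creds */
    return c.encrypted ? 0 : 1;
}

int main(void)
{
    const char *bad = "* BYE connection refused";   /* constructed greeting */
    const char *good = "* OK IMAP4rev1 ready";      /* constructed greeting */

    printf("pre-fix,  invalid greeting: credentials leaked = %d\n",
           imap_login_model(bad, 0));
    printf("post-fix, invalid greeting: credentials leaked = %d\n",
           imap_login_model(bad, 1));
    printf("pre-fix,  valid greeting:   credentials leaked = %d\n",
           imap_login_model(good, 0));
    printf("checked caller, pre-fix, invalid greeting: leaked = %d\n",
           imap_login_checked_model(bad, 0));
    return 0;
}
```

The model shows why the one-line patch is sufficient for the status-driven caller: once `bail:` closes the connection, the status check fails and no LOGIN is written. It also shows the second, independent fix the commit message alludes to: a caller that honours the -1 return never reaches the send path regardless of what `bail:` does.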