Package: neomutt
Version: 20201127+dfsg.1-1.2
Severity: normal
Tags: upstream
X-Debbugs-Cc: debbug.neom...@sideload.33mail.com
The “Date:” field is added after the user instructs neomutt to send
their message, so there is no opportunity for the user to edit the
timestamp of the message. Perhaps rightly so, for RFC-compliance. But
the timestamp that mutt generates exposes the timezone of the
author. It’s too much information. E.g. this reveals to the recipient
and all mail servers en route that the sender is physically in the
central Europe timezone:
Date: Fri, 12 Aug 2022 13:21:24 +0200
This exposes the presence of senders in the eastern US timezone:
Date: Fri, 12 Aug 2022 13:21:24 -0400
It would be surprising if Google or Microsoft did not exploit that
information in some way. For privacy, users need control over the
format of that date. The RFC likely dictates the format, but the time
should be expressed in UTC. And UTC should in fact be the *default*
timezone as well.
If a user really wants to reveal the timezone they are in for some
reason (i.e. the status quo), perhaps there should be a new config
parameter for that case. The parameter could be an enum that enables
you to name a timezone, or perhaps it could be a simple boolean like
“compose_timezone_local” or “compose_timezone_zulu”.
FWIW, it’s perhaps also worth mentioning that it might be useful to be
able to dynamically select the timezone of the /recipient/, as a
courtesy to them in cases where the recipient’s timezone is known by
the sender. Of course that brings in a bit of complexity.
But in any case, the current behavior is a security issue because
confidentiality is compromised.
-- Package-specific info:
NeoMutt 20201127
Copyright (C) 1996-2020 Michael R. Elkins and others.
NeoMutt comes with ABSOLUTELY NO WARRANTY; for details type 'neomutt -vv'.
NeoMutt is free software, and you are welcome to redistribute it
under certain conditions; type 'neomutt -vv' for details.
System: Linux 5.10.0-16-amd64 (x86_64)
ncurses: ncurses 6.2.20201114 (compiled with 6.2.20201114)
libidn: 1.33 (compiled with 1.33)
GPGME: 1.14.0-unknown
GnuTLS: 3.7.1
libnotmuch: 5.3.0
storage: tokyocabinet
Configure options: --build=x86_64-linux-gnu --prefix=/usr
{--includedir=${prefix}/include} {--mandir=${prefix}/share/man}
{--infodir=${prefix}/share/info} --sysconfdir=/etc --localstatedir=/var
--disable-option-checking --disable-silent-rules
{--libdir=${prefix}/lib/x86_64-linux-gnu}
{--libexecdir=${prefix}/lib/x86_64-linux-gnu} --disable-maintainer-mode
--disable-dependency-tracking --mandir=/usr/share/man --libexecdir=/usr/libexec
--with-mailpath=/var/mail --gpgme --lua --notmuch --with-ui --gnutls --gss
--idn --mixmaster --sasl --tokyocabinet --sqlite --autocrypt
Compilation CFLAGS: -g -O2
-ffile-prefix-map=/build/neomutt-aFsTyZ/neomutt-20201127+dfsg.1=.
-fstack-protector-strong -Wformat -Werror=format-security -std=c99
-D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -D__EXTENSIONS__ -I/usr/include
-I/usr/include/lua5.4 -DNCURSES_WIDECHAR -isystem /usr/include/mit-krb5
Default options:
+attach_headers_color +compose_to_sender +compress +cond_date +debug
+encrypt_to_self +forgotten_attachments +forwref +ifdef +imap +index_color
+initials +limit_current_thread +multiple_fcc +nested_if +new_mail +nntp +pop
+progress +quasi_delete +regcomp +reply_with_xorig +sensible_browser +sidebar
+skip_quoted +smtp +status_color +timeout +tls_sni +trash
Compile options:
+autocrypt +bkgdset +color +curs_set +fcntl -flock -fmemopen +futimens
+getaddrinfo +gnutls +gpgme +gss +hcache -homespool +idn +inotify
-locales_hack +lua +meta +mixmaster +nls +notmuch -openssl +pgp +regex +sasl
+smime +sqlite +start_color +sun_attachment +typeahead
MAILPATH="/var/mail"
MIXMASTER="mixmaster"
PKGDATADIR="/usr/share/neomutt"
SENDMAIL="/usr/sbin/sendmail"
SYSCONFDIR="/etc"
To learn more about NeoMutt, visit: https://neomutt.org
If you find a bug in NeoMutt, please raise an issue at:
https://github.com/neomutt/neomutt/issues
or send an email to:
-- System Information:
Debian Release: 11.4
APT prefers stable-updates
APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990,
'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-16-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages neomutt depends on:
ii libc6 2.31-13+deb11u3
ii libgnutls30 3.7.1-5+deb11u1
ii libgpg-error0 1.38-2
ii libgpgme11 1.14.0-1+b2
ii libgssapi-krb5-2 1.18.3-6+deb11u1
ii libidn11 1.33-3
ii liblua5.4-0 5.4.2-2
ii libncursesw6 6.2+20201114-2
ii libnotmuch5 0.31.4-2
ii libsasl2-2 2.1.27+dfsg-2.1+deb11u1
ii
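The UTC normalization requested in the report above, as an added example (not part of the original report and not NeoMutt code): a filter that rewrites the Date header of an outgoing message to the same instant with a +0000 offset, touching only the header section so the body stays byte-identical. The function names and the sample message are constructed for illustration.

```python
import re
import sys
from datetime import timezone
from email.utils import format_datetime, parsedate_to_datetime

# One Date header, including folded continuation lines (RFC 5322).
DATE_RE = re.compile(
    rb"^Date:[ \t]*([^\r\n]*(?:\r?\n[ \t]+[^\r\n]*)*)(\r?\n)", re.I | re.M)

# Constructed sample: the header leaks +0200; the body quotes a Date line.
SAMPLE = (b"From: alice@example.org\r\n"
          b"Date: Fri, 12 Aug 2022 13:21:24 +0200\r\n"
          b"Subject: test\r\n\r\n"
          b"Date: Fri, 12 Aug 2022 13:21:24 +0200 (quoted in body)\r\n")


def _to_utc(match):
    value = match.group(1).decode("ascii", "replace")
    try:
        stamp = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return match.group(0)      # unparseable: pass through unchanged
    if stamp.tzinfo is None:
        return match.group(0)      # "-0000" already states no local zone
    utc = stamp.astimezone(timezone.utc)
    # Keep the original line ending (group 2) so CRLF/LF is preserved.
    return b"Date: " + format_datetime(utc).encode("ascii") + match.group(2)


def date_header_to_utc(raw: bytes) -> bytes:
    """Return raw with its top-level Date header expressed as +0000."""
    end = re.search(rb"\r?\n\r?\n", raw)   # blank line ends the headers
    cut = end.end() if end else len(raw)
    head, body = raw[:cut], raw[cut:]
    return DATE_RE.sub(_to_utc, head, count=1) + body


if __name__ == "__main__":
    # Use as a pipe: message on stdin, normalized message on stdout.
    sys.stdout.buffer.write(date_header_to_utc(sys.stdin.buffer.read()))
```

Because the instant is preserved and only the offset changes, message ordering at the recipient is unaffected.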