Package: mutt-wizard
Version: 3.3.1-2
Severity: important

The following guard is used towards the top of mw-mailsync:

    pgrep -u "${USER:=$LOGNAME}" >/dev/null || { echo "$USER not logged in; sync will not run."; exit ;}

This is inadequate, because USER and LOGNAME might not be defined in the
running environment even if the user is logged in. For example, in a
container context:

    conf=/some/path/to/stick/muttwizard/conf/in
    podman run --rm -ti \
        --mount type=bind,ro=false,chown=true,src=$conf,dst=$HOME \
        mutt-wizard \
        neomutt

(where 'mutt-wizard' is the name of a debian:bookworm container with
mutt-wizard and its dependencies installed.)

Furthermore, the behaviour when this fails - ${USER:=$LOGNAME} expands to
the empty string, so the script invokes "pgrep -u >/dev/null", which is at
least benign and just dumps the pgrep invocation output on the user's
terminal.

(Why run mutt-wizard in a container? To mitigate against it not isolating
its own configuration from any pre-existing configuration belonging to the
user. See: <https://github.com/LukeSmithxyz/mutt-wizard/issues/917>)

-- System Information:
Debian Release: 12.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-10-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mutt-wizard depends on:
ii  curl       7.88.1-10
ii  isync      1.4.4-5
ii  msmtp      1.8.23-1
ii  neomutt    20220429+dfsg1-4.1
ii  pass       1.7.4-6
ii  xdg-utils  1.1.3-4.1

Versions of packages mutt-wizard recommends:
ii  abook    0.6.1-2+b1
ii  cron     3.0pl1-162
ii  lynx     2.9.0dev.12-1
ii  notmuch  0.37-1+b1
ii  urlview  0.9-23.1

Versions of packages mutt-wizard suggests:
pn  links2   <none>
pn  mpop     <none>
ii  mpv      0.35.1-4
ii  w3m      0.5.3+git20230121-2
pn  zathura  <none>

-- no debconf information

-- 
👱🏻 Jonathan Dowland
✎ j...@dow.land
🔗 https://jmtd.net
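
Added example, not part of the original report and not mutt-wizard's own code: one way to write the guard so that it still resolves an account when USER and LOGNAME are both unset, and reports an unresolvable user separately from "no processes found". The function names mw_resolve_user and mw_guard are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not mutt-wizard functions).

# Print the account to check, without relying on the environment alone.
mw_resolve_user() {
    # Use the environment when it is populated (login shells, most cron jobs).
    _mw_user=${USER:-${LOGNAME:-}}
    # Containers and stripped environments may define neither variable, so
    # ask for the process's own identity. id -un fails when the UID has no
    # passwd entry; fall back to the numeric UID, which pgrep -u also accepts.
    [ -n "$_mw_user" ] || _mw_user=$(id -un 2>/dev/null) || _mw_user=$(id -u)
    printf '%s\n' "$_mw_user"
}

# Return codes: 0 = user has processes, 1 = none found,
#               2 = user could not be determined, 3 = pgrep unavailable.
mw_guard() {
    _mw_target=$(mw_resolve_user)
    if [ -z "$_mw_target" ]; then
        # Never hand pgrep an empty -u argument; say what actually went wrong.
        echo "Cannot determine the current user; sync will not run." >&2
        return 2
    fi
    if ! command -v pgrep >/dev/null 2>&1; then
        echo "pgrep not found; cannot check for a session." >&2
        return 3
    fi
    # Silence stderr as well, so a pgrep error never lands on the terminal.
    if ! pgrep -u "$_mw_target" >/dev/null 2>&1; then
        echo "$_mw_target not logged in; sync will not run." >&2
        return 1
    fi
    return 0
}

# Usage in a script:  mw_guard || exit
```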