Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
On Sun, Sep 10, 2023 at 09:59:53PM +0200, Sebastian Andrzej Siewior wrote:
> Hi Antonio!
>
> On 2023-09-10 15:57:58 [+0200], Antonio Radici wrote:
> > On Sun, Sep 10, 2023 at 01:38:33PM +0200, Salvatore Bonaccorso wrote:
> > > Hi Antonio,
> > >
> > > FWIW, I have done the bookworm-security upload already to
> > > security-master, and still working on the bullseye-security one (with
> > > plan to release the DSA tonight ideally).
> >
> > Ack, thanks for the update, I assume this was a particularly serious issue
> > that had to be handled immediately!
>
> I pinged Salvatore on IRC about this and he was working on
> stable/old-stable fix of the version at the time. So I suggest to help
> out and prepare latest upstream from upstream for unstable (which was in
> opinion only fixes).
> Unfortunately I saw your reply to the bug after performing the update.
> I'm sorry if I overstepped here. In the meantime I prepared a pull on
> salsa for the changes I made.
> As a matter of fact, I noticed that I somehow missed the latest
> changelog from the package which I noticed while I tried to open the
> pull request. After looking at it again, it looks like I just missed the
> changelog entry.
>
> Once again, I'm sorry for any trouble I may have caused.

Hi Sebastian,

not a problem at all! It's just that I was unaware! You were much faster
than me and that's definitely very good. Thanks a lot for your
contribution to Debian, I really appreciate it :)
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
Hi Antonio!

On 2023-09-10 15:57:58 [+0200], Antonio Radici wrote:
> On Sun, Sep 10, 2023 at 01:38:33PM +0200, Salvatore Bonaccorso wrote:
> > Hi Antonio,
> >
> > FWIW, I have done the bookworm-security upload already to
> > security-master, and still working on the bullseye-security one (with
> > plan to release the DSA tonight ideally).
>
> Ack, thanks for the update, I assume this was a particularly serious issue
> that had to be handled immediately!

I pinged Salvatore on IRC about this and he was working on
stable/old-stable fix of the version at the time. So I suggest to help
out and prepare latest upstream from upstream for unstable (which was in
opinion only fixes).
Unfortunately I saw your reply to the bug after performing the update.
I'm sorry if I overstepped here. In the meantime I prepared a pull on
salsa for the changes I made.
As a matter of fact, I noticed that I somehow missed the latest
changelog from the package which I noticed while I tried to open the
pull request. After looking at it again, it looks like I just missed the
changelog entry.

Once again, I'm sorry for any trouble I may have caused.

Sebastian
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
On 2023-09-10 15:57:13 [+0200], Antonio Radici wrote:
Hi Antonio,

> On Sun, Sep 10, 2023 at 01:47:30PM +0200, Salvatore Bonaccorso wrote:
> > Hi Antonio,
> >
> > On Sun, Sep 10, 2023 at 01:24:10PM +0200, Antonio Radici wrote:
> > > On Sun, Sep 10, 2023 at 01:05:31PM +0200, Antonio Radici wrote:
> > > > Thanks for raising this, I'm uploading the new packages with the fixes
> > > > today.
> > >
> > > apparently someone else did a NMU with the new version and incorrectly
> > > closed the bug.
> >
> > You mean the NMU by Sebastian?
>
> Yes

The new version addressed the CVEs so closing the bug isn't incorrect?

> > > I reopened the bug because stable needs to be addressed (which I will do
> > > today as I just wrote) and then it's probably worth investigating how to
> > > integrate those NMU into the git repo
> >
> > Actually you do not need to reopen. A bug can be closed with multiple
> > versions, that is 2.2.12-0.1 closes it, but as well so does then the
> > 2.2.9-1+deb12u1 upload and the 2.0.5-4.1+deb11u3 one.
> >
> > I think that was not the case several years ago, but nowadays BTS can
> > handle that, and will reflect it nicely as well in the version graph.
> >
> > Or were you meaning something different?
>
> Ah ok good, then I will add the extra versions if they are not there already

Right, here is an example for the bug closed in stable, and experimental.
https://bugs.debian.org/1034720

Sebastian
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
Hi Antonio,

On Sun, Sep 10, 2023 at 03:57:58PM +0200, Antonio Radici wrote:
> On Sun, Sep 10, 2023 at 01:38:33PM +0200, Salvatore Bonaccorso wrote:
> > Hi Antonio,
> >
> > FWIW, I have done the bookworm-security upload already to
> > security-master, and still working on the bullseye-security one (with
> > plan to release the DSA tonight ideally).
>
> Ack, thanks for the update, I assume this was a particularly serious issue
> that had to be handled immediately!

In retrospect, I'm not completely sure, but better to be on the safe side
in this case. The NULL pointer dereference flaw reported by Chenyuan Mi is
one when composing from a specially crafted draft message, so rather on the
harmless side, but the second is when viewing a message with specially
crafted headers, leading to a crash. OTOH it is isolated to such an email,
when viewing a message with specially crafted headers, see the commit
https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0
in particular.

I agree that maybe I should have waited for you for comments, which I try
to remember to keep in mind for any future occurrence.

Regards,
Salvatore
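Added example, not mutt's code and not from any mail in this thread: a small C model of the failure mode Salvatore describes above and that the Check-for-NULL-userhdrs patch further down explains (a header whose RFC 2047 "B" encoded-word decodes to an empty string, which a safe_strdup-style copy turns into NULL, which a later strchr() then dereferences). It puts the two fixes from the changelog side by side: the decoder rejecting illegal base64 characters instead of silently skipping them, and the NULL check before strchr(). All function names (decode_b64, decode_encoded_word, dup_nonempty, header_has_colon, decodes_to), the lenient/strict switch, and the sample encoded words are assumptions constructed for this example; charsets and the "Q" encoding are not handled.

```c
/* Added example, not mutt's code: models the empty-decode -> NULL -> strchr()
 * crash pattern and the two fixes described in the thread. All names and
 * sample inputs are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if illegal. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode n base64 characters from in into out (out must hold n bytes).
 * strict == 0 skips illegal characters silently, so pure garbage decodes to
 * an empty result; strict != 0 returns -1 on the first illegal character
 * (the "abort on illegal characters" behaviour named in the changelog).
 * Returns the number of output bytes, or -1 when rejected. */
static int decode_b64(const char *in, size_t n, char *out, int strict)
{
    unsigned int acc = 0;
    int bits = 0, outlen = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '=')
            break;                        /* padding: end of data */
        int v = b64_value(in[i]);
        if (v < 0) {
            if (strict)
                return -1;
            continue;                     /* weak: ignore and carry on */
        }
        acc = ((acc << 6) | (unsigned int)v) & 0x3fff;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[outlen++] = (char)((acc >> bits) & 0xff);
        }
    }
    return outlen;
}

/* Decode one "=?charset?B?text?=" encoded word into a malloc'd string.
 * Returns NULL when the token is not a B encoded word or, in strict mode,
 * when the base64 text contains illegal characters. Charset is ignored. */
char *decode_encoded_word(const char *ew, int strict)
{
    if (strncmp(ew, "=?", 2) != 0)
        return NULL;
    const char *q = strchr(ew + 2, '?');              /* end of charset */
    if (!q || (q[1] != 'B' && q[1] != 'b') || q[2] != '?')
        return NULL;
    const char *text = q + 3;
    const char *end = strstr(text, "?=");
    if (!end)
        return NULL;
    size_t n = (size_t)(end - text);
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    int len = decode_b64(text, n, out, strict);
    if (len < 0) {
        free(out);
        return NULL;
    }
    out[len] = '\0';
    return out;
}

/* safe_strdup-style copy that yields NULL for an empty string: the step that
 * turns an empty decode into a NULL list entry (assumption modelled on the
 * patch description, not mutt's code). */
static char *dup_nonempty(const char *s)
{
    if (!s || !*s)
        return NULL;
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* The userhdrs colon check. Without the NULL test, strchr() would run on NULL
 * for an empty header; with it the entry is simply rejected. */
int header_has_colon(const char *decoded)
{
    char *entry = dup_nonempty(decoded);
    if (!entry)
        return 0;                          /* the check the patch adds */
    int ok = strchr(entry, ':') != NULL;
    free(entry);
    return ok;
}

/* Decode ew and compare with expected; expected == NULL means "rejected". */
int decodes_to(const char *ew, int strict, const char *expected)
{
    char *r = decode_encoded_word(ew, strict);
    int ok = expected ? (r != NULL && strcmp(r, expected) == 0) : (r == NULL);
    free(r);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a well-formed word and one made of illegal chars. */
    const char *good = "=?utf-8?B?WC1Ub3A6IGJhcg==?=";   /* "X-Top: bar" */
    const char *bad = "=?utf-8?B?!!!!?=";
    char *lenient = decode_encoded_word(bad, 0);       /* "" (not NULL) */
    printf("good/strict decodes to X-Top: bar: %d\n", decodes_to(good, 1, "X-Top: bar"));
    printf("bad/lenient gives empty string: %d, has_colon: %d\n",
           lenient != NULL && lenient[0] == '\0', header_has_colon(lenient));
    printf("bad/strict rejected: %d\n", decodes_to(bad, 1, NULL));
    free(lenient);
    return 0;
}
```

The lenient path is the one to watch: it never fails, so garbage input quietly becomes an empty string, and whether that empty string later becomes a NULL depends on a copy helper somewhere else in the code. Rejecting at the decoder and checking for NULL at the consumer are independent fixes, and the patch description in the thread argues for keeping both.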
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
On Sun, Sep 10, 2023 at 01:47:30PM +0200, Salvatore Bonaccorso wrote:
> Hi Antonio,
>
> On Sun, Sep 10, 2023 at 01:24:10PM +0200, Antonio Radici wrote:
> > On Sun, Sep 10, 2023 at 01:05:31PM +0200, Antonio Radici wrote:
> > > Thanks for raising this, I'm uploading the new packages with the fixes
> > > today.
> >
> > apparently someone else did a NMU with the new version and incorrectly
> > closed the bug.
>
> You mean the NMU by Sebastian?

Yes

> > I reopened the bug because stable needs to be addressed (which I will do
> > today as I just wrote) and then it's probably worth investigating how to
> > integrate those NMU into the git repo
>
> Actually you do not need to reopen. A bug can be closed with multiple
> versions, that is 2.2.12-0.1 closes it, but as well so does then the
> 2.2.9-1+deb12u1 upload and the 2.0.5-4.1+deb11u3 one.
>
> I think that was not the case several years ago, but nowadays BTS can
> handle that, and will reflect it nicely as well in the version graph.
>
> Or were you meaning something different?

Ah ok good, then I will add the extra versions if they are not there already
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
On Sun, Sep 10, 2023 at 01:38:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Antonio,
>
> FWIW, I have done the bookworm-security upload already to
> security-master, and still working on the bullseye-security one (with
> plan to release the DSA tonight ideally).

Ack, thanks for the update, I assume this was a particularly serious issue
that had to be handled immediately!
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
Hi,

On Sun, Sep 10, 2023 at 01:38:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Antonio,
>
> On Sun, Sep 10, 2023 at 01:05:31PM +0200, Antonio Radici wrote:
> > On Sat, Sep 09, 2023 at 10:23:32PM +0200, Salvatore Bonaccorso wrote:
> > > Source: mutt
> > > Version: 2.2.9-1
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > >
> > > Hi,
> > >
> > > The following vulnerabilities were published for mutt.
> > >
> > > CVE-2023-4874[0]:
> > > | Null pointer dereference when viewing a specially crafted email in
> > > | Mutt >1.5.2 <2.2.12
> > >
> > > CVE-2023-4875[1]:
> > > | Null pointer dereference when composing from a specially crafted
> > > | draft message in Mutt >1.5.2 <2.2.12
> > >
> > > Make sure to include all three commits referenced from [2], the last
> > > one is technically not part of the two CVEs, but another crash found
> > > by upstream.
> > >
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2023-4874
> > >     https://www.cve.org/CVERecord?id=CVE-2023-4874
> > > [1] https://security-tracker.debian.org/tracker/CVE-2023-4875
> > >     https://www.cve.org/CVERecord?id=CVE-2023-4875
> > > [2] http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/56.html
> > >
> > > Please adjust the affected versions in the BTS as needed.
> >
> > Thanks for raising this, I'm uploading the new packages with the fixes
> > today.
>
> FWIW, I have done the bookworm-security upload already to
> security-master, and still working on the bullseye-security one (with
> plan to release the DSA tonight ideally).

Here are the debdiffs for those.
Regards, Salvatore diff -Nru mutt-2.0.5/debian/changelog mutt-2.0.5/debian/changelog --- mutt-2.0.5/debian/changelog 2022-12-07 22:39:58.0 +0100 +++ mutt-2.0.5/debian/changelog 2023-09-10 13:53:23.0 +0200 @@ -1,3 +1,14 @@ +mutt (2.0.5-4.1+deb11u3) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix rfc2047 base64 decoding to abort on illegal characters. +(CVE-2023-4874, CVE-2023-4875) (Closes: #1051563) + * Check for NULL userhdrs. (CVE-2023-4875) (Closes: #1051563) + * Fix write_one_header() illegal header check. (CVE-2023-4874) +(Closes: #1051563) + + -- Salvatore Bonaccorso Sun, 10 Sep 2023 13:53:23 +0200 + mutt (2.0.5-4.1+deb11u2) bullseye; urgency=medium * Non-maintainer upload. diff -Nru mutt-2.0.5/debian/patches/series mutt-2.0.5/debian/patches/series --- mutt-2.0.5/debian/patches/series2022-12-07 22:39:58.0 +0100 +++ mutt-2.0.5/debian/patches/series2023-09-10 13:53:23.0 +0200 @@ -18,3 +18,6 @@ upstream/Fix-gpgme-crash-when-listing-keys-in-a-public-key-bl.patch upstream/Fix-public-key-block-listing-for-old-versions-of-gpg.patch upstream/Add-a-check-for-key-uids-in-create_recipient_set.patch +upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch +upstream/Check-for-NULL-userhdrs.patch +upstream/Fix-write_one_header-illegal-header-check.patch diff -Nru mutt-2.0.5/debian/patches/upstream/Check-for-NULL-userhdrs.patch mutt-2.0.5/debian/patches/upstream/Check-for-NULL-userhdrs.patch --- mutt-2.0.5/debian/patches/upstream/Check-for-NULL-userhdrs.patch 1970-01-01 01:00:00.0 +0100 +++ mutt-2.0.5/debian/patches/upstream/Check-for-NULL-userhdrs.patch 2023-09-10 13:53:23.0 +0200 
@@ -0,0 +1,50 @@ +From: Kevin McCarthy +Date: Mon, 4 Sep 2023 12:50:07 +0800 +Subject: Check for NULL userhdrs. +Origin: https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6 +Bug-Debian: https://bugs.debian.org/1051563 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4875 + +When composing an email, miscellaneous extra headers are stored in a +userhdrs list. Mutt first checks to ensure each header contains at +least a colon character, passes the entire userhdr field (name, colon, +and body) to the rfc2047 decoder, and safe_strdup()'s the result on +the userhdrs list. An empty result would from the decode would result +in a NULL headers being added to list. + +The previous commit removed the possibility of the decoded header +field being empty, but it's prudent to add a check to the strchr +calls, in case there is another unexpected bug resulting in one. + +Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr +crashes, giving a working example draft message, and providing the +stack traces for the two NULL derefences. +--- + sendlib.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sendlib.c b/sendlib.c +index c2283972f1d3..763bff4117f2 100644 +--- a/sendlib.c b/sendlib.c +@@ -2418,7 +2418,7 @@ int
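Review bot: the debian/changelog hunk tags all three entries with a CVE (the write_one_header() entry with CVE-2023-4874, the rfc2047 decoding entry with both), while the bug report quoted earlier in this thread says that of the three upstream commits referenced from the mutt-announce post "the last one is technically not part of the two CVEs, but another crash found by upstream". Please double-check which of the three that is so the changelog does not attribute a CVE to a commit that is only a related hardening; keeping (Closes: #1051563) on all three is fine either way since the bug asks for all of them.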
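Review bot: the Check-for-NULL-userhdrs.patch hunk is cut off right after the sendlib.c hunk header `@@ -2418,7 +2418,7 @@ int`, so the two changed lines the diffstat announces (`sendlib.c | 4 ++--`) are not visible in this mail, and neither are the other two patches that the debian/patches/series hunk adds (Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch and Fix-write_one_header-illegal-header-check.patch). Please resend the full debdiff, or confirm the three patches were taken unmodified from the commits named in their Origin: headers, so the NULL checks on both strchr() calls mentioned in the description can be verified; note also that series applies the rfc2047 fix before the NULL check, which matches the description's "The previous commit removed the possibility of the decoded header field being empty".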
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
Hi Antonio,

On Sun, Sep 10, 2023 at 01:24:10PM +0200, Antonio Radici wrote:
> On Sun, Sep 10, 2023 at 01:05:31PM +0200, Antonio Radici wrote:
> > Thanks for raising this, I'm uploading the new packages with the fixes
> > today.
>
> apparently someone else did a NMU with the new version and incorrectly closed
> the bug.

You mean the NMU by Sebastian?

> I reopened the bug because stable needs to be addressed (which I will do today
> as I just wrote) and then it's probably worth investigating how to integrate
> those NMU into the git repo

Actually you do not need to reopen. A bug can be closed with multiple
versions, that is 2.2.12-0.1 closes it, but as well so does then the
2.2.9-1+deb12u1 upload and the 2.0.5-4.1+deb11u3 one.

I think that was not the case several years ago, but nowadays BTS can
handle that, and will reflect it nicely as well in the version graph.

Or were you meaning something different?

Regards,
Salvatore
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
Hi Antonio,

On Sun, Sep 10, 2023 at 01:05:31PM +0200, Antonio Radici wrote:
> On Sat, Sep 09, 2023 at 10:23:32PM +0200, Salvatore Bonaccorso wrote:
> > Source: mutt
> > Version: 2.2.9-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> > Hi,
> >
> > The following vulnerabilities were published for mutt.
> >
> > CVE-2023-4874[0]:
> > | Null pointer dereference when viewing a specially crafted email in
> > | Mutt >1.5.2 <2.2.12
> >
> > CVE-2023-4875[1]:
> > | Null pointer dereference when composing from a specially crafted
> > | draft message in Mutt >1.5.2 <2.2.12
> >
> > Make sure to include all three commits referenced from [2], the last
> > one is technically not part of the two CVEs, but another crash found
> > by upstream.
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-4874
> >     https://www.cve.org/CVERecord?id=CVE-2023-4874
> > [1] https://security-tracker.debian.org/tracker/CVE-2023-4875
> >     https://www.cve.org/CVERecord?id=CVE-2023-4875
> > [2] http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/56.html
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Thanks for raising this, I'm uploading the new packages with the fixes today.

FWIW, I have done the bookworm-security upload already to
security-master, and still working on the bullseye-security one (with
plan to release the DSA tonight ideally).

Regards,
Salvatore
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
On Sun, Sep 10, 2023 at 01:05:31PM +0200, Antonio Radici wrote:
> Thanks for raising this, I'm uploading the new packages with the fixes today.

apparently someone else did a NMU with the new version and incorrectly closed
the bug.

I reopened the bug because stable needs to be addressed (which I will do today
as I just wrote) and then it's probably worth investigating how to integrate
those NMU into the git repo
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
On Sat, Sep 09, 2023 at 10:23:32PM +0200, Salvatore Bonaccorso wrote:
> Source: mutt
> Version: 2.2.9-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Hi,
>
> The following vulnerabilities were published for mutt.
>
> CVE-2023-4874[0]:
> | Null pointer dereference when viewing a specially crafted email in
> | Mutt >1.5.2 <2.2.12
>
> CVE-2023-4875[1]:
> | Null pointer dereference when composing from a specially crafted
> | draft message in Mutt >1.5.2 <2.2.12
>
> Make sure to include all three commits referenced from [2], the last
> one is technically not part of the two CVEs, but another crash found
> by upstream.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-4874
>     https://www.cve.org/CVERecord?id=CVE-2023-4874
> [1] https://security-tracker.debian.org/tracker/CVE-2023-4875
>     https://www.cve.org/CVERecord?id=CVE-2023-4875
> [2] http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/56.html
>
> Please adjust the affected versions in the BTS as needed.

Thanks for raising this, I'm uploading the new packages with the fixes today.
Bug#1051563: mutt: CVE-2023-4874 CVE-2023-4875
Source: mutt
Version: 2.2.9-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for mutt.

CVE-2023-4874[0]:
| Null pointer dereference when viewing a specially crafted email in
| Mutt >1.5.2 <2.2.12

CVE-2023-4875[1]:
| Null pointer dereference when composing from a specially crafted
| draft message in Mutt >1.5.2 <2.2.12

Make sure to include all three commits referenced from [2], the last
one is technically not part of the two CVEs, but another crash found
by upstream.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4874
    https://www.cve.org/CVERecord?id=CVE-2023-4874
[1] https://security-tracker.debian.org/tracker/CVE-2023-4875
    https://www.cve.org/CVERecord?id=CVE-2023-4875
[2] http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/56.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore