Bug#963107: "Encrypted connection unavailable" when using pre-authenticated connection

2020-06-23 Thread Antonio Radici
On Tue, Jun 23, 2020 at 03:03:06PM +, Joseph Nahmias wrote:
> Package: mutt
> Version: 1.10.1-2.1+deb10u2
> Followup-For: Bug #963107
> 
> Hello,
> 
> I can confirm that this bug bit me as well, and that the listed mitigation
> fixed the problem. Will the upstream fix be backported to Debian 
> stable/buster?
> 

Yeah that's something I'm thinking, I'm not sure though because the package is
still functional :(



Bug#963107: "Encrypted connection unavailable" when using pre-authenticated connection

2020-06-23 Thread Joseph Nahmias
Package: mutt
Version: 1.10.1-2.1+deb10u2
Followup-For: Bug #963107

Hello,

I can confirm that this bug bit me as well, and that the listed mitigation
fixed the problem. Will the upstream fix be backported to Debian stable/buster?

Thanks,
--Joe


-- Package-specific info:
Mutt 1.10.1 (2018-07-13)
Copyright (C) 1996-2016 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 4.19.0-9-686-pae (i686)
ncurses: ncurses 6.1.20181013 (compiled with 6.1)
libidn: 1.33 (compiled with 1.33)
hcache backend: tokyocabinet 1.4.48

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i686-linux-gnu/8/lto-wrapper
Target: i686-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-6' 
--with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs 
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr 
--with-gcc-major-version-only --program-suffix=-8 
--program-prefix=i686-linux-gnu- --enable-shared --enable-linker-build-id 
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix 
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu 
--enable-libstdcxx-debug --enable-libstdcxx-time=yes 
--with-default-libstdcxx-abi=new --enable-gnu-unique-object 
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie 
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto 
--enable-targets=all --enable-multiarch --disable-werror --with-arch-32=i686 
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic 
--enable-checking=release --build=i686-linux-gnu --host=i686-linux-gnu 
--target=i686-linux-gnu
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-6) 

Configure options: '--build=i686-linux-gnu' '--prefix=/usr' 
'--includedir=\${prefix}/include' '--mandir=\${prefix}/share/man' 
'--infodir=\${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--disable-silent-rules' '--libdir=\${prefix}/lib/i386-linux-gnu' 
'--libexecdir=\${prefix}/lib/i386-linux-gnu' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--with-mailpath=/var/mail' 
'--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' 
'--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' 
'--enable-sidebar' '--enable-nntp' '--enable-dotlock' '--disable-fmemopen' 
'--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' 
'--with-sasl' '--without-gdbm' '--without-bdb' '--without-qdbm' 
'--with-tokyocabinet' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 
-fdebug-prefix-map=/build/mutt-9S1n1N/mutt-1.10.1=. -fstack-protector-strong 
-Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'

Compilation CFLAGS: -Wall -pedantic -Wno-long-long -g -O2 
-fdebug-prefix-map=/build/mutt-9S1n1N/mutt-1.10.1=. -fstack-protector-strong 
-Wformat -Werror=format-security

Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
-USE_SSL_OPENSSL  +USE_SSL_GNUTLS  +USE_SASL  +USE_GSS  +HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  +HAVE_FUTIMENS  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  -HAVE_LIBIDN2  +HAVE_GETSID  
+USE_HCACHE  +USE_SIDEBAR  +USE_COMPRESSED  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"

To contact the developers, please mail to .
To report a bug, please contact the Mutt maintainers via gitlab:
https://gitlab.com/muttmua/mutt/issues


-- System Information:
Debian Release: 10.4
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-9-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages mutt depends on:
ii  libassuan02.5.2-1
ii  libc6 2.28-10
ii  libcom-err2   1.44.5-1+deb10u3
ii  libgnutls30   3.6.7-4+deb10u4
ii  libgpg-error0 1.35-1
ii  libgpgme111.12.0-6
ii  libgssapi-krb5-2  1.17-3
ii  libidn11  1.33-2.2
ii  libk5crypto3  1.17-3
ii  libkrb5-3 1.17-3
ii  libncursesw6  6.1+20181013-2+deb10u2
ii  libsasl2-22.1.27+dfsg-1+deb10u1
ii  libtinfo6 6.1+20181013-2+deb10u2
ii  libtokyocabinet9  1.4.48-12


Bug#963107: "Encrypted connection unavailable" when using pre-authenticated connection

2020-06-20 Thread Antonio Radici
tag -1 +pending
thanks

On Sat, Jun 20, 2020 at 08:19:32AM +0200, Antonio Radici wrote:
> On Fri, Jun 19, 2020 at 04:04:37PM -0700, Josh Triplett wrote:
> > On Thu, Jun 18, 2020 at 10:41:37PM -0700, Josh Triplett wrote:
> > > Package: mutt
> > > Version: 1.14.3-1
> > > Severity: important
> > > 
> > > "important" because it makes a previously working configuration
> > > unusable.
> > > 
> > > The fix for CVE-2020-14093 makes it so that when using a
> > > preauthenticated connection (using `set tunnel` to SSH to the IMAP
> > > server), mutt just prints "Encrypted connection unavailable" and refuses
> > > the connection. An strace shows that mutt successfully runs SSH and gets
> > > the preauthenticated IMAP connection.
> > > 
> > > I do not have any ssl-related options set. Best guess: the default
> > > ssl_starttls=yes makes mutt think it should starttls over preauth, which
> > > it now avoids due to the CVE.
> > 
> > I can confirm that setting ssl_starttls=no allows preauthenticated IMAP
> > connections using `set tunnel` to work again.
> > 
> 
> Created issue https://gitlab.com/muttmua/mutt/-/issues/250

Fix already in git, it will come up with 1.14.4-2



Bug#963107: "Encrypted connection unavailable" when using pre-authenticated connection

2020-06-20 Thread Antonio Radici
On Fri, Jun 19, 2020 at 04:04:37PM -0700, Josh Triplett wrote:
> On Thu, Jun 18, 2020 at 10:41:37PM -0700, Josh Triplett wrote:
> > Package: mutt
> > Version: 1.14.3-1
> > Severity: important
> > 
> > "important" because it makes a previously working configuration
> > unusable.
> > 
> > The fix for CVE-2020-14093 makes it so that when using a
> > preauthenticated connection (using `set tunnel` to SSH to the IMAP
> > server), mutt just prints "Encrypted connection unavailable" and refuses
> > the connection. An strace shows that mutt successfully runs SSH and gets
> > the preauthenticated IMAP connection.
> > 
> > I do not have any ssl-related options set. Best guess: the default
> > ssl_starttls=yes makes mutt think it should starttls over preauth, which
> > it now avoids due to the CVE.
> 
> I can confirm that setting ssl_starttls=no allows preauthenticated IMAP
> connections using `set tunnel` to work again.
> 

Thanks for the report, I'll file a bug upstream.



Bug#963107: "Encrypted connection unavailable" when using pre-authenticated connection

2020-06-20 Thread Antonio Radici
On Fri, Jun 19, 2020 at 04:04:37PM -0700, Josh Triplett wrote:
> On Thu, Jun 18, 2020 at 10:41:37PM -0700, Josh Triplett wrote:
> > Package: mutt
> > Version: 1.14.3-1
> > Severity: important
> > 
> > "important" because it makes a previously working configuration
> > unusable.
> > 
> > The fix for CVE-2020-14093 makes it so that when using a
> > preauthenticated connection (using `set tunnel` to SSH to the IMAP
> > server), mutt just prints "Encrypted connection unavailable" and refuses
> > the connection. An strace shows that mutt successfully runs SSH and gets
> > the preauthenticated IMAP connection.
> > 
> > I do not have any ssl-related options set. Best guess: the default
> > ssl_starttls=yes makes mutt think it should starttls over preauth, which
> > it now avoids due to the CVE.
> 
> I can confirm that setting ssl_starttls=no allows preauthenticated IMAP
> connections using `set tunnel` to work again.
> 

Created issue https://gitlab.com/muttmua/mutt/-/issues/250



Bug#963107: "Encrypted connection unavailable" when using pre-authenticated connection

2020-06-19 Thread Josh Triplett
On Thu, Jun 18, 2020 at 10:41:37PM -0700, Josh Triplett wrote:
> Package: mutt
> Version: 1.14.3-1
> Severity: important
> 
> "important" because it makes a previously working configuration
> unusable.
> 
> The fix for CVE-2020-14093 makes it so that when using a
> preauthenticated connection (using `set tunnel` to SSH to the IMAP
> server), mutt just prints "Encrypted connection unavailable" and refuses
> the connection. An strace shows that mutt successfully runs SSH and gets
> the preauthenticated IMAP connection.
> 
> I do not have any ssl-related options set. Best guess: the default
> ssl_starttls=yes makes mutt think it should starttls over preauth, which
> it now avoids due to the CVE.

I can confirm that setting ssl_starttls=no allows preauthenticated IMAP
connections using `set tunnel` to work again.



Bug#963107: "Encrypted connection unavailable" when using pre-authenticated connection

2020-06-18 Thread Josh Triplett
Package: mutt
Version: 1.14.3-1
Severity: important

"important" because it makes a previously working configuration
unusable.

The fix for CVE-2020-14093 makes it so that when using a
preauthenticated connection (using `set tunnel` to SSH to the IMAP
server), mutt just prints "Encrypted connection unavailable" and refuses
the connection. An strace shows that mutt successfully runs SSH and gets
the preauthenticated IMAP connection.

I do not have any ssl-related options set. Best guess: the default
ssl_starttls=yes makes mutt think it should starttls over preauth, which
it now avoids due to the CVE.

- Josh Triplett

-- Package-specific info:
Mutt 1.14.3 (2020-06-14)
Copyright (C) 1996-2020 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 5.6.0-1-amd64 (x86_64)
ncurses: ncurses 6.2.20200212 (compiled with 6.2)
libidn: 1.33 (compiled with 1.33)
hcache backend: tokyocabinet 1.4.48

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/9/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 9.3.0-13' 
--with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs 
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr 
--with-gcc-major-version-only --program-suffix=-9 
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id 
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix 
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu 
--enable-libstdcxx-debug --enable-libstdcxx-time=yes 
--with-default-libstdcxx-abi=new --enable-gnu-unique-object 
--disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib 
--with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch 
--disable-werror --with-arch-32=i686 --with-abi=m64 
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic 
--enable-offload-targets=nvptx-none=/build/gcc-9-F9gimE/gcc-9-9.3.0/debian/tmp-nvptx/usr,hsa
 --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu 
--host=x86_64-linux-gnu --target=x86_64-linux-gnu 
--with-build-config=bootstrap-lto-lean --enable-link-mutex
Thread model: posix
gcc version 9.3.0 (Debian 9.3.0-13) 

Configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=\${prefix}/include' '--mandir=\${prefix}/share/man' 
'--infodir=\${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--disable-option-checking' '--disable-silent-rules' 
'--libdir=\${prefix}/lib/x86_64-linux-gnu' 
'--libexecdir=\${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--with-mailpath=/var/mail' 
'--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' 
'--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' 
'--enable-sidebar' '--enable-nntp' '--enable-dotlock' '--disable-fmemopen' 
'--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' 
'--with-sasl' '--without-gdbm' '--without-bdb' '--without-qdbm' 
'--with-tokyocabinet' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 
-fdebug-prefix-map=/build/mutt-30SNLx/mutt-1.14.3=. -fstack-protector-strong 
-Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'

Compilation CFLAGS: -Wall -pedantic -Wno-long-long -g -O2 
-fdebug-prefix-map=/build/mutt-30SNLx/mutt-1.14.3=. -fstack-protector-strong 
-Wformat -Werror=format-security

Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
-USE_SSL_OPENSSL  +USE_SSL_GNUTLS  +USE_SASL  +USE_GSS  +HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  +HAVE_FUTIMENS  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  -HAVE_LIBIDN2  +HAVE_GETSID  
+USE_HCACHE  
+USE_SIDEBAR  +USE_COMPRESSED  +USE_INOTIFY  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"

To contact the developers, please mail to .
To report a bug, please contact the Mutt maintainers via gitlab:
https://gitlab.com/muttmua/mutt/issues


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-1-amd64 (SMP