Debian Bug report logs - #1009734 - mutt: CVE-2022-1328
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 15 Apr 2022 19:30:02 UTC
Severity: important
Tags: security, upstream
Found in versions mutt/1.10.1-2.1+deb10u5, mutt/2.1.4-1, mutt/2.0.5-4.1, mutt/1.10.1-1
Fixed in version mutt/2.2.3-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Mutt maintainers <mutt@packages.debian.org>: Bug#1009734; Package src:mutt. (Fri, 15 Apr 2022 19:30:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Mutt maintainers <mutt@packages.debian.org>. (Fri, 15 Apr 2022 19:30:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: mutt
Version: 2.1.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.0.5-4.1
Control: found -1 1.10.1-2.1+deb10u5
Control: found -1 1.10.1-1
Control: clone -1 -2
Control: reassign -2 src:neomutt 20211029+dfsg1-1
Control: retitle -2 neomutt: CVE-2022-1328
Hi,
The following vulnerability was published for mutt, the issue
similarly has its sister in neomutt, so cloning the bug, [3] refers
to the fix in neomutt.
CVE-2022-1328[0]:
| Buffer Overflow in uudecoder in Mutt affecting all versions starting
| from 0.94.13 before 2.2.3 allows read past end of input line
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-1328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1328
[1] https://gitlab.com/muttmua/mutt/-/issues/404
[2] https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5
[3] https://gitlab.com/neomutt/neomutt/-/commit/ee7cb4e461c1cdf0ac14817b03687d5908b85f84
Regards,
Salvatore
Marked as found in versions mutt/2.0.5-4.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Apr 2022 19:30:04 GMT)
Marked as found in versions mutt/1.10.1-2.1+deb10u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Apr 2022 19:30:05 GMT)
Marked as found in versions mutt/1.10.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Apr 2022 19:30:05 GMT)
Bug 1009734 cloned as bug 1009735. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Apr 2022 19:30:06 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Sat, 16 Apr 2022 06:51:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 16 Apr 2022 06:51:05 GMT)
Message #18 received at 1009734-done@bugs.debian.org:
Source: mutt
Source-Version: 2.2.3-1
Fixed with the unstable upload.
----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----
Format: 1.8
Date: Fri, 15 Apr 2022 23:17:39 +0200
Source: mutt
Architecture: source
Version: 2.2.3-1
Distribution: unstable
Urgency: medium
Maintainer: Mutt maintainers <mutt@packages.debian.org>
Changed-By: Antonio Radici <antonio@debian.org>
Changes:
mutt (2.2.3-1) unstable; urgency=medium
.
* New upstream release.
+ includes fix for CVE-2022-1328.
* debian/patches:
+ all refreshed.
+ removed upstream/1001013-smtp-auth-regression.patch, already upstream.
----- End forwarded message -----
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sat Apr 16 13:10:08 2022