mutt: CVE-2022-1328

Related Vulnerabilities: CVE-2022-1328  

Debian Bug report logs - #1009734

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 Apr 2022 19:30:02 UTC

Severity: important

Tags: security, upstream

Found in versions mutt/1.10.1-2.1+deb10u5, mutt/2.1.4-1, mutt/2.0.5-4.1, mutt/1.10.1-1

Fixed in version mutt/2.2.3-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Mutt maintainers <mutt@packages.debian.org>:
Bug#1009734; Package src:mutt. (Fri, 15 Apr 2022 19:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Mutt maintainers <mutt@packages.debian.org>. (Fri, 15 Apr 2022 19:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mutt: CVE-2022-1328
Date: Fri, 15 Apr 2022 21:27:54 +0200
Source: mutt
Version: 2.1.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.0.5-4.1
Control: found -1 1.10.1-2.1+deb10u5
Control: found -1 1.10.1-1
Control: clone -1 -2
Control: reassign -2 src:neomutt 20211029+dfsg1-1
Control: retitle -2 neomutt: CVE-2022-1328

Hi,

The following vulnerability was published for mutt, the issue
similarly has its sister in neomutt, so cloning the bug, [3] refers
to the fix in neomutt.

CVE-2022-1328[0]:
| Buffer Overflow in uudecoder in Mutt affecting all versions starting
| from 0.94.13 before 2.2.3 allows read past end of input line


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1328
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1328
[1] https://gitlab.com/muttmua/mutt/-/issues/404
[2] https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5
[3] https://gitlab.com/neomutt/neomutt/-/commit/ee7cb4e461c1cdf0ac14817b03687d5908b85f84

Regards,
Salvatore
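
Added example, not part of the bug report and not mutt's or neomutt's code: in the uuencode format the first character of each line declares how many bytes the line encodes, and a decoder that trusts it can read past the end of the input line, which is the behaviour the CVE description names. This simplified C decoder validates the declared length against the characters actually present before decoding; the names uu_val and uu_decode_line and the sample lines are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* uuencode stores a 6-bit value v as the character v + 0x20 ('`' also means 0). */
static unsigned char uu_val(char c)
{
    return (unsigned char)((c - 0x20) & 0x3f);
}

/* Decode one uuencoded line into out (capacity outcap).
 * Returns the number of bytes written, or -1 when the declared length
 * needs more encoded characters than the line holds, or more room than out has. */
int uu_decode_line(const char *line, unsigned char *out, size_t outcap)
{
    size_t avail = strcspn(line, "\r\n");       /* characters before end of line */
    if (avail == 0)
        return -1;

    size_t declared = uu_val(line[0]);          /* untrusted: 0..63 bytes claimed */
    size_t needed = ((declared + 2) / 3) * 4;   /* encoded characters required */

    /* The check an unvalidated decoder lacks: never walk past the line end. */
    if (needed > avail - 1 || declared > outcap)
        return -1;

    const char *p = line + 1;
    size_t n = 0;
    for (size_t i = 0; i < needed; i += 4, p += 4) {
        unsigned char a = uu_val(p[0]), b = uu_val(p[1]);
        unsigned char c = uu_val(p[2]), d = uu_val(p[3]);
        unsigned char tri[3] = {
            (unsigned char)((a << 2) | (b >> 4)),
            (unsigned char)((b << 4) | (c >> 2)),
            (unsigned char)((c << 6) | d)
        };
        for (int k = 0; k < 3 && n < declared; k++)
            out[n++] = tri[k];
    }
    return (int)n;
}

int main(void)
{
    unsigned char buf[64];
    /* Constructed inputs: a valid line for "Cat", then a line claiming 45 bytes. */
    printf("valid line:     %d\n", uu_decode_line("#0V%T\n", buf, sizeof buf));
    printf("truncated line: %d\n", uu_decode_line("M0V%T\n", buf, sizeof buf));
    return 0;
}
```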



Marked as found in versions mutt/2.0.5-4.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Apr 2022 19:30:04 GMT)


Marked as found in versions mutt/1.10.1-2.1+deb10u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Apr 2022 19:30:05 GMT)


Marked as found in versions mutt/1.10.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Apr 2022 19:30:05 GMT)


Bug 1009734 cloned as bug 1009735. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Apr 2022 19:30:06 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 16 Apr 2022 06:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Apr 2022 06:51:05 GMT)


Message #18 received at 1009734-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1009734-done@bugs.debian.org
Cc: mutt@packages.debian.org, antonio@debian.org
Subject: ftpmaster@ftp-master.debian.org: Accepted mutt 2.2.3-1 (source) into unstable
Date: Sat, 16 Apr 2022 08:47:43 +0200
Source: mutt
Source-Version: 2.2.3-1

Fixed with the unstable upload.

----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Apr 2022 23:17:39 +0200
Source: mutt
Architecture: source
Version: 2.2.3-1
Distribution: unstable
Urgency: medium
Maintainer: Mutt maintainers <mutt@packages.debian.org>
Changed-By: Antonio Radici <antonio@debian.org>
Changes:
 mutt (2.2.3-1) unstable; urgency=medium
 .
   * New upstream release.
     + includes fix for CVE-2022-1328.
   * debian/patches:
     + all refreshed.
     + removed upstream/1001013-smtp-auth-regression.patch, already upstream.


----- End forwarded message -----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 16 13:10:08 2022; Machine Name: bembo
