Opened 16 years ago

Closed 16 years ago

Last modified 15 years ago

#2072 closed task (fixed)

Mutt 1.5.16

Reported by: Ag. Hatzimanikas Owned by: dnicholson@…
Priority: normal Milestone: 6.3
Component: BOOK Version: SVN
Severity: normal Keywords:


Version increment.

This version is a snapshot of the recent development activity and also fixes a buffer overflow that could be triggered by a malicious IMAP server.

Description. Takahashi Tamotsu discovered a buffer overflow that can cause a DoS, and possibly arbitrary code execution with the privs. of the user running mutt. Note that a user must visit a malicious IMAP server in order to be affected by this. Reference.

This affects all the versions of Mutt (stable) and earlier. So users with the stable version they also have to upgrade to the (current stable). A simple note to the book is sufficient. This could be placed for instance into the special note that already exists.

Another thing I would like to mention. Mutt install it's documentation into ${prefix}/doc/mutt by default. Now that's not bad,since there is already a symlink /usr/doc -> /usr/share/doc/ created earlier by lfs,but just for consistency,we can tell mutt to install the docs into the /usr/share/doc by using --with-docdir=/usr/share/doc/mutt configure switch,or --with-docdir=/usr/share/doc/mutt-$version. I tagged this ticket as blocker,since I believe it should be fixed before the release.

Attachments (2)

blfs-mutt-1.5.16.patch (8.4 KB ) - added by dnicholson@… 16 years ago.
Mutt-1.5.16 update
mutt_with_GnuTLS.diff (1.2 KB ) - added by Ag. Hatzimanikas 15 years ago.
Mutt linked against GnuTLS

Download all attachments as: .zip

Change History (28)

comment:1 by Randy McMurchy, 16 years ago

Severity: blockernormal

I'm not sure blocker is required here. Best I can tell, the bug is only found in stable versions of Mutt. The book uses a dev version, so this bug shouldn't affect us. Right?

comment:2 by Ag. Hatzimanikas, 16 years ago

No,this affect all the versions of mutt and earlier,so we are vulnerable.

comment:3 by Randy McMurchy, 16 years ago

I'm not trying to argue here, I'm trying to understand.

You say it affects 1.4.x and earlier. BLFS is at 1.5.11. What am I missing here?

comment:4 by Ag. Hatzimanikas, 16 years ago

Whoops,forgive me for my poor english,sometimes it's difficult to think when you have an angry baby crying in your arms. And yes it affects and the development version. Sorry.

comment:5 by dnicholson@…, 16 years ago

If we want, we can just patch the vulnerability for now. I know we're already using a development version, but maybe we don't want to add in all these other new commits until someone's played with them for a while.;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540;hp=cc548718c41f8ca18a217b675d7c70e1184c158d

(That's exactly what was committed to the 1.4 branch).

comment:6 by Ag. Hatzimanikas, 16 years ago

Dan the patch for 1.5.11 submitted. Please and, 'when and if' you update the book,don't forget the --with-docdir=/usr/share/doc/mutt switch.

comment:7 by dnicholson@…, 16 years ago

Owner: changed from blfs-book@… to dnicholson@…
Status: newassigned

Whoops. I forgot all about this bug. Thanks for submitting the patch, Ag. Should go in the the docdir fix some time today.

comment:8 by dnicholson@…, 16 years ago

Milestone: 6.2future

Fixed security bug in r6284. Marking version upgrade as future.

comment:9 by Randy McMurchy, 16 years ago

Milestone: future6.2.1

comment:10 by dnicholson@…, 16 years ago

Summary: Mutt 1.5.12Mutt 1.5.13

Updating the summary version. Also, Ag has reported that Mutt is closing in on a "stable" 1.6 version. Yay!

comment:11 by Ag. Hatzimanikas, 16 years ago

And as of 10 minutes ago,up to 1.5.14. :)

comment:12 by Ag. Hatzimanikas, 16 years ago

About 1.5.14. This is a bug fixing release. There is absolutely no problem with the build. Builded in a system with gcc 4.1.2,glibc from cvs (patch from Dan) and 2.6.20 kernel.

Brendan will start now to apply the proposed patches to the tree. The patches are already tested thoroughly from the mutt community (there are not new stuff),although the mix up possible will bring some breakage. But considering the level of expertise of the mutt community,quite possible not.

There are some good stuff in there,here is a small lits -incomplete.

a.ESMTP patch. Libesmtp is an excellent library by the way,I am used it for sometime.


c.Public Key Association


e.Colorized status bar



The rest in time.

comment:13 by Ag. Hatzimanikas, 16 years ago

Version increment to 1.5.15. The summary should change to reflect the new version.

About this 1.5.15.

This is probable the last development release before the 1.6 release.

There are many applied patches, with the most serious the smtp patch by Brendan. I should also mention that my previous report about libesmtp is now required after the patch was false. The patch that depends in that library is aplied by the mutt-ng, and it's not the same.

And one last thing. Considering to add in the instructions the --enable-smtp switch.

Note: Maybe it's also wise to add the --with-ssl switch to enable pops:// and smtps://

comment:14 by Ag. Hatzimanikas, 16 years ago

About --enable-smtp, yet another note from trial and error: To be able to send messages through gmail's server, it needs mutt to link against cyrus-sasl (2.1.22 is fine), and the additional switch --with-sasl.

Thanks to Luis A. Florit for the confirmation.

Also, the documentation doesn't rebuild by default, so the part about rebuilding documentation and the optional dependencies libxslt, and lynx or w3m should be comment out. For the record a 'make makedoc-all' within the doc directory, should rebuild the docs. Anyway the diff shows only whitespace differences, so docs looks pretty much up to date.

Hmm, now I see that in the stable Book, we have Links listed as dependency, instead of lynx.

in reply to:  14 comment:15 by Ag. Hatzimanikas, 16 years ago

Replying to Ag.Hatzim:

Also, the documentation doesn't rebuild by default...

Sorry, but this is not true. It just checks for at least 2 of the needed tools (libxslt + lynx or w3m) and if they are present, it is trying to build the docs.

Anyway in reality, there is nothing to be gained by rebuilding the docs, because as I said in my previous comment, there is no actual difference (at least for this release and I am sure for the stable release which follows), so the statement about commenting out that part, still stands.

comment:16 by dnicholson@…, 16 years ago

Owner: changed from dnicholson@… to Ag. Hatzimanikas
Status: assignednew

I just realized that I own this ticket. Ag is much better suited. Reassigning.

comment:17 by Ag. Hatzimanikas, 16 years ago

I forgot to mention that is a new functionality in 1.5.15, designed to help attaching multiple files in a single message (by using a wildcard), from command line and scripts.


Previous behavior:

mutt -s "some subject" -a attachment1 -a attachment2
< /dev/null

Current behavior:

mutt -s "some subject" -a *myattachments -- </dev/null

the "--" separator is being used to treat the remaining argument as an address.

By the way. The 1.6 release will happen somewhere into summer.

Given the fact that there is no package freeze for LFS yet, and so for BLFS, I believe that we'll catch the next release of the book.

The users however are encouraged to upgrade to help testing.

comment:18 by dnicholson@…, 16 years ago

Owner: changed from Ag. Hatzimanikas to dnicholson@…
Status: newassigned
Summary: Mutt 1.5.13Mutt 1.5.15

comment:19 by Ag. Hatzimanikas, 16 years ago

New development release 1.5.16.

This is primarily a bug fix release with only a couple of new features, most nottably the "next-unread-mailbox" function.

Note: There is no binding for this function by default (since there is no other key left, comma is the only one that maybe used for that matter). Actually that was committed at first, but this was reverted in r5149 after reactions from users who use the comma as a convenient key for macros. It happens to agree with this since I am using comma for 6 macros.

Anyway "bind index ,n next-unread-mailbox" it looks a sensible binding.

Also the '%s' in $folder_format changed and it is now similar to '%c' in $hdr_format (%4s looks good here).

On another matter. mutt- released. It's just plus backported fixes for CVE-2007-2683 (gecos overflow) and CVE-2007-1558 (APOP MD5 collision attack). Users who still uses the 1.4* branch, may need to update their copies.

And lastly a qoute from Brendan.

"Looking at the number of bugs marked as blockers for 1.6*, I think we're not quite ready to announce release candidates yet. But the development focus from now on is to close those bugs and get 1.6 out the door."

comment:20 by dnicholson@…, 16 years ago

Summary: Mutt 1.5.15Mutt 1.5.16

Ag, have you tested mutt-1.5.16? Seems OK to me, but I'm using only the bare minimum of mutt's functionality. Any regressions from 1.5.15?

by dnicholson@…, 16 years ago

Attachment: blfs-mutt-1.5.16.patch added

Mutt-1.5.16 update

comment:21 by dnicholson@…, 16 years ago

Attached a patch for the book. I added the --enable-smtp by default. To me it's quite useful, and it doesn't mean you can't use your local MTA. Any suggestions on the command explanation? I also left out the --with-sasl since none of the other --with-* args are explained. Hopefully you know that if you need SMTP auth, you need sasl.

Can someone with the jadetex/openjade/opensp stack take a look at the pdf generation commands that are commented out? I think I figured out the steps to produce the pdf of the manual, but I can't test it.

comment:22 by Ag. Hatzimanikas, 16 years ago

Many thanks Dan!

That was much better than I expected and it's almost perfect.

Two minor things:

  1. It's not Links-2.1pre23 but lynx the actuall dependency and
  2. I think you forgot something to delete, young man :). You still apply the patch.

About the pdf generation, I am sorry but I have no idea, it's out of my interest for now.

Anyway, I am very pleased even without it, but if someone has the required knowledge to add the information in the book, that would be much more complete than I ever thought when I first started this ticket.

Oh and about the first question, yes I am using mutt-1.5.16 and it's still good old mutt. :) Seriously now, I am following mutt development and I didn't notice any serious bug report. I won't hesitate to report it here right away, if there is such a case.

Many thanks again.

comment:23 by Ag. Hatzimanikas, 16 years ago

Oh and another thing, just for the record.

Until 1.5.15 there was a required (build) dependency to which. It was used to locate md5,md5sum and openssl in

Which was removed in 1.5.16 for the favor of autoconf.

comment:24 by dnicholson@…, 16 years ago

Good catches, Ag. I also now noticed that the HTML generation is actually lynx or w3m or elinks.

I'm applying this. I'll leave the PDF generation alone. Maybe I can ping Randy or Manuel to try it out. I think they usually have all the documentation toolchains installed.

comment:25 by dnicholson@…, 16 years ago

Resolution: fixed
Status: assignedclosed

Committed in r6805. Thanks for all your help, Ag. Keep me posted on the upstream status.

by Ag. Hatzimanikas, 15 years ago

Attachment: mutt_with_GnuTLS.diff added

Mutt linked against GnuTLS

comment:26 by Ag. Hatzimanikas, 15 years ago

Please see bug 2911 and the reason of the attached diff.

Note: See TracTickets for help on using tickets.