#2072 closed task (fixed)
Mutt 1.5.16
| Reported by: | Ag. Hatzimanikas | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 6.3 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
Version increment.
This version is a snapshot of the recent development activity and also fixes a buffer overflow that could be triggered by a malicious IMAP server.
Description. Takahashi Tamotsu discovered a buffer overflow that can cause a DoS, and possibly arbitrary code execution with the privs. of the user running mutt. Note that a user must visit a malicious IMAP server in order to be affected by this. Reference. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242
This affects all the versions of Mutt 1.4.2.1 (stable) and earlier. So users with the stable version they also have to upgrade to the 1.4.2.2 (current stable). A simple note to the book is sufficient. This could be placed for instance into the special note that already exists.
Another thing I would like to mention. Mutt install it's documentation into ${prefix}/doc/mutt by default. Now that's not bad,since there is already a symlink /usr/doc -> /usr/share/doc/ created earlier by lfs,but just for consistency,we can tell mutt to install the docs into the /usr/share/doc by using --with-docdir=/usr/share/doc/mutt configure switch,or --with-docdir=/usr/share/doc/mutt-$version. I tagged this ticket as blocker,since I believe it should be fixed before the release.
Change History (28)
comment:1 by , 19 years ago
| Severity: | blocker → normal |
|---|
comment:2 by , 19 years ago
No,this affect all the versions of mutt 1.4.2.1 and earlier,so we are vulnerable.
comment:3 by , 19 years ago
I'm not trying to argue here, I'm trying to understand.
You say it affects 1.4.x and earlier. BLFS is at 1.5.11. What am I missing here?
comment:4 by , 19 years ago
Whoops,forgive me for my poor english,sometimes it's difficult to think when you have an angry baby crying in your arms. And yes it affects and the development version. Sorry.
comment:5 by , 19 years ago
If we want, we can just patch the vulnerability for now. I know we're already using a development version, but maybe we don't want to add in all these other new commits until someone's played with them for a while.
(That's exactly what was committed to the 1.4 branch).
comment:6 by , 19 years ago
Dan the patch for 1.5.11 submitted. Please and, 'when and if' you update the book,don't forget the --with-docdir=/usr/share/doc/mutt switch.
comment:7 by , 19 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Whoops. I forgot all about this bug. Thanks for submitting the patch, Ag. Should go in the the docdir fix some time today.
comment:8 by , 19 years ago
| Milestone: | 6.2 → future |
|---|
Fixed security bug in r6284. Marking version upgrade as future.
comment:9 by , 18 years ago
| Milestone: | future → 6.2.1 |
|---|
comment:10 by , 18 years ago
| Summary: | Mutt 1.5.12 → Mutt 1.5.13 |
|---|
Updating the summary version. Also, Ag has reported that Mutt is closing in on a "stable" 1.6 version. Yay!
http://wiki.linuxfromscratch.org/blfs/ticket/2279#comment:9
comment:12 by , 18 years ago
About 1.5.14. This is a bug fixing release. There is absolutely no problem with the build. Builded in a system with gcc 4.1.2,glibc from cvs (patch from Dan) and 2.6.20 kernel.
Brendan will start now to apply the proposed patches to the tree. The patches are already tested thoroughly from the mutt community (there are not new stuff),although the mix up possible will bring some breakage. But considering the level of expertise of the mutt community,quite possible not.
There are some good stuff in there,here is a small lits -incomplete.
a.ESMTP patch. Libesmtp is an excellent library by the way,I am used it for sometime.
b.Assumed-charset
c.Public Key Association
d.Compressed-folders
e.Colorized status bar
f.trash-folder
etc...
The rest in time.
comment:13 by , 18 years ago
Version increment to 1.5.15. The summary should change to reflect the new version.
About this 1.5.15.
This is probable the last development release before the 1.6 release.
There are many applied patches, with the most serious the smtp patch by Brendan. I should also mention that my previous report about libesmtp is now required after the patch was false. The patch that depends in that library is aplied by the mutt-ng, and it's not the same.
And one last thing. Considering to add in the instructions the --enable-smtp switch.
Note: Maybe it's also wise to add the --with-ssl switch to enable pops:// and smtps://
follow-up: 15 comment:14 by , 18 years ago
About --enable-smtp, yet another note from trial and error: To be able to send messages through gmail's server, it needs mutt to link against cyrus-sasl (2.1.22 is fine), and the additional switch --with-sasl.
Thanks to Luis A. Florit for the confirmation.
Also, the documentation doesn't rebuild by default, so the part about rebuilding documentation and the optional dependencies libxslt, and lynx or w3m should be comment out. For the record a 'make makedoc-all' within the doc directory, should rebuild the docs. Anyway the diff shows only whitespace differences, so docs looks pretty much up to date.
Hmm, now I see that in the stable Book, we have Links listed as dependency, instead of lynx.
comment:15 by , 18 years ago
Replying to Ag.Hatzim:
Also, the documentation doesn't rebuild by default...
Sorry, but this is not true. It just checks for at least 2 of the needed tools (libxslt + lynx or w3m) and if they are present, it is trying to build the docs.
Anyway in reality, there is nothing to be gained by rebuilding the docs, because as I said in my previous comment, there is no actual difference (at least for this release and I am sure for the stable release which follows), so the statement about commenting out that part, still stands.
comment:16 by , 18 years ago
| Owner: | changed from to |
|---|---|
| Status: | assigned → new |
I just realized that I own this ticket. Ag is much better suited. Reassigning.
comment:17 by , 18 years ago
I forgot to mention that is a new functionality in 1.5.15, designed to help attaching multiple files in a single message (by using a wildcard), from command line and scripts.
Examples.
Previous behavior:
mutt -s "some subject" -a attachment1 -a attachment2 to@someadress.com < /dev/null
Current behavior:
mutt -s "some subject" -a *myattachments -- to@someadress.com </dev/null
the "--" separator is being used to treat the remaining argument as an address.
By the way. The 1.6 release will happen somewhere into summer.
Given the fact that there is no package freeze for LFS yet, and so for BLFS, I believe that we'll catch the next release of the book.
The users however are encouraged to upgrade to help testing.
comment:18 by , 18 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
| Summary: | Mutt 1.5.13 → Mutt 1.5.15 |
comment:19 by , 18 years ago
New development release 1.5.16.
This is primarily a bug fix release with only a couple of new features, most nottably the "next-unread-mailbox" function.
Note: There is no binding for this function by default (since there is no other key left, comma is the only one that maybe used for that matter). Actually that was committed at first, but this was reverted in r5149 after reactions from users who use the comma as a convenient key for macros. It happens to agree with this since I am using comma for 6 macros.
Anyway "bind index ,n next-unread-mailbox" it looks a sensible binding.
Also the '%s' in $folder_format changed and it is now similar to '%c' in $hdr_format (%4s looks good here).
On another matter. mutt-1.4.2.3 released. It's just 1.4.2.2 plus backported fixes for CVE-2007-2683 (gecos overflow) and CVE-2007-1558 (APOP MD5 collision attack). Users who still uses the 1.4* branch, may need to update their copies.
And lastly a qoute from Brendan.
"Looking at the number of bugs marked as blockers for 1.6*, I think we're not quite ready to announce release candidates yet. But the development focus from now on is to close those bugs and get 1.6 out the door."
comment:20 by , 18 years ago
| Milestone: | 6.2.1 → 6.3 |
|---|---|
| Summary: | Mutt 1.5.15 → Mutt 1.5.16 |
Ag, have you tested mutt-1.5.16? Seems OK to me, but I'm using only the bare minimum of mutt's functionality. Any regressions from 1.5.15?
comment:21 by , 18 years ago
Attached a patch for the book. I added the --enable-smtp by default. To me it's quite useful, and it doesn't mean you can't use your local MTA. Any suggestions on the command explanation? I also left out the --with-sasl since none of the other --with-* args are explained. Hopefully you know that if you need SMTP auth, you need sasl.
Can someone with the jadetex/openjade/opensp stack take a look at the pdf generation commands that are commented out? I think I figured out the steps to produce the pdf of the manual, but I can't test it.
comment:22 by , 18 years ago
Many thanks Dan!
That was much better than I expected and it's almost perfect.
Two minor things:
- It's not Links-2.1pre23 but lynx the actuall dependency and
- I think you forgot something to delete, young man :). You still apply the patch.
About the pdf generation, I am sorry but I have no idea, it's out of my interest for now.
Anyway, I am very pleased even without it, but if someone has the required knowledge to add the information in the book, that would be much more complete than I ever thought when I first started this ticket.
Oh and about the first question, yes I am using mutt-1.5.16 and it's still good old mutt. :) Seriously now, I am following mutt development and I didn't notice any serious bug report. I won't hesitate to report it here right away, if there is such a case.
Many thanks again.
comment:23 by , 18 years ago
Oh and another thing, just for the record.
Until 1.5.15 there was a required (build) dependency to which. It was used to locate md5,md5sum and openssl in hcachever.sh.
Which was removed in 1.5.16 for the favor of autoconf.
comment:24 by , 18 years ago
Good catches, Ag. I also now noticed that the HTML generation is actually lynx or w3m or elinks.
I'm applying this. I'll leave the PDF generation alone. Maybe I can ping Randy or Manuel to try it out. I think they usually have all the documentation toolchains installed.
comment:25 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Committed in r6805. Thanks for all your help, Ag. Keep me posted on the upstream status.
comment:26 by , 18 years ago
Please see bug 2911 and the reason of the attached diff. http://dev.mutt.org/trac/ticket/2911
I'm not sure blocker is required here. Best I can tell, the bug is only found in stable versions of Mutt. The book uses a dev version, so this bug shouldn't affect us. Right?