
Bug#975514: buster-pu: package mutt/1.10.1-2.1+deb10u4



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
This is a fix for CVE-2020-28896. I discussed with two members of the security
team (Moritz Muehlenhoff and Salvatore Bonaccorso) whether to do a DSA; in the
end it was decided, given that this requires a malicious server, to add it to
the next point release, which is happening soon.

[ Impact ]
As described in the CVE, a malicious server could force the client to send its
credentials over an unencrypted connection.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
See impact.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
A two line patch provided by the maintainer and checked by myself, already in
unstable.

[ Other info ]
The security team is aware; I've already done the upload to shorten your review
time.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog
--- mutt-1.10.1/debian/changelog	2020-07-02 16:45:23.000000000 +0200
+++ mutt-1.10.1/debian/changelog	2020-11-23 09:26:09.000000000 +0100
@@ -1,3 +1,10 @@
+mutt (1.10.1-2.1+deb10u4) buster; urgency=medium
+
+  * debian/patches:
+    + fix for CVE-2020-28896 located in security/CVE-2020-28896.patch.
+
+ -- Antonio Radici <antonio@debian.org>  Mon, 23 Nov 2020 09:26:09 +0100
+
 mutt (1.10.1-2.1+deb10u3) buster; urgency=medium
 
   * debian/patches:
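Review bot: the new changelog entry (`+ fix for CVE-2020-28896 located in security/CVE-2020-28896.patch.`) names the patch file but says nothing about what the vulnerability is, so a reader of the changelog cannot tell what changed without opening the patch. Suggest a one-line description in the entry itself, e.g. `+ security/CVE-2020-28896.patch: ensure the IMAP connection is closed after an invalid initial server response, so credentials are not sent over an unencrypted connection.`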
diff -Nru mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch
--- mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch	1970-01-01 01:00:00.000000000 +0100
+++ mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch	2020-11-23 09:26:09.000000000 +0100
@@ -0,0 +1,39 @@
+From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Mon, 16 Nov 2020 10:20:21 -0800
+Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
+
+During connection, if the server provided an illegal initial response,
+Mutt "bailed", but did not actually close the connection.  The calling
+code unfortunately relied on the connection status to decide to
+continue with authentication, instead of checking the "bail" return
+value.
+
+This could result in authentication credentials being sent over an
+unencrypted connection, without $ssl_force_tls being consulted.
+
+Fix this by strictly closing the connection on any invalid response
+during connection.  The fix is intentionally small, to ease
+backporting.  A better fix would include removing the 'err_close_conn'
+label, and perhaps adding return value checking in the caller (though
+this change obviates the need for that).
+
+This addresses CVE-2020-28896.  Thanks to Gabriel Salles-Loustau for
+reporting the problem, and providing test cases to reproduce.
+---
+ imap/imap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -524,9 +524,9 @@
+ 
+ #if defined(USE_SSL)
+  err_close_conn:
+-  imap_close_connection (idata);
+ #endif
+  bail:
++  imap_close_connection (idata);
+   FREE (&idata->capstr);
+   return -1;
+ }
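Review bot: moving `imap_close_connection (idata);` from `err_close_conn:` to `bail:` makes every error path in this function close the connection, including paths that reached `bail:` before and, in builds without USE_SSL, did not close at all; please confirm `imap_close_connection()` is safe to call when the connection was never fully established or is already closed, since `bail:` is now reached from all of those. The `err_close_conn:` label under `#if defined(USE_SSL)` is left as an empty label that falls through to `bail:`; that is harmless and the commit message says it is kept deliberately to keep the backport small, but a follow-up in unstable could drop the label and its `goto` sites.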
diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series
--- mutt-1.10.1/debian/patches/series	2020-07-02 16:44:08.000000000 +0200
+++ mutt-1.10.1/debian/patches/series	2020-11-23 09:24:54.000000000 +0100
@@ -16,4 +16,5 @@
 security/CVE-2020-14093.patch
 security/CVE-2020-14154.patch
 security/CVE-not-yet-released.patch
+security/CVE-2020-28896.patch
 upstream/imap-preauth-and-ssh-tunnel.patch
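Review bot: `security/CVE-2020-28896.patch` is queued before `upstream/imap-preauth-and-ssh-tunnel.patch`, which by its name also touches the IMAP code; since the CVE patch's hunk is anchored on the `err_close_conn:`/`bail:` labels near line 524 of imap/imap.c, it is worth confirming the whole series still applies without fuzz (`quilt push -a` on the unpacked source) rather than relying on the upload having built once.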

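The control-flow bug the upstream commit message describes, modeled as an added example (this is not mutt's code and not part of the bug report): a stripped-down connection struct, a "before" open routine that bails on an illegal greeting without closing, the fixed routine, and a caller that, like the one described, decides whether to authenticate from the connection status instead of the return value. The field names, the greeting check and the `/dev/null` file descriptor standing in for the socket are assumptions for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for the parts of mutt's IMAP_DATA this bug touches (hypothetical
 * field names, not mutt's). fd < 0 means "no connection". */
typedef struct {
    int fd;
    int tls;                 /* 1 once TLS has been negotiated */
    int login_sent_in_clear; /* 1 if LOGIN went out before TLS */
} imap_data;

static int conn_is_open(const imap_data *d) { return d->fd >= 0; }

static void open_conn(imap_data *d)
{
    /* /dev/null stands in for the TCP socket; only "fd >= 0" matters here. */
    d->fd = open("/dev/null", O_RDONLY);
    d->tls = 0;
    d->login_sent_in_clear = 0;
}

static void close_conn(imap_data *d)
{
    if (d->fd >= 0)
        close(d->fd);
    d->fd = -1;          /* safe to call twice */
}

/* RFC 3501 only allows an untagged OK, PREAUTH or BYE as the greeting. */
static int greeting_is_legal(const char *g)
{
    return strncmp(g, "* OK", 4) == 0 || strncmp(g, "* PREAUTH", 9) == 0 ||
           strncmp(g, "* BYE", 5) == 0;
}

/* "Before": on an illegal greeting we jump to bail and return -1, but the
 * socket stays open, so the caller still sees a live connection. */
static int open_connection_vuln(imap_data *d, const char *greeting)
{
    open_conn(d);
    if (!greeting_is_legal(greeting))
        goto bail;
    d->tls = 1;          /* STARTTLS / $ssl_force_tls handling would go here */
    return 0;
bail:
    return -1;
}

/* "After": the bail label closes the connection on every error path, which is
 * what moving imap_close_connection() to bail: achieves in the real patch. */
static int open_connection_fixed(imap_data *d, const char *greeting)
{
    open_conn(d);
    if (!greeting_is_legal(greeting))
        goto bail;
    d->tls = 1;
    return 0;
bail:
    close_conn(d);
    return -1;
}

/* Caller modeled on the flaw the commit message describes: it ignores the
 * return value and decides to authenticate from the connection status.
 * Returns 1 if credentials would have left over a cleartext connection. */
static int login_if_connected(int (*opener)(imap_data *, const char *),
                              const char *greeting)
{
    imap_data d = { -1, 0, 0 };
    int leaked;

    (void)opener(&d, greeting);   /* return value not checked, as in the bug */
    if (conn_is_open(&d)) {
        /* "a001 LOGIN user pass" would be written to d.fd at this point */
        d.login_sent_in_clear = !d.tls;
    }
    leaked = d.login_sent_in_clear;
    close_conn(&d);
    return leaked;
}

/* 1 = credentials leaked in clear, 0 = not. fixed selects before/after. */
int credentials_leak(int fixed, const char *greeting)
{
    return login_if_connected(fixed ? open_connection_fixed : open_connection_vuln,
                              greeting);
}

int main(void)
{
    const char *bad = "GARBAGE greeting\r\n";   /* constructed illegal greeting */
    printf("vulnerable, bad greeting:  leak=%d\n", credentials_leak(0, bad));
    printf("fixed,      bad greeting:  leak=%d\n", credentials_leak(1, bad));
    printf("fixed,      good greeting: leak=%d\n", credentials_leak(1, "* OK ready\r\n"));
    return 0;
}
```

The point the example makes is the one in the commit message: an error label that releases resources only on some paths lets a caller that checks state ("is the socket open?") rather than the result ("did the open step succeed?") proceed into authentication on a connection that never reached TLS. Closing in the shared `bail:` path fixes the caller's mistake without touching the caller.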