Bug#975616: buster-pu: package neomutt/neomutt_20180716+dfsg.1-1+deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jmm@inutil.org, carnil@debian.org
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
Same as bugs.debian.org/975514, except that one is for mutt, this one for
neomutt. The patch is the same and it addresses the same CVE (CVE-2020-28896).
The security team is aware; they suggested going the route of buster-updates
rather than a DSA for this particular issue.
debdiff is attached, I've also done an upload already.
[ Impact ]
Prevent login information from being sent over an encrypted connection when certain
conditions happen.
[ Tests ]
(What automated or manual tests cover the affected code?)
[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
See the "Reason" section.
[ Other info ]
(Anything else the release team should know.)
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru neomutt-20180716+dfsg.1/debian/changelog neomutt-20180716+dfsg.1/debian/changelog
--- neomutt-20180716+dfsg.1/debian/changelog 2020-06-20 07:42:44.000000000 +0200
+++ neomutt-20180716+dfsg.1/debian/changelog 2020-11-24 07:55:28.000000000 +0100
@@ -1,3 +1,11 @@
+neomutt (20180716+dfsg.1-1+deb10u2) buster; urgency=medium
+
+ * debian/patches:
+ + security/CVE-2020-28896.patch: handle the relevant CVE to stop sending
+ login information over an encrypted connections in certain conditions.
+
+ -- Antonio Radici <antonio@debian.org> Tue, 24 Nov 2020 07:55:28 +0100
+
neomutt (20180716+dfsg.1-1+deb10u1) buster-security; urgency=high
* debian/patches:
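Review bot: the new changelog bullet for security/CVE-2020-28896.patch says the fix stops sending login information "over an encrypted connections", while the commit message of the patch being added describes credentials being sent "over an unencrypted connection". Suggest rewording the entry to "over an unencrypted connection in certain conditions" so the changelog states the actual exposure and the singular/plural mismatch goes away.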
diff -Nru neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch
--- neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch 1970-01-01 01:00:00.000000000 +0100
+++ neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch 2020-11-24 07:55:28.000000000 +0100
@@ -0,0 +1,39 @@
+From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Mon, 16 Nov 2020 10:20:21 -0800
+Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
+
+During connection, if the server provided an illegal initial response,
+Mutt "bailed", but did not actually close the connection. The calling
+code unfortunately relied on the connection status to decide to
+continue with authentication, instead of checking the "bail" return
+value.
+
+This could result in authentication credentials being sent over an
+unencrypted connection, without $ssl_force_tls being consulted.
+
+Fix this by strictly closing the connection on any invalid response
+during connection. The fix is intentionally small, to ease
+backporting. A better fix would include removing the 'err_close_conn'
+label, and perhaps adding return value checking in the caller (though
+this change obviates the need for that).
+
+This addresses CVE-2020-28896. Thanks to Gabriel Salles-Loustau for
+reporting the problem, and providing test cases to reproduce.
+---
+ imap/imap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -1110,9 +1110,9 @@
+
+ #ifdef USE_SSL
+ err_close_conn:
+- imap_close_connection(idata);
+ #endif
+ bail:
++ imap_close_connection(idata);
+ FREE(&idata->capstr);
+ return -1;
+ }
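Review bot: in the imap/imap.c hunk, moving imap_close_connection(idata) under bail: makes every path that jumps to bail close the connection, not only the USE_SSL error path, so it is worth confirming that imap_close_connection() is safe on paths that reach bail before the connection is open or after it has already been closed; the visible context does not show those callers. The err_close_conn: label is left empty and falls through to bail:, which the commit message already notes as cleanup for a later change. The patch header carries the upstream From/Date/Subject lines but no DEP-3 Origin or Bug-Debian field; adding them would make the provenance of the backport explicit.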
diff -Nru neomutt-20180716+dfsg.1/debian/patches/series neomutt-20180716+dfsg.1/debian/patches/series
--- neomutt-20180716+dfsg.1/debian/patches/series 2020-06-20 07:42:44.000000000 +0200
+++ neomutt-20180716+dfsg.1/debian/patches/series 2020-11-24 07:55:28.000000000 +0100
@@ -4,3 +4,4 @@
misc/smime.rc.patch
security/CVE-2020-14093.patch
security/handle-starttls.patch
+security/CVE-2020-28896.patch