
Bug#975616: buster-pu: package neomutt/neomutt_20180716+dfsg.1-1+deb10u2



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jmm@inutil.org, carnil@debian.org

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Same as bugs.debian.org/975514, except that one is for mutt and this one is for
neomutt. The patch is the same and it addresses the same CVE (CVE-2020-28896).

The security team is aware; they suggested going through buster-updates
rather than a DSA for this particular issue.

The debdiff is attached; I've also done an upload already.

[ Impact ]
Prevents login information from being sent over an encrypted connection when
certain conditions occur.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
See the "Reason" section.

[ Other info ]
(Anything else the release team should know.)

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru neomutt-20180716+dfsg.1/debian/changelog neomutt-20180716+dfsg.1/debian/changelog
--- neomutt-20180716+dfsg.1/debian/changelog	2020-06-20 07:42:44.000000000 +0200
+++ neomutt-20180716+dfsg.1/debian/changelog	2020-11-24 07:55:28.000000000 +0100
@@ -1,3 +1,11 @@
+neomutt (20180716+dfsg.1-1+deb10u2) buster; urgency=medium
+
+  * debian/patches:
+    + security/CVE-2020-28896.patch: handle the relevant CVE to stop sending
+      login information over an encrypted connections in certain conditions.
+
+ -- Antonio Radici <antonio@debian.org>  Tue, 24 Nov 2020 07:55:28 +0100
+
 neomutt (20180716+dfsg.1-1+deb10u1) buster-security; urgency=high
 
   * debian/patches:
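Review bot: the bullet in the new deb10u2 entry inverts the impact: it says the patch stops sending login information "over an encrypted connections", while the commit message carried in security/CVE-2020-28896.patch says credentials could be sent over an unencrypted connection without $ssl_force_tls being consulted. Suggest "stop sending login credentials over an unencrypted connection when the IMAP server returns an invalid initial response" (singular "connection"). Quoting the commit id from the patch header (04b06aaa3e0c) in the bullet would also let a reader trace the change without opening the patch.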
diff -Nru neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch
--- neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch	1970-01-01 01:00:00.000000000 +0100
+++ neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch	2020-11-24 07:55:28.000000000 +0100
@@ -0,0 +1,39 @@
+From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Mon, 16 Nov 2020 10:20:21 -0800
+Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
+
+During connection, if the server provided an illegal initial response,
+Mutt "bailed", but did not actually close the connection.  The calling
+code unfortunately relied on the connection status to decide to
+continue with authentication, instead of checking the "bail" return
+value.
+
+This could result in authentication credentials being sent over an
+unencrypted connection, without $ssl_force_tls being consulted.
+
+Fix this by strictly closing the connection on any invalid response
+during connection.  The fix is intentionally small, to ease
+backporting.  A better fix would include removing the 'err_close_conn'
+label, and perhaps adding return value checking in the caller (though
+this change obviates the need for that).
+
+This addresses CVE-2020-28896.  Thanks to Gabriel Salles-Loustau for
+reporting the problem, and providing test cases to reproduce.
+---
+ imap/imap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -1110,9 +1110,9 @@
+ 
+ #ifdef USE_SSL
+ err_close_conn:
+-  imap_close_connection(idata);
+ #endif
+ bail:
++  imap_close_connection(idata);
+   FREE(&idata->capstr);
+   return -1;
+ }
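Review bot: with imap_close_connection(idata) moved from the USE_SSL-only err_close_conn label to bail:, it now runs on every failure path that jumps to bail, including ones taken before the socket was fully set up, so confirm that neomutt's imap_close_connection tolerates being called on a connection that is already closed or was never opened; the commit message says the fix was kept deliberately small, and err_close_conn is left in place as an empty label falling through to bail. The hunk carries mutt's line numbers (@@ -1110,9 +1110,9 @@) and no function-name context, so a dry run of the quilt series against neomutt 20180716's imap/imap.c, with a check that the USE_SSL guard name matches what neomutt uses there, belongs in the [Tests] section, which is currently empty. A DEP-3 Origin:/Bug-Debian: header above the git header would help later maintainers see where the patch came from.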
diff -Nru neomutt-20180716+dfsg.1/debian/patches/series neomutt-20180716+dfsg.1/debian/patches/series
--- neomutt-20180716+dfsg.1/debian/patches/series	2020-06-20 07:42:44.000000000 +0200
+++ neomutt-20180716+dfsg.1/debian/patches/series	2020-11-24 07:55:28.000000000 +0100
@@ -4,3 +4,4 @@
 misc/smime.rc.patch
 security/CVE-2020-14093.patch
 security/handle-starttls.patch
+security/CVE-2020-28896.patch

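The logic flaw described in the commit message above (an early "bail" that returned -1 but left the connection open, while the caller decided whether to authenticate from the connection state rather than from the return value) reduces to a few lines. The C model below is an added example written for this page, not mutt's or neomutt's code: the struct, the function names, the greeting strings and the caller are hypothetical, and only the shape of the bug and of the one-line fix mirror the patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not neomutt's or mutt's own code: just enough state to
 * show the "bail without closing" bug and its fix. */
enum conn_state { CONN_DISCONNECTED = 0, CONN_CONNECTED = 1 };

struct imap_data {
    enum conn_state state;   /* what the caller consults to decide on auth */
    int creds_sent;          /* set once the caller transmits credentials */
    const char *greeting;    /* constructed server greeting for this run */
};

static void close_connection(struct imap_data *d)
{
    d->state = CONN_DISCONNECTED;
}

/* An IMAP greeting must be an untagged OK or PREAUTH; anything else is illegal. */
static int greeting_is_legal(const char *g)
{
    return strncmp(g, "* OK", 4) == 0 || strncmp(g, "* PREAUTH", 9) == 0;
}

/* Vulnerable shape: on an illegal greeting we "bail" with -1, but the socket
 * stays open and state stays CONNECTED, and no TLS upgrade ever happened. */
static int open_connection_vuln(struct imap_data *d)
{
    d->state = CONN_CONNECTED;               /* TCP connect succeeded */
    if (!greeting_is_legal(d->greeting))
        goto bail;
    /* STARTTLS / ssl_force_tls handling would follow a legal greeting */
    return 0;
bail:
    return -1;                               /* bug: connection left open */
}

/* Fixed shape (what the one-line move in the patch achieves): every path
 * through bail: closes the connection before returning. */
static int open_connection_fixed(struct imap_data *d)
{
    d->state = CONN_CONNECTED;
    if (!greeting_is_legal(d->greeting))
        goto bail;
    return 0;
bail:
    close_connection(d);                     /* state is now DISCONNECTED */
    return -1;
}

/* The caller described in the commit message: it ignores the return value and
 * decides whether to send LOGIN from the connection state alone. */
static void login(struct imap_data *d, int (*open_fn)(struct imap_data *))
{
    (void)open_fn(d);                        /* return value never checked */
    if (d->state == CONN_CONNECTED)
        d->creds_sent = 1;                   /* LOGIN user password would go out here */
}

/* Returns 1 if credentials were transmitted for this greeting, 0 otherwise;
 * fixed selects the patched open function. */
int creds_sent_for(const char *greeting, int fixed)
{
    struct imap_data d = { CONN_DISCONNECTED, 0, greeting };
    login(&d, fixed ? open_connection_fixed : open_connection_vuln);
    return d.creds_sent;
}

int main(void)
{
    /* Constructed greetings: a legal IMAP banner and a non-IMAP response such
     * as an interposed service or an attacker might return. */
    const char *legal = "* OK IMAP4rev1 server ready";
    const char *illegal = "HTTP/1.1 400 Bad Request";

    printf("vulnerable, illegal greeting: creds sent = %d\n", creds_sent_for(illegal, 0));
    printf("fixed,      illegal greeting: creds sent = %d\n", creds_sent_for(illegal, 1));
    printf("fixed,      legal greeting:   creds sent = %d\n", creds_sent_for(legal, 1));
    return 0;
}
```

Build with cc -Wall and run: the vulnerable variant reports credentials sent on the illegal greeting, the fixed one does not, and both still authenticate on a legal greeting. The point of the fix is visible in the caller: it never looks at the return value, but once bail: closes the connection its state check fails closed anyway.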