Bug#674245: marked as done (mutt silently truncates IMAP passwords longer than 63 bytes.)

[Debian Bug Tracking System]

Your message dated Wed, 05 Mar 2014 13:48:51 +0000
with message-id <e1wlcbn-0007dm...@franck.debian.org>
and subject line Bug#674245: fixed in mutt 1.5.22-1
has caused the Debian Bug report #674245,
regarding mutt silently truncates IMAP passwords longer than 63 bytes.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
674245: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674245
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: mutt
Severity: minor
Tags: upstream

Mutt uses a fixed-length buffer for passwords, 64-bytes wide.  The
last byte is for NULL termination, meaning that mutt will silently
truncate IMAP passwords longer than 63 bytes.

Upstream has doubled the buffer length in HEAD (6204:0fb6d7579fd1),
but obviously the Right Thing would be to either grow the buffer as
needed, or to complain to the user if the buffer is too long.

    [...]
    <twb> If I use '' quoting, they are the same except the very last character 
is truncated
    <brendan> wonder if we're using a 64-byte buffer or something
    <brendan> indeed we are
    <twb> Is this something you can just fix while we're talking, or do you 
want a proper bug report?
    <brendan> http://dev.mutt.org/hg/mutt/file/41a8d7dceb6c/account.h#l46
    <brendan> I could up the static number now, but a bug report would help 
track a better fix
    <brendan> 64-byte buffer means 63-byte passwords max
    <twb> Right, because of null termination
    <brendan> well, I'll double the length now.
    <twb> Ideally you want to either complain to the user if the password is 
too long to fit, or piss-fart around with arbitrary-length buffers
    <twb> As the "right" solution, I mean :-)
    <brendan> yes :)
    <brendan> mutt silently truncates strings all over the place when they get 
unusually long, so the proper fix could end up requiring some yak shaving.
    <CIA-144> ^C03Brendan Cully <bren...@kublai.com>^O ^C07HEAD^O * 
6204:0fb6d7579fd1^O ^C10^O/account.h:
    <CIA-144> http://dev.mutt.org/hg/mutt/rev/0fb6d7579fd1
    <CIA-144> Support passwords of up to 127 characters.
    <CIA-144> I received a report on IRC of a failure due to a 64-byte password.

--- End Message ---

--- Begin Message ---

Source: mutt
Source-Version: 1.5.22-1

We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 674...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <christoph.b...@credativ.de> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 Mar 2014 13:51:33 +0100
Source: mutt
Binary: mutt mutt-patched mutt-dbg
Architecture: source amd64
Version: 1.5.22-1
Distribution: unstable
Urgency: low
Maintainer: Antonio Radici <anto...@dyne.org>
Changed-By: Christoph Berg <christoph.b...@credativ.de>
Description: 
 mutt       - text-based mailreader supporting MIME, GPG, PGP and threading
 mutt-dbg   - debugging symbols for mutt
 mutt-patched - Mutt Mail User Agent with extra patches
Closes: 172960 413688 482883 509980 541241 546591 580677 592874 602145 631017 
668583 674245 675464 727264 732859
Changes: 
 mutt (1.5.22-1) unstable; urgency=low
 .
   Many thanks to Matteo and Evgeni for preparing this release!
 .
   [ Matteo F. Vescovi ]
   * Imported Upstream version 1.5.22 (Closes: #732859)
     - debian/patches/: patchset re-worked against v1.5.22 via gbp
       - __[tag]__ classification has been introduced with
         this release (gbp pq format)
       - all already-applied "upstream" patches were dropped
       - most of the patches required simple renaming
     - debian/rules: patch usage modified
       - mutt.org patch popping updated
       - patch path for README.patches updated
   * debian/control: Vcs-* fields updated
   * debian/: dh bump version 7 => 9
   * debian/source/format: 1.0 => 3.0 (quilt)
   * debian/control: S-V bump 3.9.2 => 3.9.5 (no changes needed)
 .
   [ Evgeni Golov ]
   * Refresh sidebar related patches.
     Update the main sidebar patch from OpenBSD, who have ported the latest
     upstream version of the patch to mutt 1.5.22.
   * Drop our sidebar-sorted patch, as upstream has support for sorting now.
   * Drop our sidebar-dotted in favor of Gentoo's sidebar-dotpathsep patch.
     Gentoo's patch has a configurable list of delimiters, which is nice.
   * Re-add sidebar-newonly patch
   * Do not segfault in sidebar-newonly (Closes: #546591)
   * Add nntp patch
   * Fix a warning during configure
     checking for idna_to_ascii_from_locale... no
     ../configure: line 12285: test: =: unary operator expected
 .
   [ Christoph Berg ]
   * Bugs fixed upstream:
       Closes: #631017: crash on group reply
       Closes: #674245: mutt silently truncates IMAP passwords longer than 63
         bytes
       Closes: #413688: GnuPG and GnuPG clients unsigned data injection
         vulnerability
       Closes: #541241: attachment type misdetection for small .tar.gz
       Closes: #580677: default keybindings override user defined ones
       Closes: #592874: User-defined settings are overriden by /etc/Muttrc
       Closes: #602145: Display problems for mbox-files > 2GiB
       Closes: #668583: SegFault on verifying gpg key for a message
       Closes: #675464: almost all colors are bright if bright is used for
         "normal"
       Closes: #172960: %r contains e-mail adress instead of key id
       Closes: #482883: removes custom headers on postpone+resume
       Closes: #509980: Mail-Followup-To removed when recalling postponed
         messages
   * Patches applied upstream are now removed:
       537061-dont-recode-saved-attachments.patch
       537694-segv-imap-headers.patch
       537818-emptycharset.patch
       568295-references.patch
       578087-header-strchr.patch
       584138-mx_update_context-segfault.patch
       608706-fix-spelling-errors.patch
       611412-bts-regexp.patch
       619216-gnutls-CN-validation.patch
       620854-pop3-segfault.patch
       624058-gnutls-deprecated-set-priority.patch
       624085-gnutls-deprecated-verify-peers.patch
   * Use autotools-dev to update configure.{sub,guess} (Closes: #727264)
   * Remove obsolete configure switches: --enable-inodesort --with-sharedir.
Checksums-Sha1: 
 033f1e4a04d2b0d44d61aa2055b4c61d3e204ae5 2182 mutt_1.5.22-1.dsc
 728a114cb3a44df373dbf1292fc34dd8321057dc 3782237 mutt_1.5.22.orig.tar.gz
 f31f46be68e66c04b2dacc7caeb671cb13ca6c19 127428 mutt_1.5.22-1.debian.tar.xz
 406d43b910e5b0502cb34f72c5816e069229b83b 1422732 mutt_1.5.22-1_amd64.deb
 a4e02824a58bc671572ff6331e631488796e14d8 399300 mutt-patched_1.5.22-1_amd64.deb
 addeb5038160e896a6835deedfa38eda5929e4b8 2256278 mutt-dbg_1.5.22-1_amd64.deb
Checksums-Sha256: 
 645ef15f8b7798ff57efdd437ec34a45b09037ca67a965d5bc06068f6704fe0d 2182 
mutt_1.5.22-1.dsc
 8feae890ed0758a5108bafaef27bd8fc9c378675acf25a3c620f2c7b7540f3a7 3782237 
mutt_1.5.22.orig.tar.gz
 457f27388ca5b1fd7a3395a329994f24d7626a914218133d17590ddd7636b2b0 127428 
mutt_1.5.22-1.debian.tar.xz
 9c43a3ceaaace33451c91a91ff94509e126a8344dc05288ceac5c1d31ff10f6c 1422732 
mutt_1.5.22-1_amd64.deb
 a8cf2bec96b5f2304c291abde331d95534129ba9b3eac86cb0ed7fb8c4d9a765 399300 
mutt-patched_1.5.22-1_amd64.deb
 16505ff97fa9fc9c79ba6ba932cd82d3594b9c7e2e445334d530035ab5dfb6b0 2256278 
mutt-dbg_1.5.22-1_amd64.deb
Files: 
 32254b38eda0764fd1908eac96d13715 2182 mail standard mutt_1.5.22-1.dsc
 48267aba1bc53db636777f4a1ec87cb6 3782237 mail standard mutt_1.5.22.orig.tar.gz
 370e55983c5c6088532bf718e79a32b0 127428 mail standard 
mutt_1.5.22-1.debian.tar.xz
 8ec8449a57ccbb7fe0ba9960cd915d0a 1422732 mail standard mutt_1.5.22-1_amd64.deb
 211a2082b3420902892d08cb735fcf3d 399300 mail extra 
mutt-patched_1.5.22-1_amd64.deb
 99c0900b22926d7177aaec003e75c562 2256278 debug extra 
mutt-dbg_1.5.22-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTFyhXAAoJEExaa6sS0qeu3REP/2Q4aJkpZRmwcobtalyKo02F
dFHXoGJN9C82cPzZ+nEoJiW12TORehoO1eCNWLM/8OSipQrDw2rRtsrm5IwvjSo7
GhkrtW02Uvumu9KMayedtJmwFMEbJLimiPFvALTk3di+PCUmZ507fLmLszLuiDXQ
Vnj0lR3dicbTIy0KZQfmzR4Nb25F0t0Y8QC0zN2m9Q3T7CLI9TX8qZ+f0nyNA0jC
ODWEUI3I0BKFDR1pPm8QRBp/d7dTaMAiu/jIcgtxZYWrfjVOOugoDpxji4Ex7BV0
OIfe1fgIoNQEnh/LIgUDcnxd+A+aP7eGzGLibwIJgpxrr3g5goVoxMHteaJzfn5l
pwSsiZU0aV8iXeUhBHk8OS5a/BNo+zy/8lifFL24H6L4a/EYvKo8sPyELtmGMZNP
mg/a7E4imbuGZX91BrHMk2Mf++gfmtHhfY9FNJnTfvkitL1r0TFJ8gNUVVB5OMx4
3duj9kb/2p0cNmOPicOpRTSN0rsZn2SxI8n4Mgq+gHcY5c3S8H9g73vbMPRME8Mr
Xu8EIr56nhlZbqxvo52d0feWkKUKDBt3KeDO2jbWChZ9wfB9sbhtCSRSErBVo99+
q6tdBhIggONZHaJL2y3BSCrM3W/rd4AA62qyCn0kr8ICwvrFV5AV/6EQTUthdkvs
/0W+CgIz4A7nVFrC1cRY
=dfRH
-----END PGP SIGNATURE-----

--- End Message ---