Your message dated Thu, 30 May 2019 11:20:13 +0000
with message-id <[email protected]>
and subject line Bug#929017: fixed in mutt 1.10.1-2.1
has caused the Debian Bug report #929017,
regarding mutt: undefined behavior on huge integer in a RFC 2231 header
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
929017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929017
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mutt
Version: 1.10.1-2
Severity: serious
Tags: security upstream fixed-upstream

The rfc2231.c file contains:

      index = atoi (s);

where the string s is part of a RFC 2231 parameter in a header.
For instance, if in a message (invalid, but which can occur due
to spam, attack, etc.), one has:

  Content-Disposition: inline; filename*17="na"; filename*999999999999999999999999999999="me"

atoi() will be called on the string "999999999999999999999999999999",
which is undefined behavior and may have security implications
depending on the atoi() implementation.

I've just fixed this issue in the following commit:

  https://gitlab.com/muttmua/mutt/commit/3b6f6b829718ec8a7cf3eb6997d86e83e6c38567

-- Package-specific info:
Mutt 1.11.4+211 (79563636) vl-117499 (2019-05-13)
Copyright (C) 1996-2016 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 4.19.0-5-amd64 (x86_64)
ncurses: ncurses 6.1.20181013 (compiled with 6.1)
libidn: 1.33 (compiled with 1.33)

Compiler: Using built-in specs.
--- End Message ---
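
The failure mode described in the report above, with one way to parse the section number so that behaviour is defined on any input, as an added example (it is not the upstream mutt commit and not code from this thread). The function names and the MAX_SECTION_INDEX cap are assumptions of the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on continuation sections (an assumption of this
 * example, not a value taken from mutt or RFC 2231). */
#define MAX_SECTION_INDEX 9999

/* Parse the text after the first '*' of a parameter name, e.g. "17" or "0*".
 * Returns 0 and stores the index on success, -1 on malformed or too-large input. */
int parse_section_index(const char *s, int *index)
{
    char *end;
    long v;

    /* strtol() accepts leading whitespace and a sign; a section number has
     * neither, so require a digit first. This also rejects the empty string. */
    if (s == NULL || index == NULL || !isdigit((unsigned char)*s))
        return -1;

    errno = 0;
    v = strtol(s, &end, 10);   /* defined on overflow: LONG_MAX and ERANGE */
    if (errno == ERANGE || v > MAX_SECTION_INDEX)
        return -1;

    /* Only a single trailing '*' (extended-value marker) may follow the digits. */
    if (!(end[0] == '\0' || (end[0] == '*' && end[1] == '\0')))
        return -1;

    *index = (int)v;
    return 0;
}

/* Locate the section number in a full parameter name such as "filename*17". */
int rfc2231_param_index(const char *name, int *index)
{
    const char *star = name ? strchr(name, '*') : NULL;
    return star ? parse_section_index(star + 1, index) : -1;
}

int main(void)
{
    /* Constructed names, taken from the header shown in the report. */
    const char *names[] = { "filename*17", "filename*999999999999999999999999999999" };
    int idx;
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", names[i],
               rfc2231_param_index(names[i], &idx) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Unlike atoi(), strtol() reports out-of-range input through errno, so the 30-digit index from the report is rejected instead of producing an unspecified value.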
--- Begin Message ---
Source: mutt
Source-Version: 1.10.1-2.1

We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sat, 25 May 2019 09:57:12 +0100
Source: mutt
Binary: mutt mutt-dbgsym
Architecture: source amd64
Version: 1.10.1-2.1
Distribution: unstable
Urgency: medium
Maintainer: Mutt maintainers <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 mutt - text-based mailreader supporting MIME, GPG, PGP and threading
Closes: 929017
Changes:
 mutt (1.10.1-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply patch from upstream to prevent undefined behaviour when parsing
     invalid Content-Disposition mail headers. The atoi() function was being
     called on a number which can potentially overflow and thus can have
     security implications depending on the atoi() implementation.
     (Closes: #929017)
--- End Message ---

