Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.)

[ Reason ]
This is a fix for CVE-2020-28896. It was discussed with two members of the security team (Moritz Muehlenhoff and Salvatore Bonaccorso) whether to do a DSA; in the end it was decided, given that this requires a malicious server, to add it to the next point release, which is happening soon.

[ Impact ]
Same as the CVE, a malicious server could force the client to send the credential over an unencrypted connection.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
See impact.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
A two-line patch provided by the maintainer and checked by myself, already in unstable.

[ Other info ]
Security team is aware; I've already done the upload to shorten your review time.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog --- mutt-1.10.1/debian/changelog 2020-07-02 16:45:23.000000000 +0200 +++ mutt-1.10.1/debian/changelog 2020-11-23 09:26:09.000000000 +0100 @@ -1,3 +1,10 @@ +mutt (1.10.1-2.1+deb10u4) buster; urgency=medium + + * debian/patches: + + fix for CVE-2020-28896 located in security/CVE-2020-28896.patch. + + -- Antonio Radici <anto...@debian.org> Mon, 23 Nov 2020 09:26:09 +0100 + mutt (1.10.1-2.1+deb10u3) buster; urgency=medium * debian/patches: diff -Nru mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch --- mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch 2020-11-23 09:26:09.000000000 +0100 
@@ -0,0 +1,39 @@ +From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001 +From: Kevin McCarthy <ke...@8t8.us> +Date: Mon, 16 Nov 2020 10:20:21 -0800 +Subject: [PATCH] Ensure IMAP connection is closed after a connection error. + +During connection, if the server provided an illegal initial response, +Mutt "bailed", but did not actually close the connection. The calling +code unfortunately relied on the connection status to decide to +continue with authentication, instead of checking the "bail" return +value. + +This could result in authentication credentials being sent over an +unencrypted connection, without $ssl_force_tls being consulted. + +Fix this by strictly closing the connection on any invalid response +during connection. The fix is intentionally small, to ease +backporting. A better fix would include removing the 'err_close_conn' +label, and perhaps adding return value checking in the caller (though +this change obviates the need for that). + +This addresses CVE-2020-28896. Thanks to Gabriel Salles-Loustau for +reporting the problem, and providing test cases to reproduce. +--- + imap/imap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/imap/imap.c ++++ b/imap/imap.c +@@ -524,9 +524,9 @@ + + #if defined(USE_SSL) + err_close_conn: +- imap_close_connection (idata); + #endif + bail: ++ imap_close_connection (idata); + FREE (&idata->capstr); + return -1; + } diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series --- mutt-1.10.1/debian/patches/series 2020-07-02 16:44:08.000000000 +0200 +++ mutt-1.10.1/debian/patches/series 2020-11-23 09:24:54.000000000 +0100 @@ -16,4 +16,5 @@ security/CVE-2020-14093.patch security/CVE-2020-14154.patch security/CVE-not-yet-released.patch +security/CVE-2020-28896.patch upstream/imap-preauth-and-ssh-tunnel.patch
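Review bot: the debian/changelog entry for 1.10.1-2.1+deb10u4 names only the CVE number; a one-line description of the issue as the patch subject states it ("Ensure IMAP connection is closed after a connection error", credentials otherwise sent over an unencrypted connection) would let users reading the stable changelog judge the impact without looking up the CVE, and a `Closes:` reference belongs there if a Debian bug exists for it.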
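Review bot: in the new security/CVE-2020-28896.patch, the imap/imap.c hunk moves `imap_close_connection (idata);` from under the USE_SSL-only `err_close_conn:` label to after `bail:`, so every failure path that jumps to `bail:` now closes the socket, not just the SSL path; please confirm that `imap_close_connection()` is safe to call in every state from which `bail` is reached (including a failure before the connection was fully set up), since non-SSL builds did not close here before. The file also carries only git format-patch headers (From/Date/Subject); adding DEP-3 `Origin:` (upstream commit 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a) and `Bug:`/CVE reference lines would make the provenance machine-readable.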
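Review bot: the series hunk inserts security/CVE-2020-28896.patch before upstream/imap-preauth-and-ssh-tunnel.patch, which by its name is likely to touch imap/imap.c as well; the debdiff shows no refresh of that later patch, so please confirm that `quilt push -a` still applies cleanly in this order and that the `bail:`/`err_close_conn:` context the new patch expects is what the preceding security patches leave in place.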