Hello Mutt Users,

I've just released version 2.2.3. Instructions for downloading are available at <http://www.mutt.org/download.html>, or the tarball can be directly downloaded from <http://ftp.mutt.org/pub/mutt/>. Please take the time to verify the signature file against my public key[1].

This is a bug-fix release, addressing CVE-2022-1328: a buffer overread in the uuencoded decoder routine. For more details please see GitLab ticket 404: <https://gitlab.com/muttmua/mutt/-/issues/404>. The commit fixing this issue is at <https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5>

Also fixed was a possible integer overflow issue in the general iconv and rfc2047-conversion iconv functions. These are not believed to be exploitable.

A huge thank you to Tavis Ormandy for reporting these issues, suggesting a patch for the iconv issue, helping test, and providing constructive feedback. Hurray for the white-hats!

-Kevin

[1]
My public key is available at:
  - my personal website: https://www.8t8.us/configs/80316BDA.asc.pubkey
  - the mutt website: http://www.mutt.org/keys/kevin.key
  - the keys.openpgp.org network:
    https://keys.openpgp.org/vks/v1/by-fingerprint/8975A9B33AA37910385C5308ADEF768480316BDA
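As an added illustration of the bug class named in the announcement (this is example code, not mutt's decoder and not a reproduction of the fixed routine): every uuencoded line begins with a character stating how many output bytes the line carries, and a decoder that trusts that count without checking how many characters are actually present is the general shape of an overread in this kind of parser. The decoder below validates the declared count against the real line length and the output capacity before touching any input byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* uuencode maps each 6-bit value v to the character v + 32; '`' is the
 * conventional encoding of 0.  Decoding masks to 6 bits so stray high bits
 * cannot widen a value. */
#define UU_DEC(c) (((c) - ' ') & 077)

/* Decode one uuencoded line (without its trailing newline) into out.
 * Returns the number of bytes written, or -1 if the line is malformed:
 * the length character claims more bytes than the line actually carries,
 * the count exceeds the format's 45-byte line maximum, or the output
 * buffer is too small. */
int uu_decode_line(const char *line, size_t linelen,
                   unsigned char *out, size_t outcap)
{
    if (linelen == 0)
        return -1;
    size_t n = UU_DEC((unsigned char)line[0]);  /* declared output bytes */
    if (n > 45)
        return -1;
    size_t groups = (n + 2) / 3;                /* 4 chars per 3 output bytes */
    size_t needed = 1 + groups * 4;             /* length char + data chars */
    /* The key check: bound reads by the bytes we actually have, not by the
     * count the input claims. */
    if (linelen < needed || n > outcap)
        return -1;

    const unsigned char *p = (const unsigned char *)line + 1;
    size_t written = 0;
    for (size_t g = 0; g < groups; g++, p += 4) {
        unsigned b0 = UU_DEC(p[0]), b1 = UU_DEC(p[1]);
        unsigned b2 = UU_DEC(p[2]), b3 = UU_DEC(p[3]);
        unsigned char trio[3] = {
            (unsigned char)((b0 << 2) | (b1 >> 4)),
            (unsigned char)((b1 << 4) | (b2 >> 2)),
            (unsigned char)((b2 << 6) | b3)
        };
        for (int i = 0; i < 3 && written < n; i++)
            out[written++] = trio[i];
    }
    return (int)written;
}

/* Helper: decode a NUL-terminated line and compare with the expected bytes.
 * Returns 1 on an exact match, 0 on mismatch or a rejected (malformed) line. */
int uu_line_decodes_to(const char *line, const char *expected, size_t explen)
{
    unsigned char buf[45];
    int n = uu_decode_line(line, strlen(line), buf, sizeof buf);
    return n >= 0 && (size_t)n == explen && memcmp(buf, expected, explen) == 0;
}
```

The constructed line `#0V%T` is the uuencoding of the three bytes `Cat`; a line such as `M0V%T`, which declares 45 bytes but carries only four data characters, is rejected instead of being read past its end.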
