group.of.nepali.translators team mailing list archive

[Bug 1794278] Re: Security patches not applied to xenial mutt

 

I've uploaded a corrected version of mutt to the ubuntu-security-proposed
ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
and will release it to xenial-security after testing. Please report any
feedback you have here.

Thanks again for the report!

** Information type changed from Private Security to Public Security

** Also affects: mutt (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: mutt (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: mutt (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: mutt (Ubuntu Xenial)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: mutt (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1794278

Title:
  Security patches not applied to xenial mutt

Status in mutt package in Ubuntu:
  Fix Released
Status in mutt source package in Xenial:
  Triaged

Bug description:
  Hi,

  The version of mutt in 16.04 LTS (1.5.24-1ubuntu0.1) seems to be
  missing all ubuntu supplied security patches. In particular, the
  following list:

  ubuntu/mutt-CVE-2018-14349.patch
  ubuntu/mutt-CVE-2018-14350-CVE-2018-14358.patch
  ubuntu/mutt-CVE-2018-14351.patch
  ubuntu/mutt-CVE-2018-14352-CVE-2018-14353.patch
  ubuntu/mutt-CVE-2018-14354-CVE-2018-14357.patch
  ubuntu/mutt-CVE-2018-14355.patch
  ubuntu/mutt-CVE-2018-14356.patch
  ubuntu/mutt-CVE-2018-14359.patch
  ubuntu/mutt-CVE-2018-14362.patch

  ...is NOT applied to the standard mutt version, only to the "enhanced"
  version.

  Output of mutt -v shows the list of applied patches (see bottom):

  Mutt 1.5.24 (2015-08-30)
  Copyright (C) 1996-2009 Michael R. Elkins and others.
  Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
  Mutt is free software, and you are welcome to redistribute it
  under certain conditions; type `mutt -vv' for details.

  System: Linux 4.15.0-35-generic (x86_64)
  ncurses: ncurses 6.0.20160213 (compiled with 6.0)
  libidn: 1.32 (compiled with 1.32)
  hcache backend: tokyocabinet 1.4.48

  Compiler:
  Using built-in specs.
  COLLECT_GCC=gcc
  COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper
  Target: x86_64-linux-gnu
  Configured with: ../src/configure -v --with-pkgversion='Ubuntu 5.4.0-6ubuntu1~16.04.10' --with-bugurl=file:///usr/share/doc/gcc-5/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-5 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-5-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-5-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-5-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
  Thread model: posix
  gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) 

  Configure options: '--prefix=/usr' '--sysconfdir=/etc'
  '--mandir=/usr/share/man' '--with-docdir=/usr/share/doc'
  '--with-mailpath=/var/mail' '--disable-dependency-tracking'
  '--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache'
  '--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop'
  '--with-curses' '--with-gnutls' '--with-gss' '--with-idn'
  '--with-mixmaster' '--with-sasl' '--without-gdbm' '--without-bdb'
  '--without-qdbm' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu'
  'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall'
  'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
  'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/qdbm'

  Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat
  -Werror=format-security -Wall

  Compile options:
  -DOMAIN
  +DEBUG
  -HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
  +USE_POP  +USE_IMAP  +USE_SMTP  
  -USE_SSL_OPENSSL  +USE_SSL_GNUTLS  +USE_SASL  +USE_GSS  +HAVE_GETADDRINFO  
  +HAVE_REGCOMP  -USE_GNU_REGEX  
  +HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
  +HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
  +CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
  -EXACT_ADDRESS  -SUN_ATTACHMENT  
  +ENABLE_NLS  -LOCALES_HACK  +COMPRESSED  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  +HAVE_LANGINFO_YESEXPR  
  +HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  +HAVE_GETSID  +USE_HCACHE  
  -ISPELL
  SENDMAIL="/usr/sbin/sendmail"
  MAILPATH="/var/mail"
  PKGDATADIR="/usr/share/mutt"
  SYSCONFDIR="/etc"
  EXECSHELL="/bin/sh"
  MIXMASTER="mixmaster"
  To contact the developers, please mail to <mutt-dev@xxxxxxxx>.
  To report a bug, please visit http://bugs.mutt.org/.

  misc/am-maintainer-mode.patch
  features/ifdef.patch
  features/trash-folder.patch
  features/purge-message.patch
  features/imap_fast_trash.patch
  features/sensible_browser_position.patch
  features/compressed-folders.patch
  features/compressed-folders.debian.patch
  debian-specific/Muttrc.patch
  debian-specific/Md.etc_mailname_gethostbyname.patch
  debian-specific/use_usr_bin_editor.patch
  debian-specific/correct_docdir_in_man_page.patch
  debian-specific/dont_document_not_present_features.patch
  debian-specific/document_debian_defaults.patch
  debian-specific/assumed_charset-compat.patch
  debian-specific/467432-write_bcc.patch
  debian-specific/566076-build_doc_adjustments.patch
  misc/define-pgp_getkeys_command.patch
  misc/gpg.rc-paths.patch
  misc/smime.rc.patch
  misc/fix-configure-test-operator.patch
  upstream/531430-imapuser.patch
  upstream/543467-thread-segfault.patch
  upstream/548577-gpgme-1.2.patch
  upstream/553321-ansi-escape-segfault.patch
  upstream/528233-readonly-open.patch
  upstream/228671-pipe-mime.patch
  upstream/383769-score-match.patch
  upstream/603288-split-fetches.patch
  upstream/611410-no-implicit_autoview-for-text-html.patch
  upstream/771125-CVE-2014-9116-jessie.patch
  upstream/path_max.patch
  translations/update_german_translation.patch
  __separator__mutt.org.patch

  It would appear that the maintainer who applied the security patches
  was insufficiently aware of the hack used to generate the normal and
  patched versions of the package.

  cheers,
  Wessel Dankers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mutt/+bug/1794278/+subscriptions
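
The check the report performs by eye, written out as an added example (not part of the original bug report or of the mutt package): it compares the patch list at the end of `mutt -v` output against the nine patch names given in the report. The sample outputs are constructed, and `missing_patches`, `missing_count` and the `sample_*` helpers are names made up for this example.

```shell
#!/bin/sh
# Added example: report which security patches named in the bug report are
# absent from the patch list printed at the end of `mutt -v`.
# Real use (assumes mutt is installed):  mutt -v | missing_patches

# Patch names copied from the bug description.
EXPECTED_PATCHES='ubuntu/mutt-CVE-2018-14349.patch
ubuntu/mutt-CVE-2018-14350-CVE-2018-14358.patch
ubuntu/mutt-CVE-2018-14351.patch
ubuntu/mutt-CVE-2018-14352-CVE-2018-14353.patch
ubuntu/mutt-CVE-2018-14354-CVE-2018-14357.patch
ubuntu/mutt-CVE-2018-14355.patch
ubuntu/mutt-CVE-2018-14356.patch
ubuntu/mutt-CVE-2018-14359.patch
ubuntu/mutt-CVE-2018-14362.patch'

# Read `mutt -v` output on stdin; print each expected patch that is not
# listed. Whole-line fixed-string match, so a partial name never counts.
missing_patches() {
    applied=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
              grep '\.patch$' || true)
    printf '%s\n' "$EXPECTED_PATCHES" | while IFS= read -r p; do
        printf '%s\n' "$applied" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

missing_count() { missing_patches | wc -l | tr -d ' '; }

# Constructed sample: abbreviated tail of the standard build's output.
sample_standard() {
    cat <<'EOF'
Mutt 1.5.24 (2015-08-30)
upstream/771125-CVE-2014-9116-jessie.patch
upstream/path_max.patch
__separator__mutt.org.patch
EOF
}

# Constructed sample: same build with all but one security patch listed,
# indented the way the e-mailed report shows the output.
sample_partial() {
    sample_standard
    printf '%s\n' "$EXPECTED_PATCHES" | grep -v 'CVE-2018-14362' | sed 's/^/  /'
}

echo "standard build, missing: $(sample_standard | missing_count)"
echo "partial build, missing:  $(sample_partial | missing_patches)"
```

An empty result from `missing_patches` only shows that the binary advertises the patches in its version banner; the installed package version should still be compared against the security update once it is released.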