group.of.nepali.translators team mailing list archive
[Bug 1794278] Re: Security patches not applied to xenial mutt
This bug was fixed in the package mutt - 1.5.24-1ubuntu0.2
---------------
mutt (1.5.24-1ubuntu0.2) xenial-security; urgency=medium
  * SECURITY UPDATE: apply all fixes to both mutt and mutt-patched
    - debian/patches/series: re-order patch application (LP: #1794278)
 -- Steve Beattie <sbeattie@xxxxxxxxxx>  Wed, 26 Sep 2018 12:43:56 -0700
** Changed in: mutt (Ubuntu Xenial)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1794278
Title:
Security patches not applied to xenial mutt
Status in mutt package in Ubuntu:
Fix Released
Status in mutt source package in Xenial:
Fix Released
Bug description:
Hi,
The version of mutt in 16.04 LTS (1.5.24-1ubuntu0.1) seems to be
missing all Ubuntu-supplied security patches. In particular, the
following list:
ubuntu/mutt-CVE-2018-14349.patch
ubuntu/mutt-CVE-2018-14350-CVE-2018-14358.patch
ubuntu/mutt-CVE-2018-14351.patch
ubuntu/mutt-CVE-2018-14352-CVE-2018-14353.patch
ubuntu/mutt-CVE-2018-14354-CVE-2018-14357.patch
ubuntu/mutt-CVE-2018-14355.patch
ubuntu/mutt-CVE-2018-14356.patch
ubuntu/mutt-CVE-2018-14359.patch
ubuntu/mutt-CVE-2018-14362.patch
...is NOT applied to the standard mutt version, only to the "enhanced"
version.
Output of mutt -v shows the list of applied patches (see bottom):
Mutt 1.5.24 (2015-08-30)
Copyright (C) 1996-2009 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.
System: Linux 4.15.0-35-generic (x86_64)
ncurses: ncurses 6.0.20160213 (compiled with 6.0)
libidn: 1.32 (compiled with 1.32)
hcache backend: tokyocabinet 1.4.48
Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 5.4.0-6ubuntu1~16.04.10' --with-bugurl=file:///usr/share/doc/gcc-5/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-5 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-5-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-5-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-5-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
Configure options: '--prefix=/usr' '--sysconfdir=/etc' '--mandir=/usr/share/man' '--with-docdir=/usr/share/doc' '--with-mailpath=/var/mail' '--disable-dependency-tracking' '--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' '--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' '--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' '--with-sasl' '--without-gdbm' '--without-bdb' '--without-qdbm' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/qdbm'
Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall
Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL +USE_SETGID +USE_DOTLOCK +DL_STANDALONE +USE_FCNTL -USE_FLOCK
+USE_POP +USE_IMAP +USE_SMTP
-USE_SSL_OPENSSL +USE_SSL_GNUTLS +USE_SASL +USE_GSS +HAVE_GETADDRINFO
+HAVE_REGCOMP -USE_GNU_REGEX
+HAVE_COLOR +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_BKGDSET
+HAVE_CURS_SET +HAVE_META +HAVE_RESIZETERM
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME
-EXACT_ADDRESS -SUN_ATTACHMENT
+ENABLE_NLS -LOCALES_HACK +COMPRESSED +HAVE_WC_FUNCS +HAVE_LANGINFO_CODESET +HAVE_LANGINFO_YESEXPR
+HAVE_ICONV -ICONV_NONTRANS +HAVE_LIBIDN +HAVE_GETSID +USE_HCACHE
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"
To contact the developers, please mail to <mutt-dev@xxxxxxxx>.
To report a bug, please visit http://bugs.mutt.org/.
misc/am-maintainer-mode.patch
features/ifdef.patch
features/trash-folder.patch
features/purge-message.patch
features/imap_fast_trash.patch
features/sensible_browser_position.patch
features/compressed-folders.patch
features/compressed-folders.debian.patch
debian-specific/Muttrc.patch
debian-specific/Md.etc_mailname_gethostbyname.patch
debian-specific/use_usr_bin_editor.patch
debian-specific/correct_docdir_in_man_page.patch
debian-specific/dont_document_not_present_features.patch
debian-specific/document_debian_defaults.patch
debian-specific/assumed_charset-compat.patch
debian-specific/467432-write_bcc.patch
debian-specific/566076-build_doc_adjustments.patch
misc/define-pgp_getkeys_command.patch
misc/gpg.rc-paths.patch
misc/smime.rc.patch
misc/fix-configure-test-operator.patch
upstream/531430-imapuser.patch
upstream/543467-thread-segfault.patch
upstream/548577-gpgme-1.2.patch
upstream/553321-ansi-escape-segfault.patch
upstream/528233-readonly-open.patch
upstream/228671-pipe-mime.patch
upstream/383769-score-match.patch
upstream/603288-split-fetches.patch
upstream/611410-no-implicit_autoview-for-text-html.patch
upstream/771125-CVE-2014-9116-jessie.patch
upstream/path_max.patch
translations/update_german_translation.patch
__separator__mutt.org.patch
It would appear that the maintainer who applied the security patches
was insufficiently aware of the hack used to generate the normal and
patched versions of the package.
cheers,
Wessel Dankers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mutt/+bug/1794278/+subscriptions
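Added example, not part of the original bug report or of the mutt packaging: a check that compares the patch list printed by `mutt -v` against the security patches named in the report, and flags any of them that sit after the separator entry in a debian/patches/series file. The function names and both sample inputs are constructed for illustration; that the standard build stops applying patches at `__separator__mutt.org.patch` is an assumption drawn from the listing in the report, where it is the last entry.

```python
# Security patches named in the bug report (copied from the page).
EXPECTED = [
    "ubuntu/mutt-CVE-2018-14349.patch",
    "ubuntu/mutt-CVE-2018-14350-CVE-2018-14358.patch",
    "ubuntu/mutt-CVE-2018-14351.patch",
    "ubuntu/mutt-CVE-2018-14352-CVE-2018-14353.patch",
    "ubuntu/mutt-CVE-2018-14354-CVE-2018-14357.patch",
    "ubuntu/mutt-CVE-2018-14355.patch",
    "ubuntu/mutt-CVE-2018-14356.patch",
    "ubuntu/mutt-CVE-2018-14359.patch",
    "ubuntu/mutt-CVE-2018-14362.patch",
]
SEPARATOR = "__separator__mutt.org.patch"  # last entry in the report's listing

def applied_patches(mutt_v_output):
    """Patch names from `mutt -v`: single-token lines ending in .patch."""
    lines = (l.strip() for l in mutt_v_output.splitlines())
    return [l for l in lines if l.endswith(".patch") and len(l.split()) == 1]

def missing_patches(mutt_v_output, expected=EXPECTED):
    """Expected security patches the running binary does not report."""
    applied = set(applied_patches(mutt_v_output))
    return [p for p in expected if p not in applied]

def stranded_patches(series_text, expected=EXPECTED, separator=SEPARATOR):
    """Expected patches listed after the separator in a quilt series file.
    Assumption: the standard flavour is built from the entries before it."""
    entries = [l.split()[0] for l in series_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    if separator not in entries:
        return []
    tail = entries[entries.index(separator) + 1:]
    return [p for p in tail if p in expected]

# Constructed sample inputs (not taken from a real system).
SAMPLE_MUTT_V = """Mutt 1.5.24 (2015-08-30)
To report a bug, please visit http://bugs.mutt.org/.
upstream/path_max.patch
ubuntu/mutt-CVE-2018-14349.patch
__separator__mutt.org.patch
"""
SAMPLE_SERIES = """upstream/path_max.patch
__separator__mutt.org.patch
# constructed: security patch placed after the separator
ubuntu/mutt-CVE-2018-14349.patch
"""

if __name__ == "__main__":
    print("missing from binary:", missing_patches(SAMPLE_MUTT_V))
    print("after separator in series:", stranded_patches(SAMPLE_SERIES))
```

On a real system, pass the captured output of `mutt -v` to `missing_patches`; for the listing quoted in the report, which contains no `ubuntu/` entries, all nine patches would be returned.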