Security update for neomutt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:10020-1 Final 1 1 2022-06-21T12:01:18Z current 2022-06-21T12:01:18Z 2022-06-21T12:01:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for neomutt This update for neomutt fixes the following issues: neomutt was updated to 20220429: * Bug Fixes * Do not crash on an invalid use_threads/sort combination * Fix: stuck browser cursor * Resolve (move) the cursor after <edit-label> * Index: fix menu size on new mail * Don't overlimit LMDB mmap size * OpenBSD y/n translation fix * Generic: split out OP_EXIT binding * Fix parsing of sendmail cmd * Fix: crash with menu_move_off=no * Newsrc: bugfix; nntp_user and nntp_pass ignored * Menu: ensure config changes cause a repaint * Mbox: fix sync duplicates * Make sure the index redraws all that's needed * Translations * 100% Chinese (Simplified) * 100% Czech * 100% German * 100% Hungarian * 100% Lithuanian * 100% Serbian * 100% Turkish * Docs * add missing pattern modifier ~I for external_search_command * Code * menu: eliminate custom_redraw() * modernise mixmaster * Kill global and Propagate display attach status through State- neomutt was updated to 20220415: * Security * Fix uudecode buffer overflow (CVE-2022-1328) * Features * Colours, colours, colours * Bug Fixes * Pager: fix pager_stop * Merge colours with normal * Color: disable mono command * Fix forwarding text attachments when honor_disposition is set * Pager: drop the nntp change-group bindings * Use mailbox_check flags coherently, add IMMEDIATE flag * Fix: tagging in attachment list * Fix: misalignment of mini-index * Make sure to update the menu size after a resort * Translations * 100% Hungarian * Build * Update acutest * Code * Unify pipe functions * Index: notify if navigation fails * Gui: set colour to be merged with normal * Fix: leak in tls_check_one_certificate() * Upstream * Flush iconv() in mutt_convert_string() * Fix integer overflow in mutt_convert_string() * Fix uudecode cleanup on unexpected eof update to 20220408: * Compose multipart emails * Fix screen mode after attempting decryption * imap: increase max size of oauth2 token * Fix autocrypt * Unify Alias/Query workflow * Fix colours * Say which file exists when saving attachments * Force SMTP authentication if `smtp_user` is set * Fix selecting the right email after limiting * Make sure we have enough memory for a new email * Don't overwrite with zeroes after unlinking the file * Fix crash when forwarding attachments * Fix help reformatting on window resize * Fix poll to use PollFdsCount and not PollFdsLen * regex: range check arrays strictly * Fix Coverity defects * Fix out of bounds write with long log lines * Apply `fast_reply` to 'to', 'cc', or 'bcc' * Prevent warning on empty emails * New default: `set rfc2047_parameters = yes` * 100% German * 100% Lithuanian * 100% Serbian * 100% Czech * 100% Turkish * 72% Hungarian * Improve header cache explanation * Improve description of some notmuch variables * Explain how timezones and `!`s work inside `%{}`, `%[]` and `%()` * Document config synonyms and deprecations * Create lots of GitHub Actions * Drop TravisCI * Add automated Fuzzing tests * Add automated ASAN tests * Create Dockers for building Centos/Fedora * Build fixes for Solaris 10 * New libraries: browser, enter, envelope * New configure options: `--fuzzing` `--debug-color` `--debug-queue` * Split Index/Pager GUIs/functions * Add lots of function dispatchers * Eliminate `menu_loop()` * Refactor function opcodes * Refactor cursor setting * Unify Alias/Query functions * Refactor Compose/Envelope functions * Modernise the Colour handling * Refactor the Attachment View * Eliminate the global `Context` * Upgrade `mutt_get_field()` * Refactor the `color quoted` code * Fix lots of memory leaks * Refactor Index resolve code * Refactor PatternList parsing * Refactor Mailbox freeing * Improve key mapping * Factor out charset hooks * Expose mutt_file_seek API * Improve API of `strto*` wrappers * imap QRESYNC fixes * Allow an empty To: address prompt * Fix argc==0 handling * Don't queue IMAP close commands * Fix IMAP UTF-7 for code points >= U+10000 * Don't include inactive messages in msgset generation update to 20211029 (boo#1185705, CVE-2021-32055): * Notmuch: support separate database and mail roots without .notmuch * fix notmuch crash on open failure * fix crypto crash handling pgp keys * fix ncrypt/pgp file_get_size return check * fix restore case-insensitive header sort * fix pager redrawing of long lines * fix notmuch: check database dir for xapian dir * fix notmuch: update index count after <entire-thread> * fix protect hash table against empty keys * fix prevent real_subj being set but empty * fix leak when saving fcc * fix leak after <edit-or-view-raw-message> * fix leak after trash to hidden mailbox * fix leak restoring postponed emails * fix new mail notifications * fix pattern compilation error for ( !>(~P) ) * fix menu display on window resize * Stop batch mode emails with no argument or recipients * Add sanitize call in print mailcap function * fix hdr_order to use the longest match * fix (un)setenv to not return an error with unset env vars * fix Imap sync when closing a mailbox * fix segfault on OpenBSD current * sidebar: restore sidebar_spoolfile colour * fix assert when displaying a file from the browser * fix exec command in compose * fix check_stats for Notmuch mailboxes * Fallback: Open Notmuch database without config * fix gui hook commands on startup * threads: implement the $use_threads feature * https://neomutt.org/feature/use-threads * hooks: allow a -noregex param to folder and mbox hooks * mailing lists: implement list-(un)subscribe using RFC2369 headers * mailcap: implement x-neomutt-nowrap flag * pager: add $local_date_header option * imap, smtp: add support for authenticating using XOAUTH2 * Allow <sync-mailbox> to fail quietly * imap: speed up server-side searches * pager: improve skip-quoted and skip-headers * notmuch: open database with user's configuration * notmuch: implement <vfolder-window-reset> * config: allow += modification of my_ variables * notmuch: tolerate file renames behind neomutt's back * pager: implement $pager_read_delay * notmuch: validate nm_query_window_timebase * notmuch: make $nm_record work in non-notmuch mailboxes * compose: add $greeting - a welcome message on top of emails * notmuch: show additional mail in query windows * imap: fix crash on external IMAP events * notmuch: handle missing libnotmuch version bumps * imap: add sanity check for qresync * notmuch: allow windows with 0 duration * index: fix index selection on <collapse-all> * imap: fix crash when sync'ing labels * search: fix searching by Message-Id in <mark-message> * threads: fix double sorting of threads * stats: don't check mailbox stats unless told * alias: fix crash on empty query * pager: honor mid-message config changes * mailbox: don't propagate read-only state across reopens * hcache: fix caching new labels in the header cache * crypto: set invalidity flags for gpgme/smime keys * notmuch: fix parsing of multiple type= * notmuch: validate $nm_default_url * messages: avoid unnecessary opening of messages * imap: fix seqset iterator when it ends in a comma * build: refuse to build without pcre2 when pcre2 is linked in ncurses The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-10020 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YAIJ2AOB7KV4ZEDS2ZHBBCKGSPYKSKDI/ E-Mail link for openSUSE-SU-2022:10020-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184787 SUSE Bug 1184787 https://bugzilla.suse.com/1185705 SUSE Bug 1185705 https://www.suse.com/security/cve/CVE-2021-32055/ SUSE CVE CVE-2021-32055 page https://www.suse.com/security/cve/CVE-2022-1328/ SUSE CVE CVE-2022-1328 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 neomutt-20220429-bp154.2.3.1 neomutt-doc-20220429-bp154.2.3.1 neomutt-lang-20220429-bp154.2.3.1 neomutt-20220429-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 neomutt-doc-20220429-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 neomutt-lang-20220429-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 neomutt-20220429-bp154.2.3.1 as a component of openSUSE Leap 15.4 neomutt-doc-20220429-bp154.2.3.1 as a component of openSUSE Leap 15.4 neomutt-lang-20220429-bp154.2.3.1 as a component of openSUSE Leap 15.4 Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends with a comma. NOTE: the $imap_qresync setting for QRESYNC is not enabled by default. CVE-2021-32055 SUSE Package Hub 15 SP4:neomutt-20220429-bp154.2.3.1 SUSE Package Hub 15 SP4:neomutt-doc-20220429-bp154.2.3.1 SUSE Package Hub 15 SP4:neomutt-lang-20220429-bp154.2.3.1 openSUSE Leap 15.4:neomutt-20220429-bp154.2.3.1 openSUSE Leap 15.4:neomutt-doc-20220429-bp154.2.3.1 openSUSE Leap 15.4:neomutt-lang-20220429-bp154.2.3.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YAIJ2AOB7KV4ZEDS2ZHBBCKGSPYKSKDI/ https://www.suse.com/security/cve/CVE-2021-32055.html CVE-2021-32055 https://bugzilla.suse.com/1185705 SUSE Bug 1185705 Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line CVE-2022-1328 SUSE Package Hub 15 SP4:neomutt-20220429-bp154.2.3.1 SUSE Package Hub 15 SP4:neomutt-doc-20220429-bp154.2.3.1 SUSE Package Hub 15 SP4:neomutt-lang-20220429-bp154.2.3.1 openSUSE Leap 15.4:neomutt-20220429-bp154.2.3.1 openSUSE Leap 15.4:neomutt-doc-20220429-bp154.2.3.1 openSUSE Leap 15.4:neomutt-lang-20220429-bp154.2.3.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YAIJ2AOB7KV4ZEDS2ZHBBCKGSPYKSKDI/ https://www.suse.com/security/cve/CVE-2022-1328.html CVE-2022-1328 https://bugzilla.suse.com/1198518 SUSE Bug 1198518