NeoMutt 2020-11-20
In addition to the usual share of bug fixes and enhancements, this release fixes a security vulnerability whereas an early error in communicating with an IMAP server was not properly detected as fatal, resulting in a potential for sensitive information (user, pass) being sent over an untrusted channel.
| % cat parent.xml | |
| <?xml version="1.0" standalone="no"?> | |
| <root xmlns:xi="http://www.w3.org/2001/XInclude"> | |
| <xi:include parse="text" href="text.txt"/> | |
| </root> | |
| % cat text.txt | |
| Here's some free text | |
| % xmllint --xinclude parent.xml |
| diff --git a/imap/msn.c b/imap/msn.c | |
| index cd8a8ef17..3e53a4a21 100644 | |
| --- a/imap/msn.c | |
| +++ b/imap/msn.c | |
| @@ -58,6 +58,11 @@ void imap_msn_reserve(struct MSN *msn, size_t num) | |
| */ | |
| void imap_msn_free(struct MSN *msn) | |
| { | |
| + struct Email **ep = NULL; | |
| + ARRAY_FOREACH(ep, msn) |
| source "~/.config/neomutt/set_private|" | |
| set imap_check_subscribed = yes | |
| set imap_authenticators = plain | |
| set imap_qresync = no | |
| set imap_condstore = no | |
| account-hook 'imaps://imap.gmail.com/' "\ | |
| set imap_user=$my_gmail_user ; \ | |
| set imap_login=$my_gmail_user ; \ |
| diff --git a/imap/command.c b/imap/command.c | |
| index a6bf3de1a..996a76d5e 100644 | |
| --- a/imap/command.c | |
| +++ b/imap/command.c | |
| @@ -186,6 +186,10 @@ static void cmd_handle_fatal(struct ImapAccountData *adata) | |
| mutt_clear_error(); | |
| adata->recovering = false; | |
| } | |
| + else | |
| + { |
| static void set_copy_flags(struct Email *e, bool decode, bool decrypt, | |
| CopyMessageFlags *cmflags, CopyHeaderFlags *chflags) | |
| { | |
| *cmflags = MUTT_CM_NO_FLAGS; | |
| *chflags = CH_UPDATE_LEN; | |
| assert(!(decode & decrypt)); | |
| const bool needs_decrypt = decrypt && (e->security & SEC_ENCRYPT); | |
| const bool want_pgp = WithCrypto & APPLICATION_PGP; |
| ==89336==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000001ac0 at pc 0x0000003e3e23 bp 0x7fffffff4ab0 sp 0x7fffffff4aa8 | |
| READ of size 8 at 0x612000001ac0 thread T0 | |
| #0 0x3e3e22 in ctx_free /usr/home/gahr/github/neomutt/context.c:60:42 | |
| #1 0x53d7b3 in change_folder_mailbox /usr/home/gahr/github/neomutt/index/index.c:691:7 | |
| #2 0x53e94d in change_folder_string /usr/home/gahr/github/neomutt/index/index.c:841:3 | |
| #3 0x522c68 in mutt_index_menu /usr/home/gahr/github/neomutt/index/index.c:2547:11 | |
| #4 0x464702 in main /usr/home/gahr/github/neomutt/main.c:1259:11 | |
| #5 0x3260ff in _start /usr/src/lib/csu/amd64/crt1.c:76:7 | |
| 0x612000001ac0 is located 256 bytes inside of 272-byte region [0x6120000019c0,0x612000001ad0) |
| ================================================================= | |
| ==22812==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000000f78 at pc 0x0000005f08f8 bp 0x7fffffffc720 sp 0x7fffffffc718 | |
| READ of size 8 at 0x60e000000f78 thread T0 | |
| #0 0x5f08f7 in window_get_focus /usr/home/gahr/github/neomutt/gui/mutt_window.c:775:22 | |
| #1 0x5f0874 in window_is_focused /usr/home/gahr/github/neomutt/gui/mutt_window.c:762:34 | |
| #2 0x5ea424 in msgwin_recalc /usr/home/gahr/github/neomutt/gui/msgwin.c:55:7 | |
| #3 0x5f0532 in window_recalc /usr/home/gahr/github/neomutt/gui/mutt_window.c:705:5 | |
| #4 0x5f0416 in window_redraw /usr/home/gahr/github/neomutt/gui/mutt_window.c:747:3 | |
| #5 0x5ead6b in msgwin_set_text /usr/home/gahr/github/neomutt/gui/msgwin.c:183:3 | |
| #6 0x49112c in log_disp_curses /usr/home/gahr/github/neomutt/mutt_logging.c:191:5 |
| #0 0x0000000000846086 in mutt_mem_free (ptr=0x10) at mutt/memory.c:73 | |
| #1 0x00000000006f6c48 in imap_edata_free (ptr=0x7fffffff4a70) at imap/edata.c:42 | |
| #2 0x00000000006e7415 in read_headers_fetch_new (m=0x6120000022c0, msn_begin=1, msn_end=12469, evalhc=true, maxuid=0x7fffffff5100, initial_download=true) at imap/message.c:1243 | |
| #3 0x00000000006dee99 in imap_read_headers (m=0x6120000022c0, msn_begin=1, msn_end=12469, initial_download=true) at imap/message.c:1423 | |
| #4 0x00000000006da6f2 in imap_mbox_open (m=0x6120000022c0) at imap/imap.c:2117 | |
| #5 0x00000000004aacf1 in mx_mbox_open (m=0x6120000022c0, flags=0 '\000') at mx.c:388 | |
| #6 0x000000000051dd9d in change_folder_mailbox (menu=0x610000000640, m=0x6120000022c0, oldcount=0x60600000d284, shared=0x60600000d220, read_only=false) at index/index.c:747 | |
| #7 0x000000000051e78e in change_folder_string (menu=0x610000000640, buf=0x619000006e80 "imaps://[email protected]@ptrcrt.ch/", buflen=1024, oldcount=0x60600000d284, shared=0x60600000d220, pager_return=0x7fffffff8cc0, rea |
| ==48869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001535a at pc 0x00000054e924 bp 0x7fffffff06f0 sp 0x7fffffff06e8 | |
| READ of size 2 at 0x61d00001535a thread T0 | |
| #0 0x54e923 in display_line /usr/home/gahr/github/neomutt/pager/dlg_pager.c:1904:64 | |
| #1 0x54835b in pager_custom_redraw /usr/home/gahr/github/neomutt/pager/dlg_pager.c:2143:13 | |
| #2 0x531d36 in mutt_pager /usr/home/gahr/github/neomutt/pager/dlg_pager.c:2522:5 | |
| #3 0x3cf8ec in mutt_display_message /usr/home/gahr/github/neomutt/commands.c:394:10 | |
| #4 0x50d1d3 in mutt_index_menu /usr/home/gahr/github/neomutt/index/dlg_index.c:2663:14 | |
| #5 0x46f2e9 in main /usr/home/gahr/github/neomutt/main.c:1258:7 | |
| 0x61d00001535a is located 10 bytes to the right of 2256-byte region [0x61d000014a80,0x61d000015350) |
