   openSUSE Security Update: Security update for neomutt
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10020-1
Rating:             moderate
References:         #1184787 #1185705
Cross-References:   CVE-2021-32055 CVE-2022-1328
CVSS scores:
                    CVE-2021-32055 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
                    CVE-2021-32055 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2022-1328 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2022-1328 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for neomutt fixes the following issues:

   neomutt was updated to 20220429:

   * Bug Fixes
     * Do not crash on an invalid use_threads/sort combination
     * Fix: stuck browser cursor
     * Resolve (move) the cursor after <edit-label>
     * Index: fix menu size on new mail
     * Don't overlimit LMDB mmap size
     * OpenBSD y/n translation fix
     * Generic: split out OP_EXIT binding
     * Fix parsing of sendmail cmd
     * Fix: crash with menu_move_off=no
     * Newsrc: bugfix; nntp_user and nntp_pass ignored
     * Menu: ensure config changes cause a repaint
     * Mbox: fix sync duplicates
     * Make sure the index redraws all that's needed
   * Translations
     * 100% Chinese (Simplified)
     * 100% Czech
     * 100% German
     * 100% Hungarian
     * 100% Lithuanian
     * 100% Serbian
     * 100% Turkish
   * Docs
     * add missing pattern modifier ~I for external_search_command
   * Code
     * menu: eliminate custom_redraw()
     * modernise mixmaster
     * Kill global and Propagate display attach status through State

   neomutt was updated to 20220415:

   * Security
     * Fix uudecode buffer overflow (CVE-2022-1328)
   * Features
     * Colours, colours, colours
   * Bug Fixes
     * Pager: fix pager_stop
     * Merge colours with normal
     * Color: disable mono command
     * Fix forwarding text attachments when honor_disposition is set
     * Pager: drop the nntp change-group bindings
     * Use mailbox_check flags coherently, add IMMEDIATE flag
     * Fix: tagging in attachment list
     * Fix: misalignment of mini-index
     * Make sure to update the menu size after a resort
   * Translations
     * 100% Hungarian
   * Build
     * Update acutest
   * Code
     * Unify pipe functions
     * Index: notify if navigation fails
     * Gui: set colour to be merged with normal
     * Fix: leak in tls_check_one_certificate()
   * Upstream
     * Flush iconv() in mutt_convert_string()
     * Fix integer overflow in mutt_convert_string()
     * Fix uudecode cleanup on unexpected eof

   update to 20220408:

   * Compose multipart emails
   * Fix screen mode after attempting decryption
   * imap: increase max size of oauth2 token
   * Fix autocrypt
   * Unify Alias/Query workflow
   * Fix colours
   * Say which file exists when saving attachments
   * Force SMTP authentication if `smtp_user` is set
   * Fix selecting the right email after limiting
   * Make sure we have enough memory for a new email
   * Don't overwrite with zeroes after unlinking the file
   * Fix crash when forwarding attachments
   * Fix help reformatting on window resize
   * Fix poll to use PollFdsCount and not PollFdsLen
   * regex: range check arrays strictly
   * Fix Coverity defects
   * Fix out of bounds write with long log lines
   * Apply `fast_reply` to 'to', 'cc', or 'bcc'
   * Prevent warning on empty emails
   * New default: `set rfc2047_parameters = yes`
   * 100% German
   * 100% Lithuanian
   * 100% Serbian
   * 100% Czech
   * 100% Turkish
   * 72% Hungarian
   * Improve header cache explanation
   * Improve description of some notmuch variables
   * Explain how timezones and `!`s work inside `%{}`, `%[]` and `%()`
   * Document config synonyms and deprecations
   * Create lots of GitHub Actions
   * Drop TravisCI
   * Add automated Fuzzing tests
   * Add automated ASAN tests
   * Create Dockers for building Centos/Fedora
   * Build fixes for Solaris 10
   * New libraries: browser, enter, envelope
   * New configure options: `--fuzzing` `--debug-color` `--debug-queue`
   * Split Index/Pager GUIs/functions
   * Add lots of function dispatchers
   * Eliminate `menu_loop()`
   * Refactor function opcodes
   * Refactor cursor setting
   * Unify Alias/Query functions
   * Refactor Compose/Envelope functions
   * Modernise the Colour handling
   * Refactor the Attachment View
   * Eliminate the global `Context`
   * Upgrade `mutt_get_field()`
   * Refactor the `color quoted` code
   * Fix lots of memory leaks
   * Refactor Index resolve code
   * Refactor PatternList parsing
   * Refactor Mailbox freeing
   * Improve key mapping
   * Factor out charset hooks
   * Expose mutt_file_seek API
   * Improve API of `strto*` wrappers
   * imap QRESYNC fixes
   * Allow an empty To: address prompt
   * Fix argc==0 handling
   * Don't queue IMAP close commands
   * Fix IMAP UTF-7 for code points >= U+10000
   * Don't include inactive messages in msgset generation

   update to 20211029 (boo#1185705, CVE-2021-32055):

   * Notmuch: support separate database and mail roots without .notmuch
   * fix notmuch crash on open failure
   * fix crypto crash handling pgp keys
   * fix ncrypt/pgp file_get_size return check
   * fix restore case-insensitive header sort
   * fix pager redrawing of long lines
   * fix notmuch: check database dir for xapian dir
   * fix notmuch: update index count after <entire-thread>
   * fix protect hash table against empty keys
   * fix prevent real_subj being set but empty
   * fix leak when saving fcc
   * fix leak after <edit-or-view-raw-message>
   * fix leak after trash to hidden mailbox
   * fix leak restoring postponed emails
   * fix new mail notifications
   * fix pattern compilation error for ( !>(~P) )
   * fix menu display on window resize
   * Stop batch mode emails with no argument or recipients
   * Add sanitize call in print mailcap function
   * fix hdr_order to use the longest match
   * fix (un)setenv to not return an error with unset env vars
   * fix Imap sync when closing a mailbox
   * fix segfault on OpenBSD current
   * sidebar: restore sidebar_spoolfile colour
   * fix assert when displaying a file from the browser
   * fix exec command in compose
   * fix check_stats for Notmuch mailboxes
   * Fallback: Open Notmuch database without config
   * fix gui hook commands on startup
   * threads: implement the $use_threads feature
   * https://neomutt.org/feature/use-threads
   * hooks: allow a -noregex param to folder and mbox hooks
   * mailing lists: implement list-(un)subscribe using RFC2369 headers
   * mailcap: implement x-neomutt-nowrap flag
   * pager: add $local_date_header option
   * imap, smtp: add support for authenticating using XOAUTH2
   * Allow <sync-mailbox> to fail quietly
   * imap: speed up server-side searches
   * pager: improve skip-quoted and skip-headers
   * notmuch: open database with user's configuration
   * notmuch: implement <vfolder-window-reset>
   * config: allow += modification of my_ variables
   * notmuch: tolerate file renames behind neomutt's back
   * pager: implement $pager_read_delay
   * notmuch: validate nm_query_window_timebase
   * notmuch: make $nm_record work in non-notmuch mailboxes
   * compose: add $greeting - a welcome message on top of emails
   * notmuch: show additional mail in query windows
   * imap: fix crash on external IMAP events
   * notmuch: handle missing libnotmuch version bumps
   * imap: add sanity check for qresync
   * notmuch: allow windows with 0 duration
   * index: fix index selection on <collapse-all>
   * imap: fix crash when sync'ing labels
   * search: fix searching by Message-Id in <mark-message>
   * threads: fix double sorting of threads
   * stats: don't check mailbox stats unless told
   * alias: fix crash on empty query
   * pager: honor mid-message config changes
   * mailbox: don't propagate read-only state across reopens
   * hcache: fix caching new labels in the header cache
   * crypto: set invalidity flags for gpgme/smime keys
   * notmuch: fix parsing of multiple type=
   * notmuch: validate $nm_default_url
   * messages: avoid unnecessary opening of messages
   * imap: fix seqset iterator when it ends in a comma
   * build: refuse to build without pcre2 when pcre2 is linked in ncurses

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10020=1

Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):

      neomutt-20220429-bp154.2.3.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      neomutt-doc-20220429-bp154.2.3.1
      neomutt-lang-20220429-bp154.2.3.1

References:

   https://www.suse.com/security/cve/CVE-2021-32055.html
   https://www.suse.com/security/cve/CVE-2022-1328.html
   https://bugzilla.suse.com/1184787
   https://bugzilla.suse.com/1185705