
[20.03] mutt: apply patch for CVE-2020-28896 #104583

Conversation

@stigtsp (Member) commented Nov 22, 2020

Motivation for this change

mutt has improper handling of broken IMAP connections; this could result
in authentication credentials being sent over an unencrypted connection
without $ssl_force_tls being consulted.

https://security.archlinux.org/CVE-2020-28896
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Tested using a basic imaps connection OK

Result of nixpkgs-review pr 104583

2 packages built:
  • grepm
  • mutt (mutt-with-sidebar)
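The failure mode the PR description points at, as an added example that is neither mutt's code nor part of this thread: a constructed Python model in which the ssl_force_tls policy is enforced on the first connect but, in the unfixed variant, not on the path that rebuilds a broken IMAP connection. The class and function names are assumptions, and the credentials are constructed sample values.

```python
"""Constructed model of the bug class behind CVE-2020-28896 (not mutt's code):
the ssl_force_tls check runs on the initial connect but not on the path that
rebuilds the connection after an IMAP session breaks."""


class PolicyViolation(Exception):
    """Credentials would be written to a plaintext connection."""


class ImapSession:
    def __init__(self, ssl_force_tls: bool, recheck_on_reconnect: bool):
        self.ssl_force_tls = ssl_force_tls
        self.recheck_on_reconnect = recheck_on_reconnect  # True = hardened
        self.tls = False      # is the current connection TLS-protected?
        self.wire = []        # (tls, line) pairs written to the server

    def _enforce_tls_policy(self) -> None:
        if self.ssl_force_tls and not self.tls:
            raise PolicyViolation("ssl_force_tls set but connection is plaintext")

    def connect(self, tls: bool) -> None:
        self.tls = tls
        self._enforce_tls_policy()  # policy consulted on the initial connect

    def reconnect_after_break(self, tls: bool) -> None:
        # Broken-connection path: the connection is rebuilt from scratch.
        # Only the hardened variant consults ssl_force_tls again here.
        self.tls = tls
        if self.recheck_on_reconnect:
            self._enforce_tls_policy()

    def login(self, user: str, password: str) -> bool:
        """Write the LOGIN command; return whether it went out over TLS."""
        self.wire.append((self.tls, f"a1 LOGIN {user} {password}"))
        return self.tls


def login_after_broken_session(recheck_on_reconnect: bool):
    """A TLS session breaks and the retry lands on a plaintext connection.
    Returns True/False for the connection the LOGIN used, None if refused."""
    s = ImapSession(ssl_force_tls=True, recheck_on_reconnect=recheck_on_reconnect)
    s.connect(tls=True)
    try:
        s.reconnect_after_break(tls=False)
        return s.login("alice", "hunter2")  # constructed sample credentials
    except PolicyViolation:
        return None
```

In the unfixed variant the LOGIN line is recorded on a plaintext connection even though ssl_force_tls is set; the hardened variant refuses before any credential is written.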
@stigtsp stigtsp requested review from rnhmjoj, Ma27 and mweinelt Nov 22, 2020
@mweinelt (Member) commented Nov 22, 2020

Please cherry-pick this change according to https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md from release-20.09.

@stigtsp (Member, Author) commented Nov 22, 2020

Please cherry-pick this change according to https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md from release-20.09.

The commit in 23db21e (from #104584) was cherry-picked from the commit in this PR 4586b2f. Wouldn't that break the reference in 23db21e? I'm not quite sure how to proceed :)

@mweinelt (Member) commented Nov 22, 2020

I apparently missed this, but 4586b2f is not pointing to any commit in nixpkgs, so the reference isn't very helpful.

If 23db21e was originally only committed to release-20.09, then the backport to release-20.03 IMO should originate from there.

@stigtsp (Member, Author) commented Nov 22, 2020

I apparently missed this, but 4586b2f is not pointing to any commit in nixpkgs, so the reference isn't very helpful.
If 23db21e was originally only committed to release-20.09, then the backport to release-20.03 IMO should originate from there.

If this PR (which contains 4586b2f) is merged into nixpkgs, then the reference from 23db21e to 4586b2f would resolve?

I agree that it would probably be best to port from 20.09 to 20.03, and not from 20.03 to 20.09. Sorry about that.

@mweinelt (Member) commented Nov 22, 2020

Oh boy, yes. Now I see. Nothing that can be done about that now.

@mweinelt mweinelt merged commit 5a9e4f0 into NixOS:release-20.03 Nov 22, 2020
2 of 4 checks passed
  • grahamcofborg-eval: Complete, with errors
  • grahamcofborg-eval-lib-tests: nix-build --arg pkgs import ./. {} ./lib/tests/release.nix
  • grahamcofborg-eval-package-list: nix-env -qa --json --file .
  • grahamcofborg-eval-package-list-no-aliases: nix-env -qa --json --file . --arg config { allowAliases = false; }