Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[20.03] mutt: apply patch for CVE-2020-28896 #104583

Merged
merged 1 commit into from
Nov 22, 2020
Merged

[20.03] mutt: apply patch for CVE-2020-28896 #104583

merged 1 commit into from
Nov 22, 2020

Conversation

stigtsp
Copy link
Member

@stigtsp stigtsp commented Nov 22, 2020
edited
Loading

Motivation for this change

mutt has improper handling of broken IMAP connections, this could result
in authentication credentials being sent over an unencrypted connection,
without $ssl_force_tls being consulted.

https://security.archlinux.org/CVE-2020-28896
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Tested using a basic imaps connection OK

Result of nixpkgs-review pr 104583 1

2 packages built:
  • grepm
  • mutt (mutt-with-sidebar)

@stigtsp
mutt: apply patch for CVE-2020-28896
4586b2f 
mutt has improper handling of broken IMAP connections, this could result
in authentication credentials being sent over an unencrypted connection,
without $ssl_force_tls being consulted.

https://security.archlinux.org/CVE-2020-28896
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
@mweinelt
Copy link
Member

Please cherry-pick this change according to https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md from release-20.09.

@stigtsp
Copy link
Member Author

stigtsp commented Nov 22, 2020
edited
Loading

Please cherry-pick this change according to https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md from release-20.09.

The commit in 23db21e (from #104584) was cherry picked from the commit in this PR 4586b2f. Wouldn't that break the reference in 23db21e? I'm not quite sure how to proceed :)

@mweinelt
Copy link
Member

mweinelt commented Nov 22, 2020
edited
Loading

I apparently missed this, but 4586b2f is not pointing to any commit in nixpkgs, so the reference isn't very helpful.

If 23db21e was originally only commited to release-20.09, then the backport to release-20.03 IMO should originate from there.

@stigtsp
Copy link
Member Author

stigtsp commented Nov 22, 2020

I apparently missed this, but 4586b2f is not pointing to any commit in nixpkgs, so the reference isn't very helpful.
If 23db21e was originally only commited to release-20.09, then it the backport to release-20.03 IMO should originate from there.

If this PR (which contains 4586b2f) is merged into nixpkgs, then the reference from 23db21e to 4586b2f would resolve?

I agree that it would probably be best to port from 20.09 to 20.03, and not from 20.03 to 20.09. Sorry about that.

@mweinelt
Copy link
Member

Oh boy, yes. Now I see. Nothing that can be done about that now.

@mweinelt mweinelt merged commit 5a9e4f0 into NixOS:release-20.03 Nov 22, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rnhmjoj rnhmjoj Awaiting requested review from rnhmjoj

@Ma27 Ma27 Awaiting requested review from Ma27

@mweinelt mweinelt Awaiting requested review from mweinelt

Assignees
No one assigned
Labels
1.severity: security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stigtsp @mweinelt