List: oss-security
Subject: [oss-security] mutt 2.2.3 released - fixes CVE-2022-1328
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2022-04-14 23:21:52
Message-ID: 3b4692b8-1f75-259a-0608-8511e076a461 () oracle ! com
https://marc.info/?l=mutt-users&m=164979464612885&w=2 says:
> From: "Kevin J. McCarthy" <kevin () 8t8 ! us>
> Date: Tue, 12 Apr 2022 20:16:44 +0000
> To: mutt-users
> Subject: mutt 2.2.3 released
>
> Hello Mutt Users,
>
> I've just released version 2.2.3. Instructions for downloading are
> available at <http://www.mutt.org/download.html>, or the tarball can be
> directly downloaded from <http://ftp.mutt.org/pub/mutt/>. Please take
> the time to verify the signature file against my public key[1].
>
> This is a bug-fix release, addressing CVE-2022-1328: a buffer overread
> in the uuencoded decoder routine. For more details please see GitLab
> ticket 404: <https://gitlab.com/muttmua/mutt/-/issues/404>. The commit
> fixing this issue is at
> <https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5>
>
> Also fixed was a possible integer overflow issue in the general iconv
> and rfc2047-conversion iconv functions. These are not believed to be
> exploitable.
>
> A huge thank you to Tavis Ormandy for reporting these issues, suggesting
> a patch for the iconv issue, helping test, and providing constructive
> feedback. Hurray for the white-hats!
>
> -Kevin
>
> [1]
> My public key is available at:
> - my personal website: https://www.8t8.us/configs/80316BDA.asc.pubkey
> - the mutt website: http://www.mutt.org/keys/kevin.key
> - The keys.openpgp.org network
> https://keys.openpgp.org/vks/v1/by-fingerprint/8975A9B33AA37910385C5308ADEF768480316BDA
--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris