NeoMutt Vulnerabilities

[flatcap]

This is a private discussion sent to the "Downstream Packagers" Team.

Over the last couple of weeks, @jeriko-one has been hammering NeoMutt.
So far, he's found 13 vulnerabilities, ranging from stack overflows when reading the config file, to remote execution flaws.

NeoMutt was taking server strings, then running, e.g.

mailboxes RAW-SERVER-STRING

By inserting a pair of `` into those strings, the attacker could run arbitrary commands on the client.

Besides finding the bugs, @jeriko-one also created python scripts, mimicking imap, pop and nntp servers and created patches for most of the problems. Thank you @jeriko-one!

NOTE: These bugs date back to 2005, so almost every version of Mutt and NeoMutt in play is affected.

I'm planning a new release on Friday 13th.

All the patches are fairly small and self-contained, but if anyone needs a hand patching their package, please let me know.

These commits have already been merged:

• 6296f7153 Set length modifiers for group and desc
• 9e927affe Add alloc fail check in nntp_fetch_headers
• 9bfab3552 sanitise cache paths
• e52393740 quote imap strings more carefully
• 95e80bf9f Quote path in imap_subscribe

These will be merged on Friday, before release:

• Truncate pct-encoded strings
• Ensure UID in fetch_uidl
• imap_quote_string make room for quotes
• Check for int underflow in imap_quote_string
• Ensure litlen isn't larger than our mailbox
• Handle NO response without message properly
• Don't overflow stack buffer in msg_parse_fetch
• Selectively cache headers

This is my first time dealing with vulnerabilities, so any advice on how to do it better next time would be appreciated :-)

[l2dy]

Did you or the reporter contact upstream (Mutt)? Will/Have the reporter request(ed) CVEs?

[flatcap]

He's been talking to Kevin too and CVEs are being organised.
(He came to us first :-)

[lbschenkel]

Would you say it is imperative that the patches be incorporated and released downstream now or should we wait for the release on Friday?

[flatcap]

It's been over a decade, I think we can we wait 'til Friday.

The bugs rely on compromising a server that the user connects to.
As such, they're tricky to exploit.

The patches are available here: https://flatcap.org/mutt/cve.mbox

I imagine we're meant to do a coordinated release across all versions and all distros.
Somehow.

[l2dy]

I'm in favor of coordinated release (with Mutt) and thorough testing of the private patches (they are merged in a hurry :-).

The bugs rely on compromising a server that the user connects to.

If the connection is not secure (without TLS), MITM attacks can also exploit this.

[flatcap]

If the connection is not secure (without TLS), MITM attacks can also exploit this.

Good point.

I'm in favor of coordinated release (with Mutt)

We'll see if I hear from Kevin.
He's pushed one fix already, so the cat's out of the bag: neomutt/upstream-mutt@185152818

I'd already pushed some of the earlier fixes before thinking through the consequences.

thorough testing of the private patches

Yes please, comments welcome.
Here's a clearer explanation of the commits:

• [PATCH 01/13] Set length modifiers for group and desc
  Limit scan reading message numbers from NNTP

• [PATCH 02/13] Add alloc fail check in nntp_fetch_headers
  Check for empty message ranges

• [PATCH 03/13] sanitise cache paths
  Prevent mailboxes from writing outside of the header cache dir
  e.g. mailbox: "../../../../../tmp/file"

• [PATCH 04/13] quote imap strings more carefully
  Prevent `` expansion when adding subscribed imap folders

• [PATCH 05/13] Quote path in imap_subscribe
  Prevent `` expansion when (un)subscribing imap folders

• [PATCH 06/13] Selectively cache headers
  If an imap folder contains "../" then assume it's naughty and don't cache it

• [PATCH 07/13] Don't overflow stack buffer in msg_parse_fetch
  Buffer length wasn't honoured when parsing imap INTERNALDATE and RFC822.SIZE

• [PATCH 08/13] Handle NO response without message properly
  Off-by-one printing error message

• [PATCH 09/13] Ensure litlen isn't larger than our mailbox
  Buffer length wasn't honoured when parsing imap STATUS

• [PATCH 10/13] Check for int underflow in imap_quote_string
  A string ending in a character that needed quoting would overflow a buffer

• [PATCH 11/13] imap_quote_string make room for quotes
  A string ending in a character that needed quoting would overflow a buffer

• [PATCH 12/13] Ensure UID in fetch_uidl
  Getting and empty string when expecting a POP UID creates an NULL pointer

• [PATCH 13/13] Truncate pct-encoded strings
  Buffer length wasn't honoured when %-encoding strings

[Vaelatern]

If it's patched, say, Friday Morning EST, the voidlinux packages for all mutt variants can be updated at once, about 5 minutes.

[lbschenkel]

Unless any other changes were introduced that require modification on how the package is built, I should be able to update the MacPorts package in 30 minutes or less (once the release is ready). However, keep in mind that it may take a few hours for the updated port and the corresponding binaries to be visible to end users after I push the changes to the MacPorts repository.

[l2dy]

@lbschenkel There is a modification needed, see neomutt/neomutt@b945055. We need to reinplace from /usr/libexec/ now.

[lbschenkel]

All right, thanks for the heads up. I'll prepare a branch with the necessary tweaks to build the current master hash, then it should be just a matter of updating the hash when the release is ready.

[l2dy]

How is the progress? Are we waiting for Mutt?

[flatcap]

Sorry for the silence.
Kevin contacted me and he's going to make a release tomorrow (Mon 16th).
I'll do the same.

[flatcap]

NeoMutt 2018-07-16 is go!

[Vaelatern]

Updated in Void.

[jelly]

Updated in Arch Linux. Thanks a lot for the headsup! Is there a link to the assigned CVE's so we can make a proper security announcement?

[flatcap]

Is there a link to the assigned CVE

I haven't heard. I'm not in those circles.
I'll ask.

[lbschenkel]

Just noticed your message a few minutes ago. Updated in MacPorts: macports/macports-ports@597ed83

[l2dy]

Please mention that this is a security release in the release notes, and preferably also mention the related CVEs.

P.S. Translations were not merged?

[flatcap]

Please mention that this is a security release

Done. Don't know if there's a CVE, yet.
I guess they can't be publicised until they're sure the fix is live.

Translations were not merged?

Yes, they were merged.

This release's notes were very stripped down, to focus the bug-fixes.

Sorry for missing you and Marius from the credits -- FIXED.
There are so many manual steps in the release process and the translations come last.

[l2dy]

Done.

I was referring to [news on the website]https://github.com/neomutt/neomutt.github.io/blob/master/_posts/2018-07-16-release.md (and inherently to the GitHub release).

I guess they can't be publicised until they're sure the fix is live.

CVE disclosure doesn't require a fix. I'm aware of some CVEs disclosed on https://nmap.org/mailman/listinfo/fulldisclosure that never got a fix.

Yes, they were merged.

Right, I checked the translate branch and the release notes but forgot to check the master branch. Stupid me.

[flatcap]

News updated too.

[flatcap]

The following CVEs have been allocated:

• CVE-2018-14349 - NO Response Heap Overflow
• CVE-2018-14350 - INTERNALDATE Stack Overflow
• CVE-2018-14351 - STATUS Literal Length relative write
• CVE-2018-14352 - imap_quote_string off-by-one stack overflow
• CVE-2018-14353 - imap_quote_string int underflow
• CVE-2018-14354 - imap_subscribe Remote Code Execution
• CVE-2018-14355 - STATUS mailbox header cache directory traversal
• CVE-2018-14356 - POP empty UID NULL deref
• CVE-2018-14357 - LSUB Remote Code Execution
• CVE-2018-14358 - RFC822.SIZE Stack Overflow
• CVE-2018-14359 - base64 decode Stack Overflow
• CVE-2018-14360 - NNTP Group Stack Overflow
• CVE-2018-14361 - NNTP Write 1 where via GROUP response
• CVE-2018-14362 - POP Message Cache Directory Traversal
• CVE-2018-14363 - NNTP Header Cache Directory Traversal

[jelly]

Thanks!

[aradici]

Debian packages are up to date in unstable, they will appear in the archives tomorrow at the latest.

There is some work in progress to merge all the commits to stretch (mut-1.7.2, which was neomutt), I will update this thread once I have that done, it can take a couple of days. From there a DSA needs to be issued and the update will be pushed via security.debian.org