Mageia 2018-0447: mutt security update
Summary
It was discovered that Mutt incorrectly handled certain requests. An
attacker could possibly use this to execute arbitrary code (CVE-2018-14350,
CVE-2018-14352, CVE-2018-14354, CVE-2018-14359, CVE-2018-14358,
CVE-2018-14353 ,CVE-2018-14357).
It was discovered that Mutt incorrectly handled certain inputs. An attacker
could possibly use this to access or expose sensitive information
(CVE-2018-14355, CVE-2018-14356, CVE-2018-14351, CVE-2018-14362,
CVE-2018-14349).
nntp_add_group in newsrc.c has a stack-based buffer overflow because of
incorrect sscanf usage (CVE-2018-14360).
nntp.c proceeds even if memory allocation fails for messages data
(CVE-2018-14361).
newsrc.c does not properlyrestrict '/' characters that may have unsafe
interaction with cache pathnames (CVE-2018-14363).
References
- https://bugs.mageia.org/show_bug.cgi?id=23345
- https://ubuntu.com/security/notices/USN-3719-1
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14349
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14350
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14351
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14352
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14353
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14354
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14355
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14356
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14357
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14358
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14359
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14360
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14361
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14362
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14363
Resolution
MGASA-2018-0447 - Updated mutt packages fix security vulnerability
SRPMS
- 6/core/mutt-1.10.1-1.1.mga6
