Bugzilla – Bug 1101573
VUL-0: CVE-2018-14357: mutt,neomutt: They allow remote IMAP servers to execute arbitrary commands via backquote characters
Last modified: 2019-05-09 10:10:17 UTC
CVE-2018-14357 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14357 https://github.com/neomutt/neomutt/commit/e52393740334443ae0206cab2d7caef381646725
This is an autogenerated message for OBS integration: This bug (1101573) was mentioned in https://build.opensuse.org/request/show/623577 Factory / mutt
All supported codestreams seem to be affected by this: - SUSE:SLE-10-SP3:Update - SUSE:SLE-11:Update - SUSE:SLE-12:Update - SUSE:SLE-15:Update Submissions are still missing for: - SUSE:SLE-10-SP3:Update - SUSE:SLE-11:Update
Created attachment 777753 [details] quote-18515281.patch for SLES-11
Created attachment 777756 [details] quote-e0131852.patch for SLES-11
(In reply to Karol Babioch from comment #7) > Submissions are still missing for: > > - SUSE:SLE-10-SP3:Update There is no function cmd_parse_lsub() in imap/command.c nor there is the part in function imap_subscribe() in imap/imap.c which was affected in SLES-11 and up.
(In reply to Dr. Werner Fink from comment #15) > (In reply to Karol Babioch from comment #7) > > > Submissions are still missing for: > > > > - SUSE:SLE-10-SP3:Update > > There is no function cmd_parse_lsub() in imap/command.c nor there is the > part in function imap_subscribe() in imap/imap.c which was affected in > SLES-11 and up. The patch is still needed as basis for next patch modifying imap_quote_string()
openSUSE-SU-2018:2212-1: An update that solves 16 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589 CVE References: CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363 Sources used: openSUSE Leap 15.0 (src): mutt-1.10.1-lp150.2.3.1
SUSE-SU-2018:2403-1: An update that solves 11 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1101567,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101588,1101589,936807 CVE References: CVE-2018-14349,CVE-2018-14350,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14362 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): mutt-1.5.17-42.43.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): mutt-1.5.17-42.43.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): mutt-1.5.17-42.43.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): mutt-1.5.17-42.43.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): mutt-1.5.17-42.43.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2018-09-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64138
This is an autogenerated message for OBS integration: This bug (1101573) was mentioned in https://build.opensuse.org/request/show/663361 42.3 / mutt
openSUSE-SU-2019:0052-1: An update that solves 16 vulnerabilities and has 6 fixes is now available. Category: security (important) Bug References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,1120935,980830,982129,986534 CVE References: CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363 Sources used: openSUSE Leap 42.3 (src): mutt-1.10.1-2.5.1
released
SUSE-SU-2019:1196-1: An update that solves 16 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,980830,982129,986534 CVE References: CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363 Sources used: SUSE Linux Enterprise Server 12-SP3 (src): mutt-1.10.1-55.6.1 SUSE Linux Enterprise Desktop 12-SP3 (src): mutt-1.10.1-55.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.