VYPR
Unrated severity · NVD Advisory · Published Jul 17, 2018 · Updated Aug 5, 2024

CVE-2018-14362

Description

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with message-cache pathnames, as demonstrated by a '/' character.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mutt and NeoMutt before the fixed versions fail to sanitize POP message IDs, allowing directory traversal in cache pathnames via a '/' character.

Vulnerability

An issue in pop.c of Mutt (before 1.10.1) and NeoMutt (before 2018-07-16) allows unsafe characters, such as '/', in POP message IDs to interact with message-cache pathnames. The message ID (UID) is used directly in constructing cache file paths without sanitization, enabling directory traversal. The commits [3][4] introduce a cache_id() function that sanitizes the filename using mutt_sanitize_filename() to prevent this.
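
The idea behind the fix, as an added example that is not Mutt's or NeoMutt's code: a server-supplied UID is mapped to a safe leaf name before it is joined to the cache directory. `sanitize_cache_id`, `cache_path`, `cache_path_unsafe`, `stays_in_dir`, the allow-list, the `/tmp/bcache` directory and the sample UIDs are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sanitiser (not mutt_sanitize_filename): copy a server-supplied
 * POP UID into dst, keeping an allow-list of characters and replacing every
 * other byte, '/' included, with '_'. Returns 0, or -1 if the id is empty or
 * would not fit (refused rather than truncated onto a shared name). */
static int sanitize_cache_id(const char *uid, char *dst, size_t dstlen)
{
  static const char safe[] =
      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.@";
  size_t n = strlen(uid);

  if (n == 0 || n >= dstlen)
    return -1;
  for (size_t i = 0; i < n; i++)
    dst[i] = strchr(safe, uid[i]) ? uid[i] : '_';
  dst[n] = '\0';
  if (dst[0] == '.') /* no ".", ".." or hidden files as the leaf name */
    dst[0] = '_';
  return 0;
}

/* The pre-fix pattern: the raw UID is joined to the cache directory. */
static int cache_path_unsafe(const char *dir, const char *uid, char *out, size_t outlen)
{
  int n = snprintf(out, outlen, "%s/%s", dir, uid);
  return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
}

/* The post-fix pattern: sanitise first, then join. */
static int cache_path(const char *dir, const char *uid, char *out, size_t outlen)
{
  char clean[128];
  if (sanitize_cache_id(uid, clean, sizeof(clean)) != 0)
    return -1;
  return cache_path_unsafe(dir, clean, out, outlen);
}

/* Independent check: path must be dir + "/" + one non-empty component. */
static int stays_in_dir(const char *dir, const char *path)
{
  size_t dlen = strlen(dir);
  if (strncmp(path, dir, dlen) != 0 || path[dlen] != '/')
    return 0;
  const char *leaf = path + dlen + 1;
  return *leaf != '\0' && strchr(leaf, '/') == NULL &&
         strcmp(leaf, ".") != 0 && strcmp(leaf, "..") != 0;
}

int main(void)
{
  /* Constructed sample UIDs, as a POP server might return them in UIDL */
  const char *uids[] = { "0001a3f9", "msg/42", "../x", ".." };
  char raw[256], safe[256];

  for (size_t i = 0; i < sizeof(uids) / sizeof(uids[0]); i++)
  {
    cache_path_unsafe("/tmp/bcache", uids[i], raw, sizeof(raw));
    cache_path("/tmp/bcache", uids[i], safe, sizeof(safe));
    printf("%-10s raw=%-22s contained=%d | clean=%-22s contained=%d\n", uids[i],
           raw, stays_in_dir("/tmp/bcache", raw), safe,
           stays_in_dir("/tmp/bcache", safe));
  }
  return 0;
}
```

Replacement is lossy: `msg/42` and `msg_42` end up with the same cache name, so a cache keyed this way must tolerate or detect collisions.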

Exploitation

An attacker can send a crafted email with a POP UID containing '/' or other path traversal characters. When the client fetches messages and caches them, the unsanitized UID is used in file operations, potentially writing files to arbitrary locations within the cache directory. The attacker must control the UID (e.g., via a malicious POP server or man-in-the-middle) and the victim must use POP3 with message caching enabled.

Impact

Successful exploitation allows an attacker to write files to arbitrary paths within the cache directory, potentially overwriting existing cache files or creating new ones. This could lead to information disclosure or denial of service. The commit notes "Protect against bcache directory path traversal for UID values." The impact is limited to the cache directory but could be leveraged for further attacks.

Mitigation

Fixed in Mutt 1.10.1 and NeoMutt 2018-07-16. Red Hat issued RHSA-2018:2526 [1] providing updated packages for RHEL 6 and 7. Users should upgrade to the patched versions. No workaround is documented; disabling POP message caching may reduce risk but is not a complete mitigation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

13

Patches

4
ed9d7727dc70

automatic post-release commit for mutt-1.10.1

https://github.com/muttmua/mutt · Kevin McCarthy · Jul 16, 2018 · via osv
3 files changed · +238 1
  • ChangeLog+230 0 modified
    @@ -1,3 +1,233 @@
    +2018-07-13 14:25:28 -0700  Kevin McCarthy  <kevin@8t8.us> (3d9028fe)
    +
    +        * Check outbuf length in mutt_from_base64()
    +        
    +        The obuf can be overflowed in auth_cram.c, and possibly auth_gss.c.
    +        
    +        Thanks to Jeriko One for the bug report.
    +
    +M	base64.c
    +M	imap/auth_cram.c
    +M	imap/auth_gss.c
    +M	protos.h
    +
    +2018-07-13 13:05:22 -0700  Kevin McCarthy  <kevin@8t8.us> (6962328c)
    +
    +        * Check destlen and truncate in url_pct_encode().
    +        
    +        Thanks to Jeriko One for the patch, which this commit is based upon.
    +
    +M	url.c
    +
    +2018-07-13 12:35:50 -0700  Kevin McCarthy  <kevin@8t8.us> (e57a8602)
    +
    +        * Verify IMAP status mailbox literal count size.
    +        
    +        Ensure the length isn't bigger than the idata->buf.
    +        
    +        Thanks to Jeriko One fo the bug report and patch, which this commit is
    +        based upon.
    +
    +M	imap/command.c
    +
    +2018-07-13 12:24:58 -0700  JerikoOne  <jeriko.one@gmx.us> (9347b5c0)
    +
    +        * Handle NO response without message properly
    +
    +M	imap/command.c
    +
    +2018-07-13 12:15:00 -0700  Kevin McCarthy  <kevin@8t8.us> (3287534d)
    +
    +        * Don't overflow tmp in msg_parse_fetch.
    +        
    +        Ensure INTERNALDATE and RFC822.SIZE field sizes fit temp buffer.
    +        
    +        Thanks to Jeriko One for the bug report and patch, which this patch is
    +        based upon.
    +
    +M	imap/message.c
    +
    +2018-07-13 11:33:16 -0700  Richard Russon  <rich@flatcap.org> (31eef6c7)
    +
    +        * Selectively cache headers.
    +        
    +        Thanks to NeoMutt and Jeriko One for the patch, which was slightly
    +        modified to apply to the Mutt code.
    +
    +M	imap/util.c
    +
    +2018-07-13 11:16:33 -0700  Kevin McCarthy  <kevin@8t8.us> (6aed28b4)
    +
    +        * Sanitize POP bcache paths.
    +        
    +        Protect against bcache directory path traversal for UID values.
    +        
    +        Thanks for Jeriko One for the bug report and patch, which this commit
    +        is based upon.
    +
    +M	pop.c
    +
    +2018-07-13 10:47:11 -0700  JerikoOne  <jeriko.one@gmx.us> (e154cba1)
    +
    +        * Ensure UID in fetch_uidl.
    +
    +M	pop.c
    +
    +2018-07-12 21:41:17 -0700  Kevin McCarthy  <kevin@8t8.us> (4d0cd265)
    +
    +        * Fix buffer size check in cmd_parse_lsub.
    +        
    +        The size parameter to url_ciss_tostring() was off by one.
    +
    +M	imap/command.c
    +
    +2018-07-12 20:46:37 -0700  Kevin McCarthy  <kevin@8t8.us> (e0131852)
    +
    +        * Fix imap_quote_string() length check errors.
    +        
    +        The function wasn't properly checking for dlen<2 before quoting, and
    +        wasn't properly pre-adjusting dlen to include the initial quote.
    +        
    +        Thanks to Jeriko One for reporting these issues.
    +
    +M	imap/util.c
    +
    +2018-07-07 19:32:57 -0700  Kevin McCarthy  <kevin@8t8.us> (4ff007ca)
    +
    +        * Mention $pgp_decode_command for $pgp_check_gpg_decrypt_status_fd
    +        
    +        It scans $pgp_decode_command for inline and application/pgp mime
    +        types.
    +
    +M	init.h
    +
    +2018-07-07 19:03:44 -0700  Kevin McCarthy  <kevin@8t8.us> (18515281)
    +
    +        * Properly quote IMAP mailbox names when (un)subscribing.
    +        
    +        When handling automatic subscription (via $imap_check_subscribed), or
    +        manual subscribe/unsubscribe commands, mutt generating a "mailboxes"
    +        command but failed to properly escape backquotes.
    +        
    +        Thanks to Jeriko One for the detailed bug report and patch, which this
    +        commit is based upon.
    +
    +M	imap/command.c
    +M	imap/imap.c
    +M	imap/imap_private.h
    +M	imap/util.c
    +
    +2018-06-18 11:21:38 +0200  Philipp Gesang  <philipp.gesang@intra2net.com> (df4affd1)
    +
    +        * crypt-gpgme: prevent crash on bad S/MIME signature
    +        
    +        Inform the user about the fingerprint being unavailable instead
    +        of crashing if the S/MIME signature is bad.
    +
    +M	crypt-gpgme.c
    +
    +2018-06-04 21:31:33 -0700  Kevin McCarthy  <kevin@8t8.us> (edb4ec84)
    +
    +        * Add GnuPG status fd checks for inline pgp.
    +        
    +        The difficulty is that "BEGIN PGP MESSAGE" could be a signed and
    +        armored part, so we can't fail hard if it isn't encrypted.
    +        
    +        Change pgp_check_decryption_okay() to return more status codes, with
    +        >=0 indicating an actual decryption; -2 and -1 indicating plaintext
    +        found; and -3 indicating an actual DECRYPTION_FAILED status code seen.
    +        
    +        Fail hard on -3, but change the message for -2 and -1 to indicate the
    +        message was not encrypted.
    +
    +M	pgp.c
    +
    +2018-06-04 15:40:57 -0700  Kevin McCarthy  <kevin@8t8.us> (8ec6d766)
    +
    +        * Add $pgp_check_gpg_decrypt_status_fd.
    +        
    +        If set (the default) mutt performs more thorough checking of the
    +        $pgp_decrypt_command status output for GnuPG result codes.
    +        
    +        Ticket #39 revealed that GnuPG (currently) does not protect against
    +        messages that have been manipulated to contain an empty encryption
    +        packet followed by a plaintext packet.
    +        
    +        A huge thanks to Marcus Brinkmann for researching this issue, taking
    +        the time to report it to us (and the GnuPG team), and taking even more
    +        time to clarify exactly what needed to be checked for.   
    +
    +M	contrib/gpg.rc
    +M	contrib/pgp2.rc
    +M	contrib/pgp5.rc
    +M	contrib/pgp6.rc
    +M	init.h
    +M	mutt.h
    +M	pgp.c
    +
    +2018-06-03 14:52:37 -0700  Kevin McCarthy  <kevin@8t8.us> (cb2329ae)
    +
    +        * Revert showing real size for small files in mutt_pretty_size().
    +        
    +        I thought the change made in 0fa64ba9 was small enough not to matter,
    +        but at least one long-time user took the time to track down the change
    +        and request it be reverted.
    +
    +M	muttlib.c
    +
    +2018-06-03 14:40:31 -0700  Kevin McCarthy  <kevin@8t8.us> (33290d12)
    +
    +        * Switch build scripts to use `` instead of $()
    +        
    +        This is for older systems running Bourne shell as /bin/sh.
    +
    +M	mkchangelog.sh
    +M	mkreldate.sh
    +M	version.sh
    +
    +2013-01-06 19:24:18 +0100  Oswald Buddenhagen  <ossi@kde.org> (ec96f5f5)
    +
    +        * fix inappropriate use of FREE() in ssl init error path
    +        
    +        OpenSSL structures need to be freed with dedicated functions.
    +
    +M	mutt_ssl.c
    +
    +2018-05-19 10:57:10 -0700  Kevin McCarthy  <kevin@8t8.us> (d55950a8)
    +
    +        * automatic post-release commit for mutt-1.10.0
    +
    +M	ChangeLog
    +M	VERSION
    +M	po/bg.po
    +M	po/ca.po
    +M	po/cs.po
    +M	po/da.po
    +M	po/de.po
    +M	po/el.po
    +M	po/eo.po
    +M	po/es.po
    +M	po/et.po
    +M	po/eu.po
    +M	po/fr.po
    +M	po/ga.po
    +M	po/gl.po
    +M	po/hu.po
    +M	po/id.po
    +M	po/it.po
    +M	po/ja.po
    +M	po/ko.po
    +M	po/lt.po
    +M	po/nl.po
    +M	po/pl.po
    +M	po/pt_BR.po
    +M	po/ru.po
    +M	po/sk.po
    +M	po/sv.po
    +M	po/tr.po
    +M	po/uk.po
    +M	po/zh_CN.po
    +M	po/zh_TW.po
     2018-05-17 12:24:31 -0700  Ivan Vilata i Balaguer  <ivan@selidor.net> (70c9c89b)
     
             * Updated Catalan translation.
    
  • UPDATING+7 0 modified
    @@ -8,6 +8,13 @@ http://www.mutt.org/doc/manual/
     The keys used are:
       !: modified feature, -: deleted feature, +: new feature
     
    +1.10.1 (2018-07-16):
    +
    +  ! Bug fix release.
    +  + $pgp_check_gpg_decrypt_status_fd, when set (the default), checks
    +    GnuPG status fd output more thoroughly for spooofed encrypted
    +    messages.  Please see contrib/gpg.rc for suggested values.
    +
     1.10.0 (2018-05-19):
     
       ! $reply_self is now respected for group-reply, even with $metoo unset.
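
Review bot: "spooofed" in the new 1.10.1 entry should read "spoofed", and the entry describes the release only as "Bug fix release." without saying that it carries security fixes. The ChangeLog for the same release lists "Sanitize POP bcache paths" and several IMAP buffer-length checks; one line pointing packagers at those would make the urgency of the upgrade clear from UPDATING alone.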
    
  • VERSION+1 1 modified
    @@ -1 +1 @@
    -1.10.0
    +1.10.1
    
6a147a62cf39

merge: NeoMutt 2018-07-16

https://github.com/neomutt/neomutt · Richard Russon · Jul 16, 2018 · via osv
41 files changed · +20281 20118
  • auto.def+1 1 modified
    @@ -14,7 +14,7 @@ use system cc cc-lib mutt-gettext mutt-iconv
     ###############################################################################
     # Names and versions
     define PACKAGE          "neomutt"
    -define PACKAGE_VERSION  "20180622"
    +define PACKAGE_VERSION  "20180716"
     define BUGS_ADDRESS     "neomutt-devel@neomutt.org"
     
     # Subdirectories that contain additional Makefile.autosetup files
    
  • ChangeLog.md+6 0 modified
    @@ -1,3 +1,9 @@
    +2018-07-16  Richard Russon  <rich@flatcap.org>
    +* Features
    +  - <check-stats> function
    +* Bug Fixes
    +  - Lots
    +
     2018-06-22  Richard Russon  <rich@flatcap.org>
     * Features
       - Expand variables inside backticks
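
Review bot: the "Bug Fixes" bullet in the new 2018-07-16 entry says only "Lots", which gives a reader no way to tell whether the release matters to them. List the individual fixes, at least the security-relevant ones, in the same itemised style the 2018-06-22 entry below uses for its features.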
    
  • doxygen/doxygen.conf+1 1 modified
    @@ -25,7 +25,7 @@ PROJECT_NAME           = "NeoMutt"
     # could be handy for archiving the generated documentation or if some version
     # control system is used.
     
    -PROJECT_NUMBER         = 2018-06-22
    +PROJECT_NUMBER         = 2018-07-16
     
     # Using the PROJECT_BRIEF tag one can provide an optional one line description
     # for a project that appears at the top of each page and should give viewer a
    
  • imap/auth_plain.c+2 1 modified
    @@ -77,7 +77,8 @@ enum ImapAuthRes imap_auth_plain(struct ImapData *idata, const char *method)
         }
         if (rc == IMAP_CMD_RESPOND)
         {
    -      mutt_str_strcat(buf + sizeof(auth_plain_cmd), sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
    +      mutt_str_strcat(buf + sizeof(auth_plain_cmd),
    +                      sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
           mutt_socket_send(idata->conn, buf + sizeof(auth_plain_cmd));
         }
       }
    
  • imap/imap.c+2 2 modified
    @@ -1730,8 +1730,8 @@ int imap_subscribe(char *path, bool subscribe)
         mutt_buffer_init(&err);
         err.data = errstr;
         err.dsize = sizeof(errstr);
    -	len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
    -	imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
    +    len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
    +    imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
         if (mutt_parse_rc_line(mbox, &token, &err))
           mutt_debug(1, "Error adding subscribed mailbox: %s\n", errstr);
         FREE(&token.data);
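
Review bot: in the two re-indented lines, `len` is the return value of snprintf() and is used unchecked both as an offset into `mbox` and in `sizeof(mbox) - len`. The formatted prefix is at most 12 characters, so this holds as long as `mbox` is larger than that, but a negative or truncated return would make the size argument wrap. A check that `len` is non-negative and less than `sizeof(mbox)` before the imap_quote_string() call would make the invariant explicit.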
    
  • .mailmap+4 1 modified
    @@ -61,6 +61,7 @@ Jakub Jindra <jakub.jindra@socialbakers.com>                    Jakub Jindra <j
     Jakub Wilk <jwilk@jwilk.net>                                    Jakub Wilk <jwilk@jwilk.net>                             # @jwilk
     Jelle van der Waa <jelle@vdwaa.nl>                              Jelle van der Waa <jelle@vdwaa.nl>                       # @jelly
     Jenya Sovetkin <e.sovetkin@gmail.com>                           Jenya Sovetkin <e.sovetkin@gmail.com>                    # @esovetkin
    +JerikoOne <jeriko.one@gmx.us>                                   JerikoOne <jeriko.one@gmx.us>                            # @jeriko-one
     Joey Pabalinas <joeypabalinas@gmail.com>                        Joey Pabalinas <joeypabalinas@gmail.com>                 # @alyptik
     Johannes Weißl <jargon@molb.org>                               Johannes Weißl <jargon@molb.org>                        # @weisslj
     Jonathan Perkin <jperkin@netbsd.org>                            Jonathan Perkin <jperkin@netbsd.org>                     # @jperkin
    @@ -80,6 +81,7 @@ Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner <m
     Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner <mrajner@lenovo>                           # @mrajner
     Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner lenovo <mrajner@gik.pw.edu.pl>             # @mrajner
     Marco Hinz <mh.codebro@gmail.com>                               Marco Hinz <mh.codebro@gmail.com>                        # @mhinz
    +Marco Sirabella <marco@sirabella.org>                           Marco Sirabella <marco@sirabella.org>                    # @mjsir911
     Marius Gedminas <marius@gedmin.as>                              Marius Gedminas <marius@gedmin.as>                       # @mgedmin
     Mehdi Abaakouk <sileht@sileht.net>                              Mehdi ABAAKOUK <sileht@sileht.net>                       # @sileht
     Mehdi Abaakouk <sileht@sileht.net>                              Mehdi Abaakouk <sileht@sileht.net>                       # @sileht
    @@ -156,7 +158,8 @@ Andreas Jobs <unknown>                                          Andreas Jobs <un
     Andrew Gaul <andrew@gaul.org>                                   Andrew Gaul <andrew@gaul.org>
     Andrew Nosenko <awn@bcs.zp.ua>                                  Andrew W. Nosenko <awn@bcs.zp.ua>
     Antoine Reilles <tonio@netbsd.org>                              Antoine Reilles <tonio@netbsd.org>
    -Anton Lindqvist <anton.lindqvist@gmail.com>                     Anton Lindqvist <anton.lindqvist@gmail.com>
    +Anton Lindqvist <anton@basename.se>                             Anton Lindqvist <anton.lindqvist@gmail.com>
    +Anton Lindqvist <anton@basename.se>                             Anton Lindqvist <anton@basename.se>
     Armin Wolfermann <aw@osn.de>                                    Armin Wolfermann <aw@osn.de>
     Aron Griffis <agriffis@n01se.net>                               Aron Griffis <agriffis@n01se.net>
     Athanasios Douitsis <aduitsis@gmail.com>                        Athanasios Douitsis <aduitsis@gmail.com>
    
  • newsrc.c+2 1 modified
    @@ -601,7 +601,8 @@ int nntp_add_group(char *line, void *data)
         return 0;
     
       /* These sscanf limits must match the sizes of the group and desc arrays */
    -  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, &first, &mod, desc) < 4)
    +  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last,
    +             &first, &mod, desc) < 4)
       {
         mutt_debug(4, "Cannot parse server line: %s\n", line);
         return 0;
    
  • nntp.c+1 1 modified
    @@ -1289,7 +1289,7 @@ static int nntp_fetch_headers(struct Context *ctx, void *hc, anum_t first,
       fc.restore = restore;
       fc.messages = mutt_mem_calloc(last - first + 1, sizeof(unsigned char));
       if (fc.messages == NULL)
    -	  return -1;
    +    return -1;
     #ifdef USE_HCACHE
       fc.hc = hc;
     #endif
    
  • pattern.c+8 8 modified
    @@ -1885,13 +1885,13 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags,
         case MUTT_SENDER:
           if (!h->env)
             return 0;
    -      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1,
    -                                        h->env->sender));
    +      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
    +                                        1, h->env->sender));
         case MUTT_FROM:
           if (!h->env)
             return 0;
    -      return (pat->not ^
    -              match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1, h->env->from));
    +      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
    +                                        1, h->env->from));
         case MUTT_TO:
           if (!h->env)
             return 0;
    @@ -1924,14 +1924,14 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags,
         case MUTT_ADDRESS:
           if (!h->env)
             return 0;
    -      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 4,
    -                                        h->env->from, h->env->sender,
    +      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
    +                                        4, h->env->from, h->env->sender,
                                             h->env->to, h->env->cc));
         case MUTT_RECIPIENT:
           if (!h->env)
             return 0;
    -      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 2,
    -                                        h->env->to, h->env->cc));
    +      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
    +                                        2, h->env->to, h->env->cc));
         case MUTT_LIST: /* known list, subscribed or not */
           if (!h->env)
             return 0;
    
  • po/bg.po+675 670 modified
  • po/ca.po+675 670 modified
  • po/cs.po+675 670 modified
  • po/da.po+675 670 modified
  • po/de.po+675 670 modified
  • po/el.po+675 670 modified
  • po/en_GB.po+674 670 modified
  • po/eo.po+675 670 modified
  • po/es.po+675 670 modified
  • po/et.po+675 670 modified
  • po/eu.po+675 670 modified
  • po/fr.po+675 670 modified
  • po/ga.po+675 670 modified
  • po/gl.po+675 670 modified
  • po/hu.po+675 670 modified
  • po/id.po+675 670 modified
  • po/it.po+675 670 modified
  • po/ja.po+675 670 modified
  • po/ko.po+675 670 modified
  • po/lt.po+675 670 modified
  • po/nl.po+675 670 modified
  • po/pl.po+675 670 modified
  • po/pt_BR.po+675 670 modified
  • po/ru.po+675 670 modified
  • po/sk.po+675 670 modified
  • po/sv.po+675 670 modified
  • po/tr.po+675 670 modified
  • po/uk.po+675 670 modified
  • po/zh_CN.po+675 670 modified
  • po/zh_TW.po+675 670 modified
  • README.md+3 1 modified
    @@ -2,7 +2,7 @@
     
     [![Stars](https://img.shields.io/github/stars/neomutt/neomutt.svg?style=social&label=Stars)](https://github.com/neomutt/neomutt "Give us a Star")
     [![Twitter](https://img.shields.io/twitter/follow/NeoMutt_Org.svg?style=social&label=Follow)](https://twitter.com/NeoMutt_Org "Follow us on Twitter")
    -[![Contributors](https://img.shields.io/badge/Contributors-127-orange.svg)](#contributors "All of NeoMutt's Contributors")
    +[![Contributors](https://img.shields.io/badge/Contributors-132-orange.svg)](#contributors "All of NeoMutt's Contributors")
     [![Release](https://img.shields.io/github/release/neomutt/neomutt.svg)](https://github.com/neomutt/neomutt/releases/latest "Latest Release Notes")
     [![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://github.com/neomutt/neomutt/blob/master/COPYRIGHT.md "Copyright Statement")
     [![Code build](https://img.shields.io/travis/neomutt/neomutt.svg?label=code)](https://travis-ci.org/neomutt/neomutt "Latest Automatic Code Build")
    @@ -137,6 +137,7 @@ Here's a list of everyone who's helped NeoMutt:
     [Jasper Adriaanse](https://github.com/jasperla "jasperla"),
     [Jelle van der Waa](https://github.com/jelly "jelly"),
     [Jenya Sovetkin](https://github.com/esovetkin "esovetkin"),
    +[JerikoOne](https://github.com/jeriko-one "jeriko-one"),
     [Joey Pabalinas](https://github.com/alyptik "alyptik"),
     [Johannes Frankenau](https://github.com/tsuflux "tsuflux"),
     [Johannes Weißl](https://github.com/weisslj "weisslj"),
    @@ -156,6 +157,7 @@ Here's a list of everyone who's helped NeoMutt:
     [Manos Pitsidianakis](https://github.com/epilys "epilys"),
     [Marcin Rajner](https://github.com/mrajner "mrajner"),
     [Marco Hinz](https://github.com/mhinz "mhinz"),
    +[Marco Sirabella](https://github.com/mjsir911 "mjsir911"),
     [Marius Gedminas](https://github.com/mgedmin "mgedmin"),
     [Mateusz Piotrowski](https://github.com/0mp "0mp"),
     [Matteo Vescovi](https://github.com/mfvescovi "mfvescovi"),
    
  • send.c+2 1 modified
    @@ -1076,7 +1076,8 @@ struct Address *mutt_default_from(void)
     
       if (From)
         addr = mutt_addr_copy(From);
    -  else {
    +  else
    +  {
         addr = mutt_addr_new();
         if (UseDomain)
         {
    
9bfab3552230

sanitise cache paths

https://github.com/neomutt/neomutt · Richard Russon · Jul 5, 2018 · via osv
2 files changed · +35 7
  • newsrc.c+12 1 modified
    @@ -715,7 +715,18 @@ int nntp_active_save_cache(struct NntpServer *nserv)
      */
     static int nntp_hcache_namer(const char *path, char *dest, size_t destlen)
     {
    -  return snprintf(dest, destlen, "%s.hcache", path);
    +  int count = snprintf(dest, destlen, "%s.hcache", path);
    +
    +  /* Strip out any directories in the path */
    +  char *first = strchr(dest, '/');
    +  char *last = strrchr(dest, '/');
    +  if (first && last && (last > first))
    +  {
    +    memmove(first, last, strlen(last) + 1);
    +    count -= (last - first);
    +  }
    +
    +  return count;
     }
     
     /**
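
Review bot: the block under "Strip out any directories in the path" only runs when `last > first`, so a name containing exactly one '/' is returned unchanged, and when it does run, `memmove(first, last, ...)` copies from the final '/' and therefore leaves one '/' in `dest`. If one directory level is meant to survive, the comment should say so; if not, copy from `last + 1` and handle the `first == last` case. Separately, `count` is snprintf()'s untruncated length, so after a truncation `count -= (last - first)` no longer describes what is in `dest`; compare `count` against `destlen` before the strchr() calls.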
    
  • pop.c+23 6 modified
    @@ -63,6 +63,23 @@
     #define HC_FEXT "hcache"   /* extension for hcache as POP lacks paths */
     #endif
     
    +/**
    + * cache_id - Make a message-cache-compatible id
    + * @param id POP message id
    + * @retval ptr Sanitised string
    + *
    + * The POP message id may contain '/' and other awkward characters.
    + *
    + * @note This function returns a pointer to a static buffer.
    + */
    +static const char *cache_id(const char *id)
    +{
    +  static char clean[SHORT_STRING];
    +  mutt_str_strfcpy(clean, id, sizeof(clean));
    +  mutt_file_sanitize_filename(clean, true);
    +  return clean;
    +}
    +
     /**
      * fetch_message - write line to file
      * @param line String to write
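
Review bot: cache_id() returns a pointer into the single static `clean` buffer, so each result is valid only until the next call. The @note mentions the static buffer, but it should also state that callers must not hold two results at once, since every call site in this patch relies on passing the value straight into a mutt_bcache_*() call. Also, mutt_str_strfcpy() truncates to SHORT_STRING and the sanitiser rewrites characters, so two different UIDs can map to the same cache name; consider rejecting over-long ids or appending a short hash of the original id to keep entries distinct.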
    @@ -242,7 +259,7 @@ static int msg_cache_check(const char *id, struct BodyCache *bcache, void *data)
       /* message not found in context -> remove it from cache
        * return the result of bcache, so we stop upon its first error
        */
    -  return mutt_bcache_del(bcache, id);
    +  return mutt_bcache_del(bcache, cache_id(id));
     }
     
     #ifdef USE_HCACHE
    @@ -407,7 +424,7 @@ static int pop_fetch_headers(struct Context *ctx)
            *        - if we don't have a body: new
            */
           const bool bcached =
    -          (mutt_bcache_exists(pop_data->bcache, ctx->hdrs[i]->data) == 0);
    +          (mutt_bcache_exists(pop_data->bcache, cache_id(ctx->hdrs[i]->data)) == 0);
           ctx->hdrs[i]->old = false;
           ctx->hdrs[i]->read = false;
           if (hcached)
    @@ -597,7 +614,7 @@ static int pop_fetch_message(struct Context *ctx, struct Message *msg, int msgno
       unsigned short bcache = 1;
     
       /* see if we already have the message in body cache */
    -  msg->fp = mutt_bcache_get(pop_data->bcache, h->data);
    +  msg->fp = mutt_bcache_get(pop_data->bcache, cache_id(h->data));
       if (msg->fp)
         return 0;
     
    @@ -644,7 +661,7 @@ static int pop_fetch_message(struct Context *ctx, struct Message *msg, int msgno
                            NetInc, h->content->length + h->content->offset - 1);
     
         /* see if we can put in body cache; use our cache as fallback */
    -    msg->fp = mutt_bcache_put(pop_data->bcache, h->data);
    +    msg->fp = mutt_bcache_put(pop_data->bcache, cache_id(h->data));
         if (!msg->fp)
         {
           /* no */
    @@ -689,7 +706,7 @@ static int pop_fetch_message(struct Context *ctx, struct Message *msg, int msgno
        * portion of the headers, those required for the main display.
        */
       if (bcache)
    -    mutt_bcache_commit(pop_data->bcache, h->data);
    +    mutt_bcache_commit(pop_data->bcache, cache_id(h->data));
       else
       {
         cache->index = h->index;
    @@ -783,7 +800,7 @@ static int pop_sync_mailbox(struct Context *ctx, int *index_hint)
             ret = pop_query(pop_data, buf, sizeof(buf));
             if (ret == 0)
             {
    -          mutt_bcache_del(pop_data->bcache, ctx->hdrs[i]->data);
    +          mutt_bcache_del(pop_data->bcache, cache_id(ctx->hdrs[i]->data));
     #ifdef USE_HCACHE
               mutt_hcache_delete(hc, ctx->hdrs[i]->data, strlen(ctx->hdrs[i]->data));
     #endif
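
Review bot: in pop_sync_mailbox() the body-cache delete now goes through cache_id(), but the mutt_hcache_delete() call two lines below still passes the raw `ctx->hdrs[i]->data`. If the header cache treats the id as an opaque key rather than a path component, that is fine, but the asymmetry deserves a short comment here so the next reader does not have to verify it.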
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
