packages/mutt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!38 update mutt to 2.1.3

Browse Source 
Merge pull request !38 from eaglegai/master
This commit is contained in:
openeuler-ci-bot 2021-12-28 12:34:34 +00:00 committed by Gitee
commit 303cd9d1ad
16 changed files with 62 additions and 484 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

188
CVE-2020-14154-1.patch
View File

@ -1,188 +0,0 @@
From bb0e6277a45a5d4c3a30d3b968eeb31d78124e95 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Fri, 5 Jun 2020 15:21:03 -0700
Subject: [PATCH] Fix GnuTLS tls_verify_peers() checking.
* Change the function to pass the certstatus parameter by reference,
and indicate success/failure of the function via the return value. It
was previously returning the certstatus, but was also returning 0 or
the *unset* certstatus on error too. Since a 0 certstatus means
"success", this meant a gnutls_certificate_verify_peers2() failure
would be regarded as a valid cert.
* The gnutls_certificate_type_get() inside tls_verify_peers() checks
the *client* certificate type. Since it was only called if gnutls_certificate_verify_peers2() failed, I assume was either a
mistake, or perhaps an attempt to give a special error message if the
client cert was OpenPGP. In either case, the error message was not
very informative, so just remove the call and special error message.
* Fix GNUTLS_E_NO_CERTIFICATE_FOUND check to be against verify_ret
instead of certstat.
* Fix gnutls_strerror() call to use verify_ret instead of certstat.
* gnutls_certificate_verify_peers2() already calls and checks gnutls_auth_get_type(), so remove call at the beginning of tls_check_certificate().
* gnutls_certificate_verify_peers2() also verifies the certificate
type for the *server* is GNUTLS_CRT_X509. Add a comment about that.
---
mutt_ssl_gnutls.c | 100 +++++++++++++++++++++++++++-------------------
1 file changed, 60 insertions(+), 40 deletions(-)
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 8fc6421..19d47b3 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -684,6 +684,9 @@ static int tls_check_stored_hostname (const gnutls_datum_t *cert,
return 0;
}
+/* Returns 0 on success
+ * -1 on failure
+ */
static int tls_check_preauth (const gnutls_datum_t *certdata,
gnutls_certificate_status_t certstat,
const char *hostname, int chainidx, int* certerr,
@@ -802,8 +805,8 @@ static int tls_check_preauth (const gnutls_datum_t *certdata,
return -1;
}
-/*
- * Returns 0 on failure, nonzero on success.
+/* Returns 1 on success.
+ * 0 on failure.
*/
static int tls_check_one_certificate (const gnutls_datum_t *certdata,
gnutls_certificate_status_t certstat,
@@ -1086,44 +1089,57 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata,
mutt_menuDestroy (&menu);
gnutls_x509_crt_deinit (cert);
- return (done == 2);
+ return (done == 2) ? 1 : 0;
}
-/* sanity-checking wrapper for gnutls_certificate_verify_peers */
-static gnutls_certificate_status_t tls_verify_peers (gnutls_session_t tlsstate)
+/* sanity-checking wrapper for gnutls_certificate_verify_peers.
+ *
+ * certstat is technically a bitwise-or of gnutls_certificate_status_t
+ * values.
+ *
+ * Returns:
+ * - 0 if certstat was set. note: this does not mean success.
+ * - nonzero on failure.
+ */
+static int tls_verify_peers (gnutls_session_t tlsstate,
+ gnutls_certificate_status_t *certstat)
{
int verify_ret;
- unsigned int status;
- verify_ret = gnutls_certificate_verify_peers2 (tlsstate, &status);
+ /* gnutls_certificate_verify_peers2() chains to
+ * gnutls_x509_trust_list_verify_crt2(). That function's documentation says:
+ *
+ * When a certificate chain of cert_list_size with more than one
+ * certificates is provided, the verification status will apply to
+ * the first certificate in the chain that failed
+ * verification. The verification process starts from the end of
+ * the chain (from CA to end certificate). The first certificate
+ * in the chain must be the end-certificate while the rest of the
+ * members may be sorted or not.
+ *
+ * This is why tls_check_certificate() loops from CA to host in that order,
+ * calling the menu, and recalling tls_verify_peers() for each approved
+ * cert in the chain.
+ */
+ verify_ret = gnutls_certificate_verify_peers2 (tlsstate, certstat);
+
+ /* certstat was set */
if (!verify_ret)
- return status;
+ return 0;
- if (status == GNUTLS_E_NO_CERTIFICATE_FOUND)
- {
+ if (verify_ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
mutt_error (_("Unable to get certificate from peer"));
- mutt_sleep (2);
- return 0;
- }
- if (verify_ret < 0)
- {
+ else
mutt_error (_("Certificate verification error (%s)"),
- gnutls_strerror (status));
- mutt_sleep (2);
- return 0;
- }
-
- /* We only support X.509 certificates (not OpenPGP) at the moment */
- if (gnutls_certificate_type_get (tlsstate) != GNUTLS_CRT_X509)
- {
- mutt_error (_("Certificate is not X.509"));
- mutt_sleep (2);
- return 0;
- }
+ gnutls_strerror (verify_ret));
- return status;
+ mutt_sleep (2);
+ return verify_ret;
}
+/* Returns 1 on success.
+ * 0 on failure.
+ */
static int tls_check_certificate (CONNECTION* conn)
{
tlssockdata *data = conn->sockdata;
@@ -1133,15 +1149,16 @@ static int tls_check_certificate (CONNECTION* conn)
gnutls_certificate_status_t certstat;
int certerr, i, preauthrc, savedcert, rc = 0;
int rcpeer = -1; /* the result of tls_check_preauth() on the peer's EE cert */
+ int rcsettrust;
- if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
- {
- mutt_error (_("Unable to get certificate from peer"));
- mutt_sleep (2);
+ /* tls_verify_peers() calls gnutls_certificate_verify_peers2(),
+ * which verifies the auth_type is GNUTLS_CRD_CERTIFICATE
+ * and that get_certificate_type() for the server is GNUTLS_CRT_X509.
+ * If it returns 0, certstat will be set with failure codes for the first
+ * cert in the chain (from CA to host) with an error.
+ */
+ if (tls_verify_peers (state, &certstat) != 0)
return 0;
- }
-
- certstat = tls_verify_peers (state);
cert_list = gnutls_certificate_get_peers (state, &cert_list_size);
if (!cert_list)
@@ -1184,12 +1201,15 @@ static int tls_check_certificate (CONNECTION* conn)
/* add signers to trust set, then reverify */
if (i && rc) {
- rc = gnutls_certificate_set_x509_trust_mem (data->xcred, &cert_list[i],
- GNUTLS_X509_FMT_DER);
- if (rc != 1)
- dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc));
+ rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred,
+ &cert_list[i],
+ GNUTLS_X509_FMT_DER);
+ if (rcsettrust != 1)
+ dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rcsettrust));
+
+ if (tls_verify_peers (state, &certstat) != 0)
+ return 0;
- certstat = tls_verify_peers (state);
/* If the cert chain now verifies, and the peer's cert was otherwise
* valid (rcpeer==0), we are done.
*/
--
2.27.0

38
CVE-2020-14154-2.patch
View File

@ -1,38 +0,0 @@
From 5fccf603ebcf352ba783136d6b2d2600d811fb3b Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Fri, 5 Jun 2020 18:16:31 -0700
Subject: [PATCH] Abort GnuTLS certificate check if a cert in the chain is
rejected.
GnuTLS is not checking dates because we disabled that in
tls_negotiate().
So if we don't do this, rejecting an expired intermediate cert will
have no effect. Certstat won't contain an expiration error, and
tls_check_preauth() will only look at each subsequent cert in the
chain's dates.
---
mutt_ssl_gnutls.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 19d47b3..6f98f50 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -1199,8 +1199,12 @@ static int tls_check_certificate (CONNECTION* conn)
rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host,
i, cert_list_size);
+ /* Stop checking if the menu cert is aborted or rejected. */
+ if (!rc)
+ break;
+
/* add signers to trust set, then reverify */
- if (i && rc) {
+ if (i) {
rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred,
&cert_list[i],
GNUTLS_X509_FMT_DER);
--
2.27.0

67
CVE-2020-14154-3.patch
View File

@ -1,67 +0,0 @@
From f64ec1deefb67d471a642004e102cd1c501a1db3 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sat, 6 Jun 2020 20:03:56 -0700
Subject: [PATCH] Fix GnuTLS interactive prompt short-circuiting.
tls_verify_peers() doesn't verify expiration dates. So aborting early
because of a 0 certstat and the leaf passing tls_check_preauth() does
not mean subsequent intermediate certs are okay: they could beexpired.
In the saved-cert preauth loop, instead of just noting the
tls_check_preauth() rc for the leaf, note the highest cert that passes
preauth.
Then, in the interactive loop (which goes in the opposite order, from
CA to leaf) check that value instead. Since we are trusting certs one
by one, anything that passed in the previous loop will certainly pass
the preauth check at the beginning of tls_check_one_certificate().
---
mutt_ssl_gnutls.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 6f98f50..09d628a 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -1148,7 +1148,7 @@ static int tls_check_certificate (CONNECTION* conn)
unsigned int cert_list_size = 0;
gnutls_certificate_status_t certstat;
int certerr, i, preauthrc, savedcert, rc = 0;
- int rcpeer = -1; /* the result of tls_check_preauth() on the peer's EE cert */
+ int max_preauth_pass = -1;
int rcsettrust;
/* tls_verify_peers() calls gnutls_certificate_verify_peers2(),
@@ -1176,13 +1176,8 @@ static int tls_check_certificate (CONNECTION* conn)
rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i,
&certerr, &savedcert);
preauthrc += rc;
- if (i == 0)
- {
- /* This is the peer's end-entity X.509 certificate. Stash the result
- * to check later in this function.
- */
- rcpeer = rc;
- }
+ if (!preauthrc)
+ max_preauth_pass = i;
if (savedcert)
{
@@ -1214,10 +1209,10 @@ static int tls_check_certificate (CONNECTION* conn)
if (tls_verify_peers (state, &certstat) != 0)
return 0;
- /* If the cert chain now verifies, and the peer's cert was otherwise
- * valid (rcpeer==0), we are done.
+ /* If the cert chain now verifies, and all lower certs already
+ * passed preauth, we are done.
*/
- if (!certstat && !rcpeer)
+ if (!certstat && (max_preauth_pass >= i - 1))
return 1;
}
}
--
2.27.0

27
CVE-2020-28896.patch
View File

@ -1,27 +0,0 @@
From 7a0bd4a7535eba5a6c7893803091a7d6e07cc15d Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Thu, 7 Jan 2021 10:43:55 +0800
Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
---
imap/imap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/imap/imap.c b/imap/imap.c
index 0c3b79d..5256035 100644
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -508,9 +508,9 @@ int imap_open_connection (IMAP_DATA* idata)
#if defined(USE_SSL)
err_close_conn:
- imap_close_connection (idata);
#endif
bail:
+ imap_close_connection (idata);
FREE (&idata->capstr);
return -1;
}
--
2.23.0

39
CVE-2021-3181.patch
View File

@ -1,39 +0,0 @@
From 4a2becbdb4422aaffe3ce314991b9d670b7adf17 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 17 Jan 2021 10:40:37 -0800
Subject: [PATCH] Fix memory leak parsing group addresses without a display
name.
When there was a group address terminator with no previous
addresses (including the group display-name), an address would be
allocated but not attached to the address list.
Change this to only allocate when last exists.
It would be more correct to not allocate at all unless we are inside a
group list, but I will address that in a separate commit to master.
---
rfc822.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rfc822.c b/rfc822.c
index 7ff4eaa3..ced619f2 100644
--- a/rfc822.c
+++ b/rfc822.c
@@ -587,11 +587,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s)
#endif
/* add group terminator */
- cur = rfc822_new_address ();
if (last)
{
- last->next = cur;
- last = cur;
+ last->next = rfc822_new_address ();
+ last = last->next;
}
phraselen = 0;
--
GitLab

53
backport-CVE-2020-14093-1.patch
View File

@ -1,53 +0,0 @@
From 3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 14 Jun 2020 11:30:00 -0700
Subject: [PATCH] Prevent possible IMAP MITM via PREAUTH response.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is similar to CVE-2014-2567 and CVE-2020-12398. STARTTLS is not
allowed in the Authenticated state, so previously Mutt would
implicitly mark the connection as authenticated and skip any
encryption checking/enabling.
No credentials are exposed, but it does allow messages to be sent to
an attacker, via postpone or fcc'ing for instance.
Reuse the $ssl_starttls quadoption "in reverse" to prompt to abort the
connection if it is unencrypted.
Thanks very much to Damian Poddebniak and Fabian Ising from the
Münster University of Applied Sciences for reporting this issue, and
their help in testing the fix.
---
imap/imap.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/imap/imap.c b/imap/imap.c
index 63362176..3ca10df4 100644
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -493,6 +493,22 @@ int imap_open_connection (IMAP_DATA* idata)
}
else if (ascii_strncasecmp ("* PREAUTH", idata->buf, 9) == 0)
{
+#if defined(USE_SSL)
+ /* An unencrypted PREAUTH response is most likely a MITM attack.
+ * Require a confirmation. */
+ if (!idata->conn->ssf)
+ {
+ if (option(OPTSSLFORCETLS) ||
+ (query_quadoption (OPT_SSLSTARTTLS,
+ _("Abort unencrypted PREAUTH connection?")) != MUTT_NO))
+ {
+ mutt_error _("Encrypted connection unavailable");
+ mutt_sleep (1);
+ goto err_close_conn;
+ }
+ }
+#endif
+
idata->state = IMAP_AUTHENTICATED;
if (imap_check_capabilities (idata) != 0)
goto bail;

28
backport-CVE-2020-14093-2.patch
View File

@ -1,28 +0,0 @@
From bfb4ba6e6e742d3ca1a23697228fdddc957819a6 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sat, 20 Jun 2020 06:35:35 -0700
Subject: [PATCH] Don't check IMAP PREAUTH encryption if $tunnel is in use.
$tunnel is used to create an external encrypted connection. The default of $ssl_starttls is yes, meaning those kinds of connections will be broken by the CVE-2020-14093 fix.
---
imap/imap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/imap/imap.c b/imap/imap.c
index 17d1411..a41ed46 100644
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -495,8 +495,8 @@ int imap_open_connection (IMAP_DATA* idata)
{
#if defined(USE_SSL)
/* An unencrypted PREAUTH response is most likely a MITM attack.
- * Require a confirmation. */
- if (!idata->conn->ssf)
+ * Require a confirmation unless using $tunnel. */
+ if (!idata->conn->ssf && !Tunnel)
{
if (option(OPTSSLFORCETLS) ||
(query_quadoption (OPT_SSLSTARTTLS,
--
2.23.0

7
mutt-1.10.0-muttrc.patch
View File

@ -1,7 +1,7 @@
diff -ur mutt-1.8.0.orig/doc/Muttrc.head mutt-1.8.0/doc/Muttrc.head diff -ur mutt-1.8.0.orig/doc/Muttrc.head mutt-1.8.0/doc/Muttrc.head
--- mutt-1.8.0.orig/doc/Muttrc.head 2017-02-25 15:28:22.120997474 +0000 --- mutt-1.8.0.orig/doc/Muttrc.head 2017-02-25 15:28:22.120997474 +0000
+++ mutt-1.8.0/doc/Muttrc.head 2017-02-25 15:30:10.643079681 +0000 +++ mutt-1.8.0/doc/Muttrc.head 2017-02-25 15:30:10.643079681 +0000
@@ -24,12 +24,16 @@ @@ -24,13 +24,17 @@
# Show documentation when pressing F1 # Show documentation when pressing F1
macro generic,pager <F1> "<shell-escape> less @docdir@/manual.txt<Enter>" "show Mutt documentation" macro generic,pager <F1> "<shell-escape> less @docdir@/manual.txt<Enter>" "show Mutt documentation"
@ -9,8 +9,9 @@ diff -ur mutt-1.8.0.orig/doc/Muttrc.head mutt-1.8.0/doc/Muttrc.head
+macro generic,pager <F2> "<shell-escape> less @docdir@/manual.txt<Enter>" "show Mutt documentation" +macro generic,pager <F2> "<shell-escape> less @docdir@/manual.txt<Enter>" "show Mutt documentation"
# show the incoming mailboxes list (just like "mutt -y") and back when pressing "y" # show the incoming mailboxes list (just like "mutt -y") and back when pressing "y"
macro index y "<change-folder>?<toggle-mailboxes>" "show incoming mailboxes list" # note: these macros have been subsumed by the <browse-mailboxes> function.
macro pager y "<exit><change-folder>?<toggle-mailboxes>" "show incoming mailboxes list" # macro index y "<change-folder>?<toggle-mailboxes>" "show incoming mailboxes list"
# macro pager y "<exit><change-folder>?<toggle-mailboxes>" "show incoming mailboxes list"
bind browser y exit bind browser y exit
+bind editor <delete> delete-char +bind editor <delete> delete-char

BIN
mutt-1.10.1.tar.gz
View File

Binary file not shown.

13
mutt-1.12.1-optusegpgagent.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/init.h b/init.h
index acc7d8b..14d417c 100644
--- a/init.h
+++ b/init.h
@@ -2444,7 +2444,7 @@ struct option_t MuttVars[] = {
** subprocess failed.
** (PGP only)
*/
- { "pgp_check_gpg_decrypt_status_fd", DT_BOOL, R_NONE, {.l=OPTPGPCHECKGPGDECRYPTSTATUSFD}, {.l=1} },
+ { "pgp_check_gpg_decrypt_status_fd", DT_BOOL, R_NONE, {.l=OPTPGPCHECKGPGDECRYPTSTATUSFD}, {.l=0} },
/*
** .pp
** If \fIset\fP, mutt will check the status file descriptor output

4
mutt-1.5.23-system_certs.patch
View File

@ -5,8 +5,8 @@ diff -rup mutt-17a4f92e4a95-orig/init.h mutt-17a4f92e4a95-new/init.h
*/ */
#if defined(USE_SSL) #if defined(USE_SSL)
#ifdef USE_SSL_GNUTLS #ifdef USE_SSL_GNUTLS
- { "ssl_ca_certificates_file", DT_PATH, R_NONE, UL &SslCACertFile, 0 }, - { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p=0} },
+ { "ssl_ca_certificates_file", DT_PATH, R_NONE, UL &SslCACertFile, "/etc/ssl/certs/ca-bundle.crt" }, + { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p="/etc/ssl/certs/ca-bundle.crt"} },
/* /*
** .pp ** .pp
** This variable specifies a file containing trusted CA certificates. ** This variable specifies a file containing trusted CA certificates.

15
mutt-1.8.0-cabundle.patch
View File

@ -1,15 +1,15 @@
diff -ur mutt-1.8.0.orig/contrib/Makefile.am mutt-1.8.0/contrib/Makefile.am diff -ur mutt-1.8.0.orig/contrib/Makefile.am mutt-1.8.0/contrib/Makefile.am
--- mutt-1.8.0.orig/contrib/Makefile.am 2017-02-25 15:28:22.124997366 +0000 --- mutt-1.8.0.orig/contrib/Makefile.am 2017-02-25 15:28:22.124997366 +0000
+++ mutt-1.8.0/contrib/Makefile.am 2017-02-25 15:48:10.834036861 +0000 +++ mutt-1.8.0/contrib/Makefile.am 2017-02-25 15:48:10.834036861 +0000
@@ -5,7 +5,7 @@ @@ -6,7 +6,7 @@
SAMPLES = Mush.rc Pine.rc gpg.rc pgp2.rc pgp5.rc pgp6.rc Tin.rc \
sample.mailcap sample.muttrc sample.muttrc-sidebar sample.muttrc-tlr \ sample.mailcap sample.muttrc sample.muttrc-sidebar sample.muttrc-tlr \
sample.muttrc-compress sample.vimrc-sidebar colors.default colors.linux smime.rc \ sample.muttrc-compress sample.muttrc-starter \
- ca-bundle.crt smime_keys_test.pl mutt_xtitle sample.vimrc-sidebar colors.default colors.linux smime.rc \
+ smime_keys_test.pl mutt_xtitle - ca-bundle.crt smime_keys_test.pl mutt_xtitle markdown2html \
+ smime_keys_test.pl mutt_xtitle markdown2html \
bgedit-detectgui.sh bgedit-screen-tmux.sh \
mutt_oauth2.py mutt_oauth2.py.README
EXTRA_DIST = language.txt language50.txt \
patch.slang-1.2.2.keypad.1 \
diff -ur mutt-1.8.0.orig/doc/smime-notes.txt mutt-1.8.0/doc/smime-notes.txt diff -ur mutt-1.8.0.orig/doc/smime-notes.txt mutt-1.8.0/doc/smime-notes.txt
--- mutt-1.8.0.orig/doc/smime-notes.txt 2017-02-25 15:28:22.119997501 +0000 --- mutt-1.8.0.orig/doc/smime-notes.txt 2017-02-25 15:28:22.119997501 +0000
+++ mutt-1.8.0/doc/smime-notes.txt 2017-02-25 16:06:38.986242390 +0000 +++ mutt-1.8.0/doc/smime-notes.txt 2017-02-25 16:06:38.986242390 +0000
@ -26,3 +26,4 @@ diff -ur mutt-1.8.0.orig/doc/smime-notes.txt mutt-1.8.0/doc/smime-notes.txt
signed by one of them. You can use "smime_keys add_root" to do so, or signed by one of them. You can use "smime_keys add_root" to do so, or
just copy ca-bundle.crt into the place you point mutt's smime_ca_location just copy ca-bundle.crt into the place you point mutt's smime_ca_location
variable to. variable to.

16
mutt-1.9.0-ssl_ciphers.patch
View File

@ -5,28 +5,28 @@ diff -ur mutt-1.9.0.orig/init.h mutt-1.9.0/init.h
*/ */
# endif /* defined HAVE_SSL_PARTIAL_CHAIN */ # endif /* defined HAVE_SSL_PARTIAL_CHAIN */
# endif /* defined USE_SSL_OPENSSL */ # endif /* defined USE_SSL_OPENSSL */
- { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL 0 }, - { "ssl_ciphers", DT_STR, R_NONE, {.p=&SslCiphers}, {.p=0} },
+ { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL "@SYSTEM" }, + { "ssl_ciphers", DT_STR, R_NONE, {.p=&SslCiphers}, {.p="@SYSTEM"} },
/* /*
** .pp ** .pp
** Contains a colon-seperated list of ciphers to use when using SSL. ** Contains a colon-separated list of ciphers to use when using SSL.
diff -ur mutt-1.9.0.orig/mutt_ssl_gnutls.c mutt-1.9.0/mutt_ssl_gnutls.c diff -ur mutt-1.9.0.orig/mutt_ssl_gnutls.c mutt-1.9.0/mutt_ssl_gnutls.c
--- mutt-1.9.0.orig/mutt_ssl_gnutls.c 2017-09-04 16:48:21.403528134 +0200 --- mutt-1.9.0.orig/mutt_ssl_gnutls.c 2017-09-04 16:48:21.403528134 +0200
+++ mutt-1.9.0/mutt_ssl_gnutls.c 2017-09-04 16:51:16.081679141 +0200 +++ mutt-1.9.0/mutt_ssl_gnutls.c 2017-09-04 16:51:16.081679141 +0200
@@ -286,6 +286,8 @@ @@ -286,6 +286,8 @@
else else
safe_strcat (priority, priority_size, "NORMAL"); mutt_buffer_strcpy (priority, "NORMAL");
+if (SslCiphers && strcmp(SslCiphers, "@SYSTEM")) +if (SslCiphers && strcmp(SslCiphers, "@SYSTEM"))
+{ +{
if (! option(OPTTLSV1_2)) if (!option (OPTTLSV1_3))
{ {
nproto--; nproto--;
@@ -313,6 +315,7 @@ @@ -313,6 +315,7 @@
FREE (&priority); mutt_error (_("All available protocols for TLS/SSL connection disabled"));
return -1; goto cleanup;
} }
+} +}
if ((err = gnutls_priority_set_direct (data->state, priority, NULL)) < 0) if ((err = gnutls_priority_set_direct (data->state, mutt_b2s (priority), NULL)) < 0)
{ {

6
mutt-1.9.4-lynx_no_backscapes.patch
View File

@ -5,8 +5,8 @@ diff -up mutt-1.9.1/doc/Makefile.am.lynx_no_backscapes mutt-1.9.1/doc/Makefile.a
check: check:
manual.txt: manual.html manual.txt: manual.html
- -LC_ALL=C lynx -dump -nolist -with_backspaces -display_charset=us-ascii manual.html > $@ || \ - -LC_ALL=C lynx -localhost -dump -nolist -nonumbers -with_backspaces -display_charset=us-ascii manual.html > $@ || \
+ -LC_ALL=C lynx -dump -nolist -display_charset=us-ascii manual.html > $@ || \ + -LC_ALL=C lynx -localhost -dump -nolist -display_charset=us-ascii manual.html > $@ || \
LC_ALL=C w3m -dump manual.html > $@ || \ LC_ALL=C w3m -T text/html -I utf-8 -O utf-8 -dump < manual.html > $@ || \
LC_ALL=C elinks -dump -no-numbering -no-references manual.html | sed -e 's,\\001, ,g' > $@ LC_ALL=C elinks -dump -no-numbering -no-references manual.html | sed -e 's,\\001, ,g' > $@

BIN
mutt-2.1.3.tar.gz Normal file
View File

Binary file not shown.

45
mutt.spec
View File

@ -1,6 +1,6 @@
Name: mutt Name: mutt
Version: 1.10.1 Version: 2.1.3
Release: 7 Release: 1
Epoch: 5 Epoch: 5
Summary: Text-based mail client Summary: Text-based mail client
License: GPLv2+ and Public Domain License: GPLv2+ and Public Domain
@ -8,26 +8,20 @@ URL: http://www.mutt.org
Source: ftp://ftp.mutt.org/pub/%{name}/%{name}-%{version}.tar.gz Source: ftp://ftp.mutt.org/pub/%{name}/%{name}-%{version}.tar.gz
Source1: mutt_ldap_query Source1: mutt_ldap_query
Patch10: mutt-1.9.4-lynx_no_backscapes.patch Patch1: mutt-1.5.23-system_certs.patch
Patch12: mutt-1.9.5-nodotlock.patch Patch2: mutt-1.7.0-syncdebug.patch
Patch1: mutt-1.10.0-muttrc.patch Patch3: mutt-1.8.0-cabundle.patch
Patch2: mutt-1.8.0-cabundle.patch Patch4: mutt-1.9.0-ssl_ciphers.patch
Patch3: mutt-1.7.0-syncdebug.patch Patch5: mutt-1.9.4-lynx_no_backscapes.patch
Patch8: mutt-1.5.23-system_certs.patch Patch6: mutt-1.9.5-nodotlock.patch
Patch9: mutt-1.9.0-ssl_ciphers.patch Patch7: mutt-1.10.0-muttrc.patch
Patch13: CVE-2020-28896.patch Patch8: mutt-1.12.1-optusegpgagent.patch
Patch14: CVE-2021-3181.patch
Patch15: backport-CVE-2020-14093-1.patch
Patch16: backport-CVE-2020-14093-2.patch
Patch17: CVE-2020-14154-1.patch
Patch18: CVE-2020-14154-2.patch
Patch19: CVE-2020-14154-3.patch
BuildRequires: gcc ncurses-devel gettext automake /usr/bin/xsltproc BuildRequires: gcc ncurses-devel gettext automake /usr/bin/xsltproc
BuildRequires: lynx docbook-style-xsl perl-interpreter perl-generators BuildRequires: lynx docbook-style-xsl perl-interpreter perl-generators
BuildRequires: tokyocabinet-devel gnutls-devel cyrus-sasl-devel BuildRequires: gdbm-devel gnutls-devel cyrus-sasl-devel
BuildRequires: krb5-devel libidn2-devel gpgme-devel BuildRequires: krb5-devel libidn2-devel gpgme-devel
Requires: mailcap urlview Requires: mailcap
%description %description
Mutt is a small but very powerful text-based mail client for Unix operating systems. Mutt is a small but very powerful text-based mail client for Unix operating systems.
@ -59,7 +53,7 @@ rm -f mutt_ssl.c
--enable-imap \ --enable-imap \
--enable-smtp \ --enable-smtp \
--enable-hcache \ --enable-hcache \
--without-gdbm \ --without-tokyocabinet \
--without-qdbm \ --without-qdbm \
--with-gnutls \ --with-gnutls \
--with-sasl \ --with-sasl \
@ -90,6 +84,8 @@ EOF
echo "# Local configuration for Mutt." > \ echo "# Local configuration for Mutt." > \
%{buildroot}%{_sysconfdir}/Muttrc.local %{buildroot}%{_sysconfdir}/Muttrc.local
rm %{buildroot}%{_infodir}/dir
ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5 ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
%find_lang %{name} %find_lang %{name}
@ -103,7 +99,7 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
%config(noreplace) %{_sysconfdir}/Muttrc %config(noreplace) %{_sysconfdir}/Muttrc
%config(noreplace) %{_sysconfdir}/Muttrc.local %config(noreplace) %{_sysconfdir}/Muttrc.local
%{_bindir}/mutt %{_bindir}/mutt
%{_bindir}/pgpring %{_bindir}/mutt_pgpring
%{_bindir}/pgpewrap %{_bindir}/pgpewrap
%{_bindir}/smime_keys %{_bindir}/smime_keys
%exclude %{_sysconfdir}/*.dist %exclude %{_sysconfdir}/*.dist
@ -121,11 +117,18 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
%files help %files help
%{_mandir}/man1/mutt.* %{_mandir}/man1/mutt.*
%{_mandir}/man1/smime_keys.* %{_mandir}/man1/smime_keys.*
%{_mandir}/man1/pgpring.* %{_mandir}/man1/mutt_pgpring.*
%{_mandir}/man1/pgpewrap.* %{_mandir}/man1/pgpewrap.*
%{_mandir}/man5/muttrc.* %{_mandir}/man5/muttrc.*
%{_infodir}/mutt.info.*
%changelog %changelog
* Tue Dec 28 2021 gaihuiying1<gaihuiying@huawei.com> - 2.1.3-1
- Type:requirement
- Id:NA
- SUG:NA
- DESC:update mutt to 2.1.3
- Fri Oct 15 2021 yaoxin<yaoxin30@huawei.com> - 1.10.1-7 - Fri Oct 15 2021 yaoxin<yaoxin30@huawei.com> - 1.10.1-7
- fix CVE-2020-14154 - fix CVE-2020-14154