Bug 1957451 (CVE-2021-32055)

Summary: CVE-2021-32055 neomutt: Out of bounds read in IMAP parser
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: athoscribeiro, dakingun, databases-maint, fjanus, hhorak, jmmahler, jpacner, mmuzila, panovotn, pkubat
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mutt 2.0.7
Last Closed: 2022-05-17 15:15:58 UTC
Bug Depends On: 1957452, 1959896
Bug Blocks: 1957453

Description Pedro Sampaio 2021-05-05 19:10:05 UTC
Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends with a comma. NOTE: the $imap_qresync setting for QRESYNC is not enabled by default.

References:

https://gitlab.com/muttmua/mutt/-/commit/7c4779ac24d2fb68a2a47b58c7904118f40965d5
http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20210503/000036.html
https://github.com/neomutt/neomutt/commit/fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc
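
The bug class described above, a sequence-set walker stepping past the terminating NUL when the set ends with a comma, is avoided by fixing an end pointer once and checking every advance against it. The following is an added example written for this page, not code from Mutt or NeoMutt; `parse_uint` and `seqset_expand` are hypothetical names, and the input in `main` is constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
/* Parse decimal digits in [p, end); return new position, or NULL on no digits/overflow. */
static const char *parse_uint(const char *p, const char *end, unsigned *val)
{
    const char *start = p;
    unsigned v = 0;
    for (; p < end && *p >= '0' && *p <= '9'; p++) {
        unsigned d = (unsigned)(*p - '0');
        if (v > (UINT_MAX - d) / 10) return NULL;
        v = v * 10 + d;
    }
    if (p == start) return NULL;
    *val = v;
    return p;
}
/* Expand a set such as "1:3,5," into out[]. Returns the number of values, or -1 on
 * malformed input or when out[] (cap entries) is too small. '*' is rejected here. */
long seqset_expand(const char *s, unsigned *out, size_t cap)
{
    const char *p = s, *end = s + strlen(s);   /* end points at the NUL */
    size_t n = 0;
    while (p < end) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        const char *tok_end = comma ? comma : end;
        if (tok_end > p) {                     /* skip empty elements: "1,,2", "1," */
            unsigned lo, hi;
            const char *q = parse_uint(p, tok_end, &lo);
            if (!q) return -1;
            hi = lo;
            if (q < tok_end && (*q != ':' || !(q = parse_uint(q + 1, tok_end, &hi)) || q != tok_end))
                return -1;
            if (lo > hi) { unsigned t = lo; lo = hi; hi = t; }  /* "4:2" == "2:4" */
            for (unsigned u = lo; ; u++) {
                if (n == cap) return -1;       /* never write past out[] */
                out[n++] = u;
                if (u == hi) break;
            }
        }
        p = comma ? comma + 1 : end;           /* lands on end at most, never past it */
    }
    return (long)n;
}
int main(void)
{
    unsigned out[8];
    printf("%ld\n", seqset_expand("1:3,5,", out, 8)); /* constructed input */
    return 0;
}
```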

Comment 1 Pedro Sampaio 2021-05-05 19:10:35 UTC
Created mutt tracking bugs for this issue:

Affects: fedora-all [bug 1957452]

Comment 3 Marco Benatto 2021-05-12 14:40:44 UTC
Statement:

This flaw doesn't affect the Mutt versions shipped with Red Hat Enterprise Linux 6, 7 and 8, as it depends on the QRESYNC feature included in newer versions of Mutt than the ones distributed by Red Hat.

Comment 4 Fabio Alessandro Locati 2022-02-13 20:56:51 UTC
My understanding is that this can be closed. Is this right?

Comment 5 Pedro Sampaio 2022-02-21 13:09:25 UTC
In reply to comment #4:
> My understanding is that this can be closed. Is this right?

This issue affects RHEL-9, so the bug will be closed after the RHSA is released for it.

Comment 6 Product Security DevOps Team 2022-05-17 15:15:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32055