PublicDateAtUSN: 2018-07-17
Candidate: CVE-2018-14362
PublicDate: 2018-07-17 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14362
 https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e
 http://www.mutt.org/news.html
 https://neomutt.org/2018/07/16/release
 https://ubuntu.com/security/notices/USN-3719-1
 https://ubuntu.com/security/notices/USN-3719-2
 https://ubuntu.com/security/notices/USN-3719-3
Description:
 An issue was discovered in Mutt before 1.10.1 and NeoMutt before
 2018-07-16. pop.c does not forbid characters that may have unsafe
 interaction with message-cache pathnames, as demonstrated by a '/'
 character.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_neomutt:
upstream_neomutt: released (20180716+dfsg.1-1)
precise/esm_neomutt: DNE
trusty_neomutt: DNE
trusty/esm_neomutt: DNE
xenial_neomutt: DNE
artful_neomutt: DNE
bionic_neomutt: needed
cosmic_neomutt: ignored (reached end-of-life)
disco_neomutt: not-affected (20180716+dfsg.1-1)
eoan_neomutt: not-affected (20180716+dfsg.1-1.2)
focal_neomutt: not-affected (20180716+dfsg.1-1.2)
groovy_neomutt: not-affected (20180716+dfsg.1-1.2)
hirsute_neomutt: not-affected (20180716+dfsg.1-1.2)
impish_neomutt: not-affected (20180716+dfsg.1-1.2)
jammy_neomutt: not-affected (20180716+dfsg.1-1.2)
devel_neomutt: not-affected (20180716+dfsg.1-1.2)

Patches_mutt:
 other: https://gitlab.com/muttmua/mutt/commit/6aed28b40a0410ec47d40c8c7296d8d10bae7576
upstream_mutt: released (1.10.1)
precise/esm_mutt: released (1.5.21-5ubuntu2.3)
trusty_mutt: released (1.5.21-6.4ubuntu2.2)
trusty/esm_mutt: DNE (trusty was released [1.5.21-6.4ubuntu2.2])
xenial_mutt: released (1.5.24-1ubuntu0.1)
esm-infra/xenial_mutt: released (1.5.24-1ubuntu0.1)
artful_mutt: ignored (reached end-of-life)
bionic_mutt: released (1.9.4-3ubuntu0.1)
cosmic_mutt: released (1.10.1-1)
disco_mutt: released (1.10.1-1)
eoan_mutt: released (1.10.1-1)
focal_mutt: released (1.10.1-1)
groovy_mutt: released (1.10.1-1)
hirsute_mutt: released (1.10.1-1)
impish_mutt: released (1.10.1-1)
jammy_mutt: released (1.10.1-1)
devel_mutt: released (1.10.1-1)