diff --git a/CVE-2020-14154-1.patch b/CVE-2020-14154-1.patch
deleted file mode 100644
index 1b818a1929d3e44da78c6d44a214db32b5150972..0000000000000000000000000000000000000000
--- a/CVE-2020-14154-1.patch
+++ /dev/null
@@ -1,188 +0,0 @@ -From bb0e6277a45a5d4c3a30d3b968eeb31d78124e95 Mon Sep 17 00:00:00 2001 -From: Kevin McCarthy -Date: Fri, 5 Jun 2020 15:21:03 -0700 -Subject: [PATCH] Fix GnuTLS tls_verify_peers() checking. - -* Change the function to pass the certstatus parameter by reference, -and indicate success/failure of the function via the return value. It -was previously returning the certstatus, but was also returning 0 or -the *unset* certstatus on error too. Since a 0 certstatus means -"success", this meant a gnutls_certificate_verify_peers2() failure -would be regarded as a valid cert. - -* The gnutls_certificate_type_get() inside tls_verify_peers() checks -the *client* certificate type. Since it was only called if gnutls_certificate_verify_peers2() failed, I assume was either a -mistake, or perhaps an attempt to give a special error message if the -client cert was OpenPGP. In either case, the error message was not -very informative, so just remove the call and special error message. - -* Fix GNUTLS_E_NO_CERTIFICATE_FOUND check to be against verify_ret -instead of certstat. - -* Fix gnutls_strerror() call to use verify_ret instead of certstat. - -* gnutls_certificate_verify_peers2() already calls and checks gnutls_auth_get_type(), so remove call at the beginning of tls_check_certificate(). - -* gnutls_certificate_verify_peers2() also verifies the certificate -type for the *server* is GNUTLS_CRT_X509. Add a comment about that. 
---- - mutt_ssl_gnutls.c | 100 +++++++++++++++++++++++++++------------------- - 1 file changed, 60 insertions(+), 40 deletions(-) - -diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c -index 8fc6421..19d47b3 100644 ---- a/mutt_ssl_gnutls.c -+++ b/mutt_ssl_gnutls.c -@@ -684,6 +684,9 @@ static int tls_check_stored_hostname (const gnutls_datum_t *cert, - return 0; - } - -+/* Returns 0 on success -+ * -1 on failure -+ */ - static int tls_check_preauth (const gnutls_datum_t *certdata, - gnutls_certificate_status_t certstat, - const char *hostname, int chainidx, int* certerr, -@@ -802,8 +805,8 @@ static int tls_check_preauth (const gnutls_datum_t *certdata, - return -1; - } - --/* -- * Returns 0 on failure, nonzero on success. -+/* Returns 1 on success. -+ * 0 on failure. - */ - static int tls_check_one_certificate (const gnutls_datum_t *certdata, - gnutls_certificate_status_t certstat, -@@ -1086,44 +1089,57 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata, - mutt_menuDestroy (&menu); - gnutls_x509_crt_deinit (cert); - -- return (done == 2); -+ return (done == 2) ? 1 : 0; - } - --/* sanity-checking wrapper for gnutls_certificate_verify_peers */ --static gnutls_certificate_status_t tls_verify_peers (gnutls_session_t tlsstate) -+/* sanity-checking wrapper for gnutls_certificate_verify_peers. -+ * -+ * certstat is technically a bitwise-or of gnutls_certificate_status_t -+ * values. -+ * -+ * Returns: -+ * - 0 if certstat was set. note: this does not mean success. -+ * - nonzero on failure. -+ */ -+static int tls_verify_peers (gnutls_session_t tlsstate, -+ gnutls_certificate_status_t *certstat) - { - int verify_ret; -- unsigned int status; - -- verify_ret = gnutls_certificate_verify_peers2 (tlsstate, &status); -+ /* gnutls_certificate_verify_peers2() chains to -+ * gnutls_x509_trust_list_verify_crt2(). 
That function's documentation says: -+ * -+ * When a certificate chain of cert_list_size with more than one -+ * certificates is provided, the verification status will apply to -+ * the first certificate in the chain that failed -+ * verification. The verification process starts from the end of -+ * the chain (from CA to end certificate). The first certificate -+ * in the chain must be the end-certificate while the rest of the -+ * members may be sorted or not. -+ * -+ * This is why tls_check_certificate() loops from CA to host in that order, -+ * calling the menu, and recalling tls_verify_peers() for each approved -+ * cert in the chain. -+ */ -+ verify_ret = gnutls_certificate_verify_peers2 (tlsstate, certstat); -+ -+ /* certstat was set */ - if (!verify_ret) -- return status; -+ return 0; - -- if (status == GNUTLS_E_NO_CERTIFICATE_FOUND) -- { -+ if (verify_ret == GNUTLS_E_NO_CERTIFICATE_FOUND) - mutt_error (_("Unable to get certificate from peer")); -- mutt_sleep (2); -- return 0; -- } -- if (verify_ret < 0) -- { -+ else - mutt_error (_("Certificate verification error (%s)"), -- gnutls_strerror (status)); -- mutt_sleep (2); -- return 0; -- } -- -- /* We only support X.509 certificates (not OpenPGP) at the moment */ -- if (gnutls_certificate_type_get (tlsstate) != GNUTLS_CRT_X509) -- { -- mutt_error (_("Certificate is not X.509")); -- mutt_sleep (2); -- return 0; -- } -+ gnutls_strerror (verify_ret)); - -- return status; -+ mutt_sleep (2); -+ return verify_ret; - } - -+/* Returns 1 on success. -+ * 0 on failure. 
-+ */ - static int tls_check_certificate (CONNECTION* conn) - { - tlssockdata *data = conn->sockdata; -@@ -1133,15 +1149,16 @@ static int tls_check_certificate (CONNECTION* conn) - gnutls_certificate_status_t certstat; - int certerr, i, preauthrc, savedcert, rc = 0; - int rcpeer = -1; /* the result of tls_check_preauth() on the peer's EE cert */ -+ int rcsettrust; - -- if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE) -- { -- mutt_error (_("Unable to get certificate from peer")); -- mutt_sleep (2); -+ /* tls_verify_peers() calls gnutls_certificate_verify_peers2(), -+ * which verifies the auth_type is GNUTLS_CRD_CERTIFICATE -+ * and that get_certificate_type() for the server is GNUTLS_CRT_X509. -+ * If it returns 0, certstat will be set with failure codes for the first -+ * cert in the chain (from CA to host) with an error. -+ */ -+ if (tls_verify_peers (state, &certstat) != 0) - return 0; -- } -- -- certstat = tls_verify_peers (state); - - cert_list = gnutls_certificate_get_peers (state, &cert_list_size); - if (!cert_list) -@@ -1184,12 +1201,15 @@ static int tls_check_certificate (CONNECTION* conn) - - /* add signers to trust set, then reverify */ - if (i && rc) { -- rc = gnutls_certificate_set_x509_trust_mem (data->xcred, &cert_list[i], -- GNUTLS_X509_FMT_DER); -- if (rc != 1) -- dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc)); -+ rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred, -+ &cert_list[i], -+ GNUTLS_X509_FMT_DER); -+ if (rcsettrust != 1) -+ dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rcsettrust)); -+ -+ if (tls_verify_peers (state, &certstat) != 0) -+ return 0; - -- certstat = tls_verify_peers (state); - /* If the cert chain now verifies, and the peer's cert was otherwise - * valid (rcpeer==0), we are done. - */ --- -2.27.0 - 
diff --git a/CVE-2020-14154-2.patch b/CVE-2020-14154-2.patch deleted file mode 100644 index bcbc3d047ad56c7d5b5c7199ca4cc17e1b8d9d4f..0000000000000000000000000000000000000000 --- a/CVE-2020-14154-2.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5fccf603ebcf352ba783136d6b2d2600d811fb3b Mon Sep 17 00:00:00 2001 -From: Kevin McCarthy -Date: Fri, 5 Jun 2020 18:16:31 -0700 -Subject: [PATCH] Abort GnuTLS certificate check if a cert in the chain is - rejected. - -GnuTLS is not checking dates because we disabled that in -tls_negotiate(). - -So if we don't do this, rejecting an expired intermediate cert will -have no effect. Certstat won't contain an expiration error, and -tls_check_preauth() will only look at each subsequent cert in the -chain's dates. ---- - mutt_ssl_gnutls.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c -index 19d47b3..6f98f50 100644 ---- a/mutt_ssl_gnutls.c -+++ b/mutt_ssl_gnutls.c -@@ -1199,8 +1199,12 @@ static int tls_check_certificate (CONNECTION* conn) - rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host, - i, cert_list_size); - -+ /* Stop checking if the menu cert is aborted or rejected. */ -+ if (!rc) -+ break; -+ - /* add signers to trust set, then reverify */ -- if (i && rc) { -+ if (i) { - rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred, - &cert_list[i], - GNUTLS_X509_FMT_DER); --- -2.27.0 - diff --git a/CVE-2020-14154-3.patch b/CVE-2020-14154-3.patch deleted file mode 100644 index 8111537644a999d770c7e3533a1d2f7f1ba0305d..0000000000000000000000000000000000000000 --- a/CVE-2020-14154-3.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From f64ec1deefb67d471a642004e102cd1c501a1db3 Mon Sep 17 00:00:00 2001 -From: Kevin McCarthy -Date: Sat, 6 Jun 2020 20:03:56 -0700 -Subject: [PATCH] Fix GnuTLS interactive prompt short-circuiting. - -tls_verify_peers() doesn't verify expiration dates. So aborting early -because of a 0 certstat and the leaf passing tls_check_preauth() does -not mean subsequent intermediate certs are okay: they could beexpired. - -In the saved-cert preauth loop, instead of just noting the -tls_check_preauth() rc for the leaf, note the highest cert that passes -preauth. - -Then, in the interactive loop (which goes in the opposite order, from -CA to leaf) check that value instead. Since we are trusting certs one -by one, anything that passed in the previous loop will certainly pass -the preauth check at the beginning of tls_check_one_certificate(). ---- - mutt_ssl_gnutls.c | 17 ++++++----------- - 1 file changed, 6 insertions(+), 11 deletions(-) - -diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c -index 6f98f50..09d628a 100644 ---- a/mutt_ssl_gnutls.c -+++ b/mutt_ssl_gnutls.c -@@ -1148,7 +1148,7 @@ static int tls_check_certificate (CONNECTION* conn) - unsigned int cert_list_size = 0; - gnutls_certificate_status_t certstat; - int certerr, i, preauthrc, savedcert, rc = 0; -- int rcpeer = -1; /* the result of tls_check_preauth() on the peer's EE cert */ -+ int max_preauth_pass = -1; - int rcsettrust; - - /* tls_verify_peers() calls gnutls_certificate_verify_peers2(), -@@ -1176,13 +1176,8 @@ static int tls_check_certificate (CONNECTION* conn) - rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i, - &certerr, &savedcert); - preauthrc += rc; -- if (i == 0) -- { -- /* This is the peer's end-entity X.509 certificate. Stash the result -- * to check later in this function. 
-- */ -- rcpeer = rc; -- } -+ if (!preauthrc) -+ max_preauth_pass = i; - - if (savedcert) - { -@@ -1214,10 +1209,10 @@ static int tls_check_certificate (CONNECTION* conn) - if (tls_verify_peers (state, &certstat) != 0) - return 0; - -- /* If the cert chain now verifies, and the peer's cert was otherwise -- * valid (rcpeer==0), we are done. -+ /* If the cert chain now verifies, and all lower certs already -+ * passed preauth, we are done. - */ -- if (!certstat && !rcpeer) -+ if (!certstat && (max_preauth_pass >= i - 1)) - return 1; - } - } --- -2.27.0 - diff --git a/CVE-2020-28896.patch b/CVE-2020-28896.patch deleted file mode 100644 index 7d37af04063b28a83ab0bb88e6920189c5ba80ca..0000000000000000000000000000000000000000 --- a/CVE-2020-28896.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 7a0bd4a7535eba5a6c7893803091a7d6e07cc15d Mon Sep 17 00:00:00 2001 -From: Kevin McCarthy -Date: Thu, 7 Jan 2021 10:43:55 +0800 -Subject: [PATCH] Ensure IMAP connection is closed after a connection error. - ---- - imap/imap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/imap/imap.c b/imap/imap.c -index 0c3b79d..5256035 100644 ---- a/imap/imap.c -+++ b/imap/imap.c -@@ -508,9 +508,9 @@ int imap_open_connection (IMAP_DATA* idata) - - #if defined(USE_SSL) - err_close_conn: -- imap_close_connection (idata); - #endif - bail: -+ imap_close_connection (idata); - FREE (&idata->capstr); - return -1; - } --- -2.23.0 - diff --git a/CVE-2021-3181.patch b/CVE-2021-3181.patch deleted file mode 100644 index 6688f4d7337f602a2b415c5a6684f89929998d12..0000000000000000000000000000000000000000 --- a/CVE-2021-3181.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 4a2becbdb4422aaffe3ce314991b9d670b7adf17 Mon Sep 17 00:00:00 2001 -From: Kevin McCarthy -Date: Sun, 17 Jan 2021 10:40:37 -0800 -Subject: [PATCH] Fix memory leak parsing group addresses without a display - name. - -When there was a group address terminator with no previous -addresses (including the group display-name), an address would be -allocated but not attached to the address list. - -Change this to only allocate when last exists. - -It would be more correct to not allocate at all unless we are inside a -group list, but I will address that in a separate commit to master. ---- - rfc822.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/rfc822.c b/rfc822.c -index 7ff4eaa3..ced619f2 100644 ---- a/rfc822.c -+++ b/rfc822.c -@@ -587,11 +587,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s) - #endif - - /* add group terminator */ -- cur = rfc822_new_address (); - if (last) - { -- last->next = cur; -- last = cur; -+ last->next = rfc822_new_address (); -+ last = last->next; - } - - phraselen = 0; --- -GitLab - diff --git a/backport-CVE-2020-14093-1.patch b/backport-CVE-2020-14093-1.patch deleted file mode 100644 index b85629d7fbfda8d3c0862432ea2346f8c1cab0c8..0000000000000000000000000000000000000000 --- a/backport-CVE-2020-14093-1.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 Mon Sep 17 00:00:00 2001 -From: Kevin McCarthy -Date: Sun, 14 Jun 2020 11:30:00 -0700 -Subject: [PATCH] Prevent possible IMAP MITM via PREAUTH response. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is similar to CVE-2014-2567 and CVE-2020-12398. STARTTLS is not -allowed in the Authenticated state, so previously Mutt would -implicitly mark the connection as authenticated and skip any -encryption checking/enabling. - -No credentials are exposed, but it does allow messages to be sent to -an attacker, via postpone or fcc'ing for instance. - -Reuse the $ssl_starttls quadoption "in reverse" to prompt to abort the -connection if it is unencrypted. - -Thanks very much to Damian Poddebniak and Fabian Ising from the -Münster University of Applied Sciences for reporting this issue, and -their help in testing the fix. ---- - imap/imap.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/imap/imap.c b/imap/imap.c -index 63362176..3ca10df4 100644 ---- a/imap/imap.c -+++ b/imap/imap.c -@@ -493,6 +493,22 @@ int imap_open_connection (IMAP_DATA* idata) - } - else if (ascii_strncasecmp ("* PREAUTH", idata->buf, 9) == 0) - { -+#if defined(USE_SSL) -+ /* An unencrypted PREAUTH response is most likely a MITM attack. -+ * Require a confirmation. */ -+ if (!idata->conn->ssf) -+ { -+ if (option(OPTSSLFORCETLS) || -+ (query_quadoption (OPT_SSLSTARTTLS, -+ _("Abort unencrypted PREAUTH connection?")) != MUTT_NO)) -+ { -+ mutt_error _("Encrypted connection unavailable"); -+ mutt_sleep (1); -+ goto err_close_conn; -+ } -+ } -+#endif -+ - idata->state = IMAP_AUTHENTICATED; - if (imap_check_capabilities (idata) != 0) - goto bail; diff --git a/backport-CVE-2020-14093-2.patch b/backport-CVE-2020-14093-2.patch deleted file mode 100644 index e7066a431163db22a564213b898aa47c4fca5007..0000000000000000000000000000000000000000 
--- a/backport-CVE-2020-14093-2.patch +++ /dev/null @@ -1,28 +0,0 @@ -From bfb4ba6e6e742d3ca1a23697228fdddc957819a6 Mon Sep 17 00:00:00 2001 -From: Kevin McCarthy -Date: Sat, 20 Jun 2020 06:35:35 -0700 -Subject: [PATCH] Don't check IMAP PREAUTH encryption if $tunnel is in use. - -$tunnel is used to create an external encrypted connection. The default of $ssl_starttls is yes, meaning those kinds of connections will be broken by the CVE-2020-14093 fix. ---- - imap/imap.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/imap/imap.c b/imap/imap.c -index 17d1411..a41ed46 100644 ---- a/imap/imap.c -+++ b/imap/imap.c -@@ -495,8 +495,8 @@ int imap_open_connection (IMAP_DATA* idata) - { - #if defined(USE_SSL) - /* An unencrypted PREAUTH response is most likely a MITM attack. -- * Require a confirmation. */ -- if (!idata->conn->ssf) -+ * Require a confirmation unless using $tunnel. */ -+ if (!idata->conn->ssf && !Tunnel) - { - if (option(OPTSSLFORCETLS) || - (query_quadoption (OPT_SSLSTARTTLS, --- -2.23.0 - diff --git a/mutt-1.10.0-muttrc.patch b/mutt-1.10.0-muttrc.patch index 5dfc7546b1eeb8f1143de8300a51b1ee40e58aaf..ab11c1e8c943d4d241c6aaaa4db7261cf6810fca 100644 --- a/mutt-1.10.0-muttrc.patch +++ b/mutt-1.10.0-muttrc.patch @@ -1,7 +1,7 @@ diff -ur mutt-1.8.0.orig/doc/Muttrc.head mutt-1.8.0/doc/Muttrc.head --- mutt-1.8.0.orig/doc/Muttrc.head 2017-02-25 15:28:22.120997474 +0000 +++ mutt-1.8.0/doc/Muttrc.head 2017-02-25 15:30:10.643079681 +0000 -@@ -24,12 +24,16 @@ +@@ -24,13 +24,17 @@ # Show documentation when pressing F1 macro generic,pager " less @docdir@/manual.txt" "show Mutt documentation" 
@@ -9,8 +9,9 @@ diff -ur mutt-1.8.0.orig/doc/Muttrc.head mutt-1.8.0/doc/Muttrc.head +macro generic,pager " less @docdir@/manual.txt" "show Mutt documentation" # show the incoming mailboxes list (just like "mutt -y") and back when pressing "y" - macro index y "?" "show incoming mailboxes list" - macro pager y "?" "show incoming mailboxes list" + # note: these macros have been subsumed by the function. + # macro index y "?" "show incoming mailboxes list" + # macro pager y "?" "show incoming mailboxes list" bind browser y exit +bind editor delete-char diff --git a/mutt-1.12.1-optusegpgagent.patch b/mutt-1.12.1-optusegpgagent.patch new file mode 100644 index 0000000000000000000000000000000000000000..7e0f933bc631c3f87600bbfc230fe4fa3bbf27a7 --- /dev/null +++ b/mutt-1.12.1-optusegpgagent.patch @@ -0,0 +1,13 @@ +diff --git a/init.h b/init.h +index acc7d8b..14d417c 100644 +--- a/init.h ++++ b/init.h +@@ -2444,7 +2444,7 @@ struct option_t MuttVars[] = { + ** subprocess failed. + ** (PGP only) + */ +- { "pgp_check_gpg_decrypt_status_fd", DT_BOOL, R_NONE, {.l=OPTPGPCHECKGPGDECRYPTSTATUSFD}, {.l=1} }, ++ { "pgp_check_gpg_decrypt_status_fd", DT_BOOL, R_NONE, {.l=OPTPGPCHECKGPGDECRYPTSTATUSFD}, {.l=0} }, + /* + ** .pp + ** If \fIset\fP, mutt will check the status file descriptor output diff --git a/mutt-1.5.23-system_certs.patch b/mutt-1.5.23-system_certs.patch index 41d78409c2e562312bf098af36e99acb9c0307f0..b5697883cde4ac30acba7fcf0a6c045c9314eaf1 100644 --- a/mutt-1.5.23-system_certs.patch +++ b/mutt-1.5.23-system_certs.patch 
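Review bot: Defaulting `pgp_check_gpg_decrypt_status_fd` to `{.l=0}` in the new mutt-1.12.1-optusegpgagent.patch switches off, for every user who has not set it, the check of the status file descriptor output that the doc comment right after the entry describes, and nothing in the patch or the %changelog records why. The patch file name refers to a gpg-agent option rather than to the setting it actually changes, which makes the default flip easy to miss in later rebases. If the distribution's gpg command configuration really needs the check off, say so in a header line at the top of the patch, for example `# pgp_check_gpg_decrypt_status_fd defaults to off because <reason>`, and mention it in the changelog entry; otherwise keep `{.l=1}`.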
@@ -5,8 +5,8 @@ diff -rup mutt-17a4f92e4a95-orig/init.h mutt-17a4f92e4a95-new/init.h */ #if defined(USE_SSL) #ifdef USE_SSL_GNUTLS -- { "ssl_ca_certificates_file", DT_PATH, R_NONE, UL &SslCACertFile, 0 }, -+ { "ssl_ca_certificates_file", DT_PATH, R_NONE, UL &SslCACertFile, "/etc/ssl/certs/ca-bundle.crt" }, +- { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p=0} }, ++ { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p="/etc/ssl/certs/ca-bundle.crt"} }, /* ** .pp ** This variable specifies a file containing trusted CA certificates. diff --git a/mutt-1.8.0-cabundle.patch b/mutt-1.8.0-cabundle.patch index 37524741a504ed2486f07754598a7dc576bca41e..e64f0912aba760e032134c6c22dcf31fdc5ca589 100644 --- a/mutt-1.8.0-cabundle.patch +++ b/mutt-1.8.0-cabundle.patch @@ -1,15 +1,15 @@ diff -ur mutt-1.8.0.orig/contrib/Makefile.am mutt-1.8.0/contrib/Makefile.am --- mutt-1.8.0.orig/contrib/Makefile.am 2017-02-25 15:28:22.124997366 +0000 +++ mutt-1.8.0/contrib/Makefile.am 2017-02-25 15:48:10.834036861 +0000 -@@ -5,7 +5,7 @@ - SAMPLES = Mush.rc Pine.rc gpg.rc pgp2.rc pgp5.rc pgp6.rc Tin.rc \ +@@ -6,7 +6,7 @@ sample.mailcap sample.muttrc sample.muttrc-sidebar sample.muttrc-tlr \ - sample.muttrc-compress sample.vimrc-sidebar colors.default colors.linux smime.rc \ -- ca-bundle.crt smime_keys_test.pl mutt_xtitle -+ smime_keys_test.pl mutt_xtitle + sample.muttrc-compress sample.muttrc-starter \ + sample.vimrc-sidebar colors.default colors.linux smime.rc \ +- ca-bundle.crt smime_keys_test.pl mutt_xtitle markdown2html \ ++ smime_keys_test.pl mutt_xtitle markdown2html \ + bgedit-detectgui.sh bgedit-screen-tmux.sh \ + mutt_oauth2.py mutt_oauth2.py.README - EXTRA_DIST = language.txt language50.txt \ - patch.slang-1.2.2.keypad.1 \ diff -ur mutt-1.8.0.orig/doc/smime-notes.txt mutt-1.8.0/doc/smime-notes.txt --- mutt-1.8.0.orig/doc/smime-notes.txt 2017-02-25 15:28:22.119997501 +0000 +++ mutt-1.8.0/doc/smime-notes.txt 2017-02-25 16:06:38.986242390 +0000 
@@ -26,3 +26,4 @@ diff -ur mutt-1.8.0.orig/doc/smime-notes.txt mutt-1.8.0/doc/smime-notes.txt signed by one of them. You can use "smime_keys add_root" to do so, or just copy ca-bundle.crt into the place you point mutt's smime_ca_location variable to. + diff --git a/mutt-1.9.0-ssl_ciphers.patch b/mutt-1.9.0-ssl_ciphers.patch index 1440189cdf603c83dfb6085bee4ed6020054e1b5..4f72310a887cc86dee6ade3b03042471bd798179 100644 --- a/mutt-1.9.0-ssl_ciphers.patch +++ b/mutt-1.9.0-ssl_ciphers.patch @@ -5,28 +5,28 @@ diff -ur mutt-1.9.0.orig/init.h mutt-1.9.0/init.h */ # endif /* defined HAVE_SSL_PARTIAL_CHAIN */ # endif /* defined USE_SSL_OPENSSL */ -- { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL 0 }, -+ { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL "@SYSTEM" }, +- { "ssl_ciphers", DT_STR, R_NONE, {.p=&SslCiphers}, {.p=0} }, ++ { "ssl_ciphers", DT_STR, R_NONE, {.p=&SslCiphers}, {.p="@SYSTEM"} }, /* ** .pp - ** Contains a colon-seperated list of ciphers to use when using SSL. + ** Contains a colon-separated list of ciphers to use when using SSL. diff -ur mutt-1.9.0.orig/mutt_ssl_gnutls.c mutt-1.9.0/mutt_ssl_gnutls.c --- mutt-1.9.0.orig/mutt_ssl_gnutls.c 2017-09-04 16:48:21.403528134 +0200 +++ mutt-1.9.0/mutt_ssl_gnutls.c 2017-09-04 16:51:16.081679141 +0200 @@ -286,6 +286,8 @@ else - safe_strcat (priority, priority_size, "NORMAL"); + mutt_buffer_strcpy (priority, "NORMAL"); +if (SslCiphers && strcmp(SslCiphers, "@SYSTEM")) +{ - if (! option(OPTTLSV1_2)) + if (!option (OPTTLSV1_3)) { nproto--; @@ -313,6 +315,7 @@ - FREE (&priority); - return -1; + mutt_error (_("All available protocols for TLS/SSL connection disabled")); + goto cleanup; } +} - if ((err = gnutls_priority_set_direct (data->state, priority, NULL)) < 0) + if ((err = gnutls_priority_set_direct (data->state, mutt_b2s (priority), NULL)) < 0) { 
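Review bot: The guard `if (SslCiphers && strcmp(SslCiphers, "@SYSTEM"))` in the mutt_ssl_gnutls.c part of mutt-1.9.0-ssl_ciphers.patch also skips the per-protocol block when `SslCiphers` is NULL, not only when it is "@SYSTEM". If the `else` just above it pairs with a check of `SslCiphers` outside the hunk, as it appears to, then a user who unsets the option gets the "NORMAL" priority string but none of the `option (OPTTLSV1_3)`-style protocol disabling and not the "All available protocols for TLS/SSL connection disabled" check. The condition probably should be `if (!SslCiphers || strcmp (SslCiphers, "@SYSTEM"))`. I would also add a comment above it, `/* With "@SYSTEM" the system crypto policy selects protocols; the per-protocol options are ignored. */`, since that is now the default set in init.h. The enclosing function starts and ends outside the hunk.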
diff --git a/mutt-1.9.4-lynx_no_backscapes.patch b/mutt-1.9.4-lynx_no_backscapes.patch index fefa8e65c97063b6864b485d13299e127fea9772..6faffd3ebbbb162451b7748159d69e5d745c84bd 100644 --- a/mutt-1.9.4-lynx_no_backscapes.patch +++ b/mutt-1.9.4-lynx_no_backscapes.patch @@ -5,8 +5,8 @@ diff -up mutt-1.9.1/doc/Makefile.am.lynx_no_backscapes mutt-1.9.1/doc/Makefile.a check: manual.txt: manual.html -- -LC_ALL=C lynx -dump -nolist -with_backspaces -display_charset=us-ascii manual.html > $@ || \ -+ -LC_ALL=C lynx -dump -nolist -display_charset=us-ascii manual.html > $@ || \ - LC_ALL=C w3m -dump manual.html > $@ || \ +- -LC_ALL=C lynx -localhost -dump -nolist -nonumbers -with_backspaces -display_charset=us-ascii manual.html > $@ || \ ++ -LC_ALL=C lynx -localhost -dump -nolist -display_charset=us-ascii manual.html > $@ || \ + LC_ALL=C w3m -T text/html -I utf-8 -O utf-8 -dump < manual.html > $@ || \ LC_ALL=C elinks -dump -no-numbering -no-references manual.html | sed -e 's,\\001, ,g' > $@ diff --git a/mutt-1.10.1.tar.gz b/mutt-2.1.3.tar.gz similarity index 35% rename from mutt-1.10.1.tar.gz rename to mutt-2.1.3.tar.gz index 72d3f0952458e6dc3e35831974c74d541c7eca37..b08d4ae6c0d1ee6922dd9379d5a15e6a49724f1e 100644 Binary files a/mutt-1.10.1.tar.gz and b/mutt-2.1.3.tar.gz differ diff --git a/mutt.spec b/mutt.spec index 0be93c78cca2c4d3b197188c2775be9e7736b1db..9afcebb143a1b7c161fbab42955c52034aa63303 100644 --- a/mutt.spec +++ b/mutt.spec @@ -1,6 +1,6 @@ Name: mutt -Version: 1.10.1 -Release: 7 +Version: 2.1.3 +Release: 1 Epoch: 5 Summary: Text-based mail client License: GPLv2+ and Public Domain 
@@ -8,20 +8,14 @@ URL: http://www.mutt.org Source: ftp://ftp.mutt.org/pub/%{name}/%{name}-%{version}.tar.gz Source1: mutt_ldap_query -Patch10: mutt-1.9.4-lynx_no_backscapes.patch -Patch12: mutt-1.9.5-nodotlock.patch -Patch1: mutt-1.10.0-muttrc.patch -Patch2: mutt-1.8.0-cabundle.patch -Patch3: mutt-1.7.0-syncdebug.patch -Patch8: mutt-1.5.23-system_certs.patch -Patch9: mutt-1.9.0-ssl_ciphers.patch -Patch13: CVE-2020-28896.patch -Patch14: CVE-2021-3181.patch -Patch15: backport-CVE-2020-14093-1.patch -Patch16: backport-CVE-2020-14093-2.patch -Patch17: CVE-2020-14154-1.patch -Patch18: CVE-2020-14154-2.patch -Patch19: CVE-2020-14154-3.patch +Patch1: mutt-1.5.23-system_certs.patch +Patch2: mutt-1.7.0-syncdebug.patch +Patch3: mutt-1.8.0-cabundle.patch +Patch4: mutt-1.9.0-ssl_ciphers.patch +Patch5: mutt-1.9.4-lynx_no_backscapes.patch +Patch6: mutt-1.9.5-nodotlock.patch +Patch7: mutt-1.10.0-muttrc.patch +Patch8: mutt-1.12.1-optusegpgagent.patch BuildRequires: gcc ncurses-devel gettext automake /usr/bin/xsltproc BuildRequires: lynx docbook-style-xsl perl-interpreter perl-generators @@ -90,6 +84,8 @@ EOF echo "# Local configuration for Mutt." > \ %{buildroot}%{_sysconfdir}/Muttrc.local +rm %{buildroot}%{_infodir}/dir + ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5 %find_lang %{name} @@ -103,7 +99,7 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5 %config(noreplace) %{_sysconfdir}/Muttrc %config(noreplace) %{_sysconfdir}/Muttrc.local %{_bindir}/mutt -%{_bindir}/pgpring +%{_bindir}/mutt_pgpring %{_bindir}/pgpewrap %{_bindir}/smime_keys %exclude %{_sysconfdir}/*.dist 
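Review bot: The Patch list drops all seven CVE patches (CVE-2020-28896, CVE-2021-3181, backport-CVE-2020-14093-1/2, CVE-2020-14154-1/2/3), but the new %changelog entry only says "update mutt to 2.1.3". Presumably the fixes are already contained in the 2.1.3 tarball, but that should be confirmed and recorded so a later audit does not read the removal as a regression, e.g. `- DESC:update mutt to 2.1.3; drop CVE-2020-14093, CVE-2020-14154, CVE-2020-28896 and CVE-2021-3181 patches (included upstream)`. The same entry should mention the newly added Patch8, since it changes a security-related default.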
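Review bot: The added `rm %{buildroot}%{_infodir}/dir` in the %install hunk fails the build if the install step did not generate an info `dir` file in the buildroot, which depends on the build environment. Using `rm -f %{buildroot}%{_infodir}/dir` keeps the cleanup but makes it tolerant of the file being absent.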
@@ -121,11 +117,18 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5 %files help %{_mandir}/man1/mutt.* %{_mandir}/man1/smime_keys.* -%{_mandir}/man1/pgpring.* +%{_mandir}/man1/mutt_pgpring.* %{_mandir}/man1/pgpewrap.* %{_mandir}/man5/muttrc.* +%{_infodir}/mutt.info.* %changelog +* Fri Dec 03 2021 quanhongfei - 2.1.3-1 +- Type:requirements +- Id:NA +- SUG:NA +- DESC:update mutt to 2.1.3 + - Fri Oct 15 2021 yaoxin - 1.10.1-7 - fix CVE-2020-14154