openSUSE Security Update: Security update for neomutt
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10020-1
Rating:             moderate
References:         #1184787 #1185705 
Cross-References:   CVE-2021-32055 CVE-2022-1328
CVSS scores:
                    CVE-2021-32055 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
                    CVE-2021-32055 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2022-1328 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2022-1328 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for neomutt fixes the following issues:

   neomutt was updated to 20220429:

   * Bug Fixes
     - Do not crash on an invalid use_threads/sort combination
     - Fix: stuck browser cursor
     - Resolve (move) the cursor after 
     - Index: fix menu size on new mail
     - Don't overlimit LMDB mmap size
     - OpenBSD y/n translation fix
     - Generic: split out OP_EXIT binding
     - Fix parsing of sendmail cmd
     - Fix: crash with menu_move_off=no
     - Newsrc: bugfix; nntp_user and nntp_pass ignored
     - Menu: ensure config changes cause a repaint
     - Mbox: fix sync duplicates
     - Make sure the index redraws all that's needed
   * Translations
     - 100% Chinese (Simplified)
     - 100% Czech
     - 100% German
     - 100% Hungarian
     - 100% Lithuanian
     - 100% Serbian
     - 100% Turkish
   * Docs
     - add missing pattern modifier ~I for external_search_command
   * Code
     - menu: eliminate custom_redraw()
     - modernise mixmaster
     - Kill global and Propagate display attach status through State-

   neomutt was updated to 20220415:

   * Security
     - Fix uudecode buffer overflow (CVE-2022-1328)
   * Features
     - Colours, colours, colours
   * Bug Fixes
     - Pager: fix pager_stop
     - Merge colours with normal
     - Color: disable mono command
     - Fix forwarding text attachments when honor_disposition is set
     - Pager: drop the nntp change-group bindings
     - Use mailbox_check flags coherently, add IMMEDIATE flag
     - Fix: tagging in attachment list
     - Fix: misalignment of mini-index
     - Make sure to update the menu size after a resort
   * Translations
     - 100% Hungarian
   * Build
     - Update acutest
   * Code
     - Unify pipe functions
     - Index: notify if navigation fails
     - Gui: set colour to be merged with normal
     - Fix: leak in tls_check_one_certificate()
   * Upstream
     - Flush iconv() in mutt_convert_string()
     - Fix integer overflow in mutt_convert_string()
     - Fix uudecode cleanup on unexpected eof

   update to 20220408:

   * Compose multipart emails
   * Fix screen mode after attempting decryption
   * imap: increase max size of oauth2 token
   * Fix autocrypt
   * Unify Alias/Query workflow
   * Fix colours
   * Say which file exists when saving attachments
   * Force SMTP authentication if `smtp_user` is set
   * Fix selecting the right email after limiting
   * Make sure we have enough memory for a new email
   * Don't overwrite with zeroes after unlinking the file
   * Fix crash when forwarding attachments
   * Fix help reformatting on window resize
   * Fix poll to use PollFdsCount and not PollFdsLen
   * regex: range check arrays strictly
   * Fix Coverity defects
   * Fix out of bounds write with long log lines
   * Apply `fast_reply` to 'to', 'cc', or 'bcc'
   * Prevent warning on empty emails
   * New default: `set rfc2047_parameters = yes`
   * 100% German
   * 100% Lithuanian
   * 100% Serbian
   * 100% Czech
   * 100% Turkish
   * 72% Hungarian
   * Improve header cache explanation
   * Improve description of some notmuch variables
   * Explain how timezones and `!`s work inside `%{}`, `%[]` and `%()`
   * Document config synonyms and deprecations
   * Create lots of GitHub Actions
   * Drop TravisCI
   * Add automated Fuzzing tests
   * Add automated ASAN tests
   * Create Dockers for building Centos/Fedora
   * Build fixes for Solaris 10
   * New libraries: browser, enter, envelope
   * New configure options: `--fuzzing` `--debug-color` `--debug-queue`
   * Split Index/Pager GUIs/functions
   * Add lots of function dispatchers
   * Eliminate `menu_loop()`
   * Refactor function opcodes
   * Refactor cursor setting
   * Unify Alias/Query functions
   * Refactor Compose/Envelope functions
   * Modernise the Colour handling
   * Refactor the Attachment View
   * Eliminate the global `Context`
   * Upgrade `mutt_get_field()`
   * Refactor the `color quoted` code
   * Fix lots of memory leaks
   * Refactor Index resolve code
   * Refactor PatternList parsing
   * Refactor Mailbox freeing
   * Improve key mapping
   * Factor out charset hooks
   * Expose mutt_file_seek API
   * Improve API of `strto*` wrappers
   * imap QRESYNC fixes
   * Allow an empty To: address prompt
   * Fix argc==0 handling
   * Don't queue IMAP close commands
   * Fix IMAP UTF-7 for code points >= U+10000
   * Don't include inactive messages in msgset generation

   update to 20211029 (boo#1185705, CVE-2021-32055):

   * Notmuch: support separate database and mail roots without .notmuch
   * fix notmuch crash on open failure
   * fix crypto crash handling pgp keys
   * fix ncrypt/pgp file_get_size return check
   * fix restore case-insensitive header sort
   * fix pager redrawing of long lines
   * fix notmuch: check database dir for xapian dir
   * fix notmuch: update index count after 
   * fix protect hash table against empty keys
   * fix prevent real_subj being set but empty
   * fix leak when saving fcc
   * fix leak after 
   * fix leak after trash to hidden mailbox
   * fix leak restoring postponed emails
   * fix new mail notifications
   * fix pattern compilation error for ( !>(~P) )
   * fix menu display on window resize
   * Stop batch mode emails with no argument or recipients
   * Add sanitize call in print mailcap function
   * fix hdr_order to use the longest match
   * fix (un)setenv to not return an error with unset env vars
   * fix Imap sync when closing a mailbox
   * fix segfault on OpenBSD current
   * sidebar: restore sidebar_spoolfile colour
   * fix assert when displaying a file from the browser
   * fix exec command in compose
   * fix check_stats for Notmuch mailboxes
   * Fallback: Open Notmuch database without config
   * fix gui hook commands on startup
   * threads: implement the $use_threads feature
   * https://neomutt.org/feature/use-threads
   * hooks: allow a -noregex param to folder and mbox hooks
   * mailing lists: implement list-(un)subscribe using RFC2369 headers
   * mailcap: implement x-neomutt-nowrap flag
   * pager: add $local_date_header option
   * imap, smtp: add support for authenticating using XOAUTH2
   * Allow  to fail quietly
   * imap: speed up server-side searches
   * pager: improve skip-quoted and skip-headers
   * notmuch: open database with user's configuration
   * notmuch: implement 
   * config: allow += modification of my_ variables
   * notmuch: tolerate file renames behind neomutt's back
   * pager: implement $pager_read_delay
   * notmuch: validate nm_query_window_timebase
   * notmuch: make $nm_record work in non-notmuch mailboxes
   * compose: add $greeting - a welcome message on top of emails
   * notmuch: show additional mail in query windows
   * imap: fix crash on external IMAP events
   * notmuch: handle missing libnotmuch version bumps
   * imap: add sanity check for qresync
   * notmuch: allow windows with 0 duration
   * index: fix index selection on 
   * imap: fix crash when sync'ing labels
   * search: fix searching by Message-Id in 
   * threads: fix double sorting of threads
   * stats: don't check mailbox stats unless told
   * alias: fix crash on empty query
   * pager: honor mid-message config changes
   * mailbox: don't propagate read-only state across reopens
   * hcache: fix caching new labels in the header cache
   * crypto: set invalidity flags for gpgme/smime keys
   * notmuch: fix parsing of multiple type=
   * notmuch: validate $nm_default_url
   * messages: avoid unnecessary opening of messages
   * imap: fix seqset iterator when it ends in a comma
   * build: refuse to build without pcre2 when pcre2 is linked in ncurses


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10020=1



Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):

      neomutt-20220429-bp154.2.3.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      neomutt-doc-20220429-bp154.2.3.1
      neomutt-lang-20220429-bp154.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2021-32055.html
   https://www.suse.com/security/cve/CVE-2022-1328.html
   https://bugzilla.suse.com/1184787
   https://bugzilla.suse.com/1185705