mutt 2.2.3 released

Kevin J. McCarthy kevin at 8t8.us
Tue Apr 12 20:16:44 UTC 2022


Hello Mutt Users,

I've just released version 2.2.3.  Instructions for downloading are 
available at <http://www.mutt.org/download.html>, or the tarball can be 
directly downloaded from <http://ftp.mutt.org/pub/mutt/>.  Please take 
the time to verify the signature file against my public key[1].

This is a bug-fix release, addressing CVE-2022-1328: a buffer overread 
in the uuencoded decoder routine.  For more details please see GitLab 
ticket 404: <https://gitlab.com/muttmua/mutt/-/issues/404>.  The commit 
fixing this issue is at 
<https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5>

Also fixed were a possible integer overflow issue in the general iconv 
and rfc2047-conversion iconv functions.  These are not believed to be 
exploitable.

A huge thank you to Tavis Ormandy for reporting these issues, suggesting 
a patch for the iconv issue, helping test, and providing constructive 
feedback.  Hurray for the white-hats!

-Kevin

[1]
My public key is available at:
   - my personal website: https://www.8t8.us/configs/80316BDA.asc.pubkey
   - the mutt website: http://www.mutt.org/keys/kevin.key
   - The keys.openpgp.org network
     https://keys.openpgp.org/vks/v1/by-fingerprint/8975A9B33AA37910385C5308ADEF768480316BDA
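
Added example, not part of the original announcement: `gpg --verify` succeeds for a good signature from any key in the local keyring, so this sketch also pins the signer to the fingerprint given in footnote [1]. The function names, the tarball file names in the comment, and the two sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Fingerprint as published in footnote [1] of the announcement.
EXPECTED_FPR=8975A9B33AA37910385C5308ADEF768480316BDA

# Constructed samples of gpg --status-fd output (dates and algorithm
# numbers are made up). The first is a valid signature by the pinned key,
# the second a valid signature by some other key in the keyring.
SAMPLE_GOOD="[GNUPG:] VALIDSIG $EXPECTED_FPR 2022-04-12 1649794604 0 4 0 1 8 00 $EXPECTED_FPR"
SAMPLE_OTHER='[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2022-04-12 1649794604 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# sig_by_pinned_key STATUS_TEXT
# Returns 0 only if the status text contains a VALIDSIG record whose
# primary-key fingerprint (field 12; falls back to the signing-key
# fingerprint in field 3 when absent) equals EXPECTED_FPR.
sig_by_pinned_key() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_release SIGFILE TARBALL
# Assumed usage: verify_release mutt-2.2.3.tar.gz.asc mutt-2.2.3.tar.gz
# Fails if gpg rejects the signature or if the signer is not the pinned key.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    sig_by_pinned_key "$status"
}

# Offline demonstration on the constructed samples.
sig_by_pinned_key "$SAMPLE_GOOD"  && echo "sample 1: signed by pinned key"
sig_by_pinned_key "$SAMPLE_OTHER" || echo "sample 2: valid signature, wrong key"
```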
