[20.09] mutt: fix for CVE-2021-3181 #110692
Conversation
| @@ -40,6 +40,8 @@ stdenv.mkDerivation rec { | |||
| url = "https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a.patch"; | |||
| sha256 = "117mm757yj4k4cb9f1cmc9p0dqmi2mf92qsxvi8a794b9kdj5m2z"; | |||
| }) | |||
| # CVE-2021-3181 | |||
| ./CVE-2021-3181.patch | |||
There was a problem hiding this comment.
Can you use fetchpatch instead of pulling the file into nixpkgs? See the line just above.
There was a problem hiding this comment.
Sure. It is 3 commits though, all 3 referenced by the CVE.
Thank you for opening a PR, however I think we should wait to for the CVE evaluation before backporting this: I'm not even sure this is the only commit that needs to be backported. I could try asking the maintainers in the meantime. |
tu-maurice
force-pushed
the
mutt-cve-2021-3181
branch
from
b20d244
to
72a720d
Compare
I thought so. I didn't expect this to get merged, I just wanted to have a go at it and thought might as well also upload it. I'll set this to draft but I can close it if there's no reason to keep it. |
|
@tu-maurice: I asked in the #mutt IRC channel and they told me only the first patch is needed to fix the CVE. The second should probably not be backported and the third is unrelated. |
tu-maurice
force-pushed
the
mutt-cve-2021-3181
branch
from
72a720d
to
83a11ea
Compare
|
Alright, first patch only. Here you go. 😄 |
|
There is a hash mismatch for the patch... look at the log. |
|
@rnhmjoj No idea what was downloaded in this log, but even repeatedly downloading and checking the patch provides me with the hash I specified in the commit. Maybe ofborg received something else? like an error page? |
|
No, I'm getting the same hash as of ofBorg's. Can you share the result of fetchpatch, for comparison? |
tu-maurice
force-pushed
the
mutt-cve-2021-3181
branch
from
83a11ea
to
ed5e212
Compare
|
The difference was that fetchpatch removes unnecessary lines from the patch while nix-prefetch-url, which I used to get the hash initially, does not. I was able to build mutt successfully on my machine because fetchpatch did not download and alter the patch again because there already was an entry in my nix store with that hash provided by nix-prefetch-url. That obviously did not work for ofborg or you. |
Oh yeah, that's a common pitfall with Looks good to go. |
|
Thank you! |
Motivation for this change
In #110449 the CVE-2021-3181 was addressed for unstable, however the consensus seems to be that we cannot update mutt from 1.14.7 to 2.0.5 on release-20.09 due to breaking changes in version 2, and thus have to backport the patches.
I realized the patches referenced in the CVE apply rather cleanly to the 1.14.7 sources as well. It builds without errors and the resulting binary starts. However I am not a mutt user, just a guy with a little spare time. So I would require the maintainer @rnhmjoj and other users of mutt to try this out before merging.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)