Bug 251277 - mail/mutt: Update to 2.0.2
Summary: mail/mutt: Update to 2.0.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Fernando Apesteguía
URL: https://marc.info/?l=mutt-users&m=160...
Keywords: buildisok, security
Depends on:
Blocks:
 
Reported: 2020-11-20 20:46 UTC by Derek Schrock
Modified: 2020-11-23 08:26 UTC

See Also:
fernape: merge-quarterly+


Attachments
Update to 2.0.2 (1.48 KB, patch)
2020-11-20 20:46 UTC, Derek Schrock
dereks: maintainer-approval+

Description Derek Schrock 2020-11-20 20:46:09 UTC
Created attachment 219839
Update to 2.0.2

- Update to 2.0.2 [1] security fix CVE-2020-28896

[1] https://marc.info/?l=mutt-users&m=160589518808669&w=2

portlint: ok. 1 expected warning.
testport: ok. 121amd64.
Comment 1 Automation User 2020-11-20 21:16:50 UTC
Build and package info is available at https://gitlab.com/swills/freebsd-ports/pipelines/219288715
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-11-22 18:23:31 UTC
A commit references this bug:

Author: fernape
Date: Sun Nov 22 18:23:26 UTC 2020
New revision: 556068
URL: https://svnweb.freebsd.org/changeset/ports/556068

Log:
  mail/mutt: Update to 2.0.2

  ChangeLog: https://marc.info/?l=mutt-users&m=160589518808669&w=2

  vuxml entry in PR: 251278

  PR:	251277
  Submitted by:	dereks@lifeofadishwasher.com
  MFH:	2020Q4 (blanket, security fix)

Changes:
  head/mail/mutt/Makefile
  head/mail/mutt/distinfo
Comment 3 Fernando Apesteguía freebsd_committer freebsd_triage 2020-11-22 18:29:15 UTC
Committed.

Derek, according to the CVE report, only 2.0.1 is affected and we don't have that in 2020Q4 (it is 1.14.7) so there is no need to MFH, right?

Thanks!
Comment 4 Derek Schrock 2020-11-22 19:04:39 UTC
No, I'm pretty sure it's <2.0.1; the code that's using goto bail is 15+ years old.

I don't know if that CVE is fully documented.  Where are you finding it's just 2.0.1?
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2020-11-22 19:15:52 UTC
(In reply to Derek Schrock from comment #4)

Here it says it affects 2.0.1:
https://security.archlinux.org/CVE-2020-28896

Here it says the code is only reserved:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
https://bugs.launchpad.net/bugs/cve/2020-28896
Comment 6 Derek Schrock 2020-11-22 19:47:50 UTC
I think the way it's presented there is misleading.

If you read the description, it's "before 2.0.2"; however, the line item does say 2.0.1, but I don't believe that's the intent of that line item.

Also, I just confirmed with upstream it's <2.0.2.  This should be MFH.

If MFH I'm assuming it's svncopy'ed to the Q-branch?  The same patch wouldn't work there.
Comment 7 Fernando Apesteguía freebsd_committer freebsd_triage 2020-11-22 20:05:29 UTC
(In reply to Derek Schrock from comment #6)
Yes, it is copied.


Why won't it work?
Comment 8 Derek Schrock 2020-11-22 20:06:58 UTC
(In reply to Fernando Apesteguía from comment #7)

The patch context would be different and would fail to apply.  However, since it's copied it's fine.
Comment 9 Fernando Apesteguía freebsd_committer freebsd_triage 2020-11-22 20:17:44 UTC
(In reply to Derek Schrock from comment #8)
Oh, okay. I thought you meant something along the lines of missing dependencies on 2020Q4 or so.

Yes, the merge will generate a conflict but it can be solved.
Comment 10 commit-hook freebsd_committer freebsd_triage 2020-11-23 08:20:52 UTC
A commit references this bug:

Author: fernape
Date: Mon Nov 23 08:19:57 UTC 2020
New revision: 556093
URL: https://svnweb.freebsd.org/changeset/ports/556093

Log:
  MFH: r556068

  mail/mutt: Update to 2.0.2

  ChangeLog: https://marc.info/?l=mutt-users&m=160589518808669&w=2

  vuxml entry in PR: 251278

  PR:	251277
  Submitted by:	dereks@lifeofadishwasher.com

  Approved by:	ports-secteam (blanket, security fix)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/mail/mutt/Makefile
  branches/2020Q4/mail/mutt/distinfo
  branches/2020Q4/mail/mutt/files/extra-patch-forcebase64
  branches/2020Q4/mail/mutt/files/patch-muttlib.c
  branches/2020Q4/mail/mutt/files/patch-threadcomplete
  branches/2020Q4/mail/mutt/pkg-plist
Comment 11 Fernando Apesteguía freebsd_committer freebsd_triage 2020-11-23 08:26:25 UTC
Merged.

Build tested in 2020Q4.

Thanks Derek!