11 changed files with 160 additions and 138 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/mutt-2.2.6.tar.gz
+SOURCES/mutt-2.0.7.tar.gz
--- a/.mutt.metadata
+++ b/.mutt.metadata
@ -1 +1 @@
-3dabf53ea1a45e67fe77a5072bb4c104afb2ad1e SOURCES/mutt-2.2.6.tar.gz
+7421d0c5db7e264f00bd8a149f5f92d99c3afa83 SOURCES/mutt-2.0.7.tar.gz
--- a/SOURCES/mutt-1.10.1-mutt-1.9.3-1_coverity_166.patch
+++ b/SOURCES/mutt-1.10.1-mutt-1.9.3-1_coverity_166.patch
@ -0,0 +1,11 @@
+diff -up mutt-1.10.1/query.c.mutt-1.9.3-1_coverity_166 mutt-1.10.1/query.c
+--- mutt-1.10.1/query.c.mutt-1.9.3-1_coverity_166	2018-11-26 11:54:55.078468192 +0100
+++ mutt-1.10.1/query.c	2018-11-26 11:55:12.035710707 +0100
+@@ -443,6 +443,7 @@ static void query_menu (char *buf, size_
+ 	      }
+ 
+ 	    mutt_create_alias (NULL, naddr);
+		rfc822_free_address (&naddr);
+ 	  }
+ 	  else
+ 	  {
--- a/SOURCES/mutt-1.10.1-mutt-1.9.3-1_coverity_181.patch
+++ b/SOURCES/mutt-1.10.1-mutt-1.9.3-1_coverity_181.patch
@ -0,0 +1,12 @@
+diff -up mutt-1.10.1/send.c.mutt-1.9.3-1_coverity_181 mutt-1.10.1/send.c
+--- mutt-1.10.1/send.c.mutt-1.9.3-1_coverity_181	2018-11-26 12:08:42.615216677 +0100
+++ mutt-1.10.1/send.c	2018-11-26 12:08:52.007351542 +0100
+@@ -243,7 +243,7 @@ static int edit_envelope (ENVELOPE *en)
+       if (ascii_strncasecmp ("subject:", uh->data, 8) == 0)
+       {
+ 	p = skip_email_wsp(uh->data + 8);
+-	strncpy (buf, p, sizeof (buf));
+	strfcpy (buf, p, sizeof (buf));
+       }
+     }
+   }
--- a/SOURCES/mutt-1.10.1-mutt-1.9.3-1_coverity_187_188_189_190.patch
+++ b/SOURCES/mutt-1.10.1-mutt-1.9.3-1_coverity_187_188_189_190.patch
@ -0,0 +1,31 @@
+diff -up mutt-1.10.1/sendlib.c.mutt-1.9.3-1_coverity_187_188_189_190 mutt-1.10.1/sendlib.c
+--- mutt-1.10.1/sendlib.c.mutt-1.9.3-1_coverity_187_188_189_190	2018-11-26 12:34:51.007894823 +0100
+++ mutt-1.10.1/sendlib.c	2018-11-26 12:35:08.374143006 +0100
+@@ -1815,11 +1815,15 @@ static int write_one_header (FILE *fp, i
+ 	      NONULL(pfx), valbuf, max, wraplen));
+     if (pfx && *pfx)
+       if (fputs (pfx, fp) == EOF)
+      {
+        FREE(&valbuf);
+ 	return -1;
+      }
+     if (!(t = strchr (valbuf, ':')))
+     {
+       dprint (1, (debugfile, "mwoh: warning: header not in "
+ 		  "'key: value' format!\n"));
+      FREE(&valbuf);
+       return 0;
+     }
+     if (print_val (fp, pfx, valbuf, flags, mutt_strlen (pfx)) < 0)
+@@ -1861,7 +1865,11 @@ static int write_one_header (FILE *fp, i
+ 	      "max width = %d > %d\n",
+ 	      NONULL(pfx), valbuf, max, wraplen));
+     if (fold_one_header (fp, tagbuf, valbuf, pfx, wraplen, flags) < 0)
+    {
+      FREE (&tagbuf);
+      FREE (&valbuf);
+       return -1;
+    }
+     FREE (&tagbuf);
+     FREE (&valbuf);
+   }
--- a/SOURCES/mutt-1.12.1-optusegpgagent.patch
+++ b/SOURCES/mutt-1.12.1-optusegpgagent.patch
@ -1,12 +0,0 @@
-diff -up mutt-1.12.1/init.h.optusegpgagent mutt-1.12.1/init.h
--- mutt-1.12.1/init.h.optusegpgagent	2019-08-29 09:29:38.868810511 +0200
-+++ mutt-1.12.1/init.h	2019-08-29 09:30:29.899395370 +0200
-@@ -2444,7 +2444,7 @@ struct option_t MuttVars[] = {
-   ** not used.
-   ** (PGP only)
-   */
-  { "pgp_use_gpg_agent", DT_BOOL, R_NONE, {.l=OPTUSEGPGAGENT}, {.l=1} },
-+  { "pgp_use_gpg_agent", DT_BOOL, R_NONE, {.l=OPTUSEGPGAGENT}, {.l=0} },
-   /*
-   ** .pp
-   ** If \fIset\fP, mutt expects a \fCgpg-agent(1)\fP process will handle
--- a/SOURCES/mutt-1.5.23-system_certs.patch
+++ b/SOURCES/mutt-1.5.23-system_certs.patch
@ -4,7 +4,7 @@ diff -rup mutt-17a4f92e4a95-orig/init.h mutt-17a4f92e4a95-new/init.h
@@ -2989,7 +2989,7 @@ struct option_t MuttVars[] = {
   */
 #if defined(USE_SSL)
- # ifdef USE_SSL_GNUTLS
+ #ifdef USE_SSL_GNUTLS
 -  { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p=0} },
 +  { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p="/etc/ssl/certs/ca-bundle.crt"} },
   /*
--- a/SOURCES/mutt-1.9.4-lynx_no_backscapes.patch
+++ b/SOURCES/mutt-1.9.4-lynx_no_backscapes.patch
@ -5,7 +5,7 @@ diff -up mutt-1.9.1/doc/Makefile.am.lynx_no_backscapes mutt-1.9.1/doc/Makefile.a
 
 check:
 manual.txt: manual.html
-	-LC_ALL=C lynx -localhost -dump -nolist -nonumbers -with_backspaces -display_charset=us-ascii manual.html > $@ || \
+-	-LC_ALL=C lynx -localhost -dump -nolist -with_backspaces -display_charset=us-ascii manual.html > $@ || \
 +	-LC_ALL=C lynx -localhost -dump -nolist -display_charset=us-ascii manual.html > $@ || \
 	LC_ALL=C w3m -T text/html -I utf-8 -O utf-8 -dump < manual.html > $@ || \
 	LC_ALL=C elinks -dump -no-numbering -no-references manual.html | sed -e 's,\\001, ,g' > $@
--- a/SOURCES/mutt-2.0.7-cve-2022-1328.patch
+++ b/SOURCES/mutt-2.0.7-cve-2022-1328.patch
@ -0,0 +1,40 @@
+From e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Tue, 5 Apr 2022 11:05:52 -0700
+Subject: [PATCH] Fix uudecode buffer overflow.
+
+mutt_decode_uuencoded() used each line's initial "length character"
+without any validation.  It would happily read past the end of the
+input line, and with a suitable value even past the length of the
+input buffer.
+
+As I noted in ticket 404, there are several other changes that could
+be added to make the parser more robust.  However, to avoid
+accidentally introducing another bug or regression, I'm restricting
+this patch to simply addressing the overflow.
+
+Thanks to Tavis Ormandy for reporting the issue, along with a sample
+message demonstrating the problem.
+---
+ handler.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/handler.c b/handler.c
+index d1b4bc73..c97cf0cb 100644
+--- a/handler.c
+++ b/handler.c
+@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
+     pt = tmps;
+     linelen = decode_byte (*pt);
+     pt++;
+-    for (c = 0; c < linelen;)
+    for (c = 0; c < linelen && *pt;)
+     {
+-      for (l = 2; l <= 6; l += 2)
+      for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
+       {
+ 	out = decode_byte (*pt) << l;
+ 	pt++;
+-- 
+2.34.1
+
--- a/SOURCES/mutt_disable_ssl_enforce.patch
+++ b/SOURCES/mutt_disable_ssl_enforce.patch
@ -0,0 +1,26 @@
+Based on https://gitlab.com/muttmua/mutt/-/commit/9204b24e99767ae06b5df25eca55c028d702528b
+This patch disable enforcing of ssl
+diff -ur mutt-2.0.2/doc/manual.xml.head mutt_patch/doc/manual.xml.head
+--- mutt-2.0.2/doc/manual.xml.head	2020-11-07 21:30:03.000000000 +0100
+++ mutt_patch/doc/manual.xml.head	2021-01-27 20:21:05.964647359 +0100
+@@ -9104,7 +9104,7 @@
+   <para>
+     When connecting through a <link linkend="tunnel">$tunnel</link>
+     and <link linkend="tunnel-is-secure">$tunnel_is_secure</link> is
+-    set (the default), Mutt will assume the connection to the server
+    set (Not the default!), Mutt will assume the connection to the server
+     through the pipe is already secured.  Mutt will ignore <link
+     linkend="ssl-starttls">$ssl_starttls</link> and <link
+     linkend="ssl-force-tls">$ssl_force_tls</link>, behaving as if TLS
+diff -ur mutt-2.0.2/init.h mutt_patch/init.h
+--- mutt-2.0.2/init.h	2020-11-20 02:28:59.000000000 +0100
+++ mutt_patch/init.h	2021-01-27 20:20:09.696052996 +0100
+@@ -4021,7 +4021,7 @@
+   ** The file containing a client certificate and its associated private
+   ** key.
+   */
+-  { "ssl_force_tls",		DT_BOOL, R_NONE, {.l=OPTSSLFORCETLS}, {.l=1} },
+  { "ssl_force_tls",		DT_BOOL, R_NONE, {.l=OPTSSLFORCETLS}, {.l=0} },
+   /*
+   ** .pp
+   ** If this variable is \fIset\fP, Mutt will require that all connections
--- a/SPECS/mutt.spec
+++ b/SPECS/mutt.spec
@ -19,12 +19,13 @@

 Summary: A text mode mail user agent
 Name: mutt
-Version: 2.2.6
-Release: 1%{?dist}
+Version: 2.0.7
+Release: 2%{?dist}
 Epoch: 5
 # The entire source code is GPLv2+ except
 # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
 License: GPLv2+ and Public Domain
+Group: Applications/Internet
 # hg snapshot created from http://dev.mutt.org/hg/mutt
 Source: ftp://ftp.mutt.org/pub/%{name}/%{name}-%{version}.tar.gz
 Source1: mutt_ldap_query
@ -37,12 +38,19 @@ Patch8: mutt-1.5.23-system_certs.patch
 Patch9: mutt-1.9.0-ssl_ciphers.patch
 Patch10: mutt-1.9.4-lynx_no_backscapes.patch
 Patch12: mutt-1.9.5-nodotlock.patch
-Patch13: mutt-1.12.1-optusegpgagent.patch
+# Fixs compatibility with previous versions
+Patch13: mutt_disable_ssl_enforce.patch
+Patch14: mutt-2.0.7-cve-2022-1328.patch
+
+# Coverity patches
+# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/mutt-1.9.3-1.el8+7/scan-results-imp.html
+Patch111: mutt-1.10.1-mutt-1.9.3-1_coverity_166.patch
+Patch112: mutt-1.10.1-mutt-1.9.3-1_coverity_181.patch
+Patch113: mutt-1.10.1-mutt-1.9.3-1_coverity_187_188_189_190.patch

 Url: http://www.mutt.org
 Requires: mailcap, urlview
-BuildRequires: make
-BuildRequires: gcc
+BuildRequires:  gcc, make
 BuildRequires: ncurses-devel, gettext, automake
 # manual generation
 BuildRequires: /usr/bin/xsltproc, docbook-style-xsl, perl-interpreter
@ -93,7 +101,12 @@ autoreconf --install
 %patch3 -p1 -b .syncdebug
 %patch8 -p1 -b .system_certs
 %patch9 -p1 -b .ssl_ciphers
-%patch13 -p1 -b .optusegpgagent
+%patch13 -p1
+%patch14 -p1 -b .cve-2022-1328
+
+%patch111 -p1 -b .mutt-1.9.3-1_coverity_166
+%patch112 -p1 -b .mutt-1.9.3-1_coverity_181
+%patch113 -p1 -b .mutt-1.9.3-1_coverity_187_188_189_190.patch

 sed -i -r 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure

@ -145,6 +158,7 @@ rm -f mutt_ssl.c
    %{?with_sidebar: --enable-sidebar} \
    --with-docdir=%{_pkgdocdir}

+#make %{?_smp_mflags}
 %make_build

 # remove unique id in manual.html because multilib conflicts
@ -152,7 +166,7 @@ sed -i -r 's/<a id="id[a-z0-9]\+">/<a id="id">/g' doc/manual.html


 %install
-%make_install
+make install DESTDIR=%{buildroot}

 # we like GPG here
 cat contrib/gpg.rc >> \
@ -183,6 +197,7 @@ rm -f %{buildroot}%{_mandir}/man5/mmdf.5*
 rm -rf %{buildroot}%{_pkgdocdir}

 # remove /usr/share/info/dir
+# prevents adding dir file without installed info utility
 rm %{buildroot}%{_infodir}/dir

 # provide muttrc.local(5): the same as muttrc(5)
@ -212,125 +227,24 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5


 %changelog
-* Mon Jul 25 2022 Matej Mužila <mmuzila@redhat.com> - 5:2.2.6-1
- Rebase to upstream version 2.2.6
-  Resolves: CVE-2022-1328
-
-* Tue Jan 11 2022 Matej Mužila <mmuzila@redhat.com> - 5:2.1.5-1
- Rebase to upstream version 2.1.5
-  Resolves: rhbz#2032988 rhbz#1959896
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 5:2.0.6-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 5:2.0.6-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Mon Mar 22 2021 Filip Januš <fjanus@redhat.com> 5:2.0.6-1
- Rebase to upstream version 2.0.6
-
-* Mon Feb 1 2021 Filip Januš <fjanus@redhat.com> -5:2.0.5-1
- Rebase to upstream version 2.0.5
- Fix CVE-2021-3181
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5:2.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Dec 01 2020 Matej Mužila <mmuzila@redhat.com> - 5:2.0.2-1
- Upgrade to 2.0.2
- Resolves: #1895629, #1900827, CVE-2020-28896
-
-* Tue Sep 01 2020 Matej Mužila <mmuzila@redhat.com> - 5:1.14.7-2
- Fix mutt-1.9.4-lynx_no_backscapes.patch
-
-* Mon Aug 31 2020 Matej Mužila <mmuzila@redhat.com> - 5:1.14.7-1
- Upgrade to 1.14.7
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5:1.14.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 22 2020 Fabio Alessandro Locati <fale@fedoraproject.org> - 5:1.14.6-1
- Upgrade to 1.14.6
-
-* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 5:1.14.5-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
-
-* Wed Jun 24 2020 Fabio Alessandro Locati <fale@fedoraproject.org> - 5:1.14.5-1
- Upgrade to 1.14.5
-
-* Fri Jun 19 2020 Fabio Alessandro Locati <fale@fedoraproject.org> - 5:1.14.4-1
- Upgrade to 1.14.4
- Resolves: #1848768
-
-* Mon Jun 15 2020 Fabio Alessandro Locati <fale@fedoraproject.org> - 5:1.14.3-1
- Upgrade to 1.14.3
- Resolves: #1836550
-
-* Tue May 26 2020 Matej Mužila <mmuzila@redhat.com> - 5:1.14.2-1
- Upgrade to 1.14.2
- Resolves: #1836550
-
-* Sat May 09 2020 Fabio Alessandro Locati <fale@fedoraproject.org> - 5:1.14.0-1
- Upgrade to 1.14.0
- Resolves: #1818513
-
-* Tue Apr 07 2020 Matej Mužila <mmuzila@redhat.com> - 5:1.13.5-1
- Upgrade to 1.13.5
- Resolves: #1818513
-
-* Mon Feb 17 2020 Matej Mužila <mmuzila@redhat.com> - 5:1.13.4-1
- Upgrade to 1.13.4
- Resolves: #1803392
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5:1.13.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Wed Jan 15 2020 Matej Mužila <mmuzila@redhat.com> - 5:1.13.3-1
- Upgrade to 1.13.3
- Resolves: #1783717, #1785500
-
-* Fri Jan 03 2020 Matej Mužila <mmuzila@redhat.com> - 5:1.13.2-1
- Upgrade to 1.13.2
- Resolves: #1783717
-
-* Mon Dec 02 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.13.0-1
- Upgrade to 1.13.0
- Resolves: #1754211
-
-* Tue Sep 24 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.12.2-1
- Upgrade to 1.12.2
- Resolves: #1754211
-
-* Thu Aug 29 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.12.1-3
- Make mutt to ask for GPG passphrase
- Resolves: #1731854
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5:1.12.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Wed Jul 17 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.12.1-1
- Upgrade to 1.12.1
- Resolves #1720848
-
-* Tue May 28 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.12.0-1
- Upgrade to 1.12.0
- Resolves #1710398,#1713910
+* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 5:2.0.7-2
+- Rebuilt for MSVSphere 8.8

-* Wed Apr 24 2019 Björn Esser <besser82@fedoraproject.org> - 5:1.11.4-2
- Remove hardcoded gzip suffix from GNU info pages
+* Thu Jul 21 2022 Matej Mužila <mmuzila@redhat.com> - 5:2.0.7-2
+- Fix CVE-2022-1328 (#2109247)

-* Wed Feb 06 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.11.4-1
- Upgrade to 1.11.4
- Resolves #1688091
+* Wed May 5 2021 Filip Januš <fjanus@redhat.com> - 5:2.0.7-1
+- Upgrade to v2.0.7
+- New bug fix release
+- Resolves: #1912614

-* Wed Feb 06 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.11.3-1
- Upgrade to 1.11.3
- Resolves #1659217
+* Thu Apr 8 2021 Filip Januš <fjanus@redhat.com> - 5:2.0.6-1
+- Upgrade to v2.0.6
+- Resolves: #1912614

-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5:1.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+* Thu Jun 13 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.10.1-2
+- Fix Coverity issues
+- Resolves: #1602622

 * Tue Jul 17 2018 Matej Mužila <mmuzila@redhat.com> - 5:1.10.1-1
 - Upgrade to 1.10.1