On Sat, Apr 18, 2026 at 09:27:59PM +0800, Kevin J. McCarthy wrote:
On Sat, Apr 18, 2026 at 02:14:53PM +0200, evilrabbit via Mutt-dev wrote:

Please find below a number of confirmed security findings in the mutt client. None of these are significant but should probably be addressed.

Thanks, I will start taking a look at these tomorrow.

Just as a note to the other devs. I started looking at some of these tonight. I've pushed up to gitlab some (very quickly made) branches:

kevin/stable-security-01
    Fix NULL dereference in show_sig_summary().
kevin/stable-security-02
    Fix infinite loop in gpgme data_object_to_stream().
kevin/stable-security-05
    Fix IMAP auth_crm MD5 digest of secret to use memcpy().
kevin/stable-security-06
    Fix imap_auth_gss() security_level size.
kevin/stable-security-07
    Check for embedded nul in url_pct_decode().
kevin/stable-security-08
    Abort if there are DNS entries but don't match.

These still need to be cleaned up, verified, and tested.

For #8 I need to check the RFC myself, so if anyone with OpenSSL code experience wants to confirm that would be welcome.

For #3, I'm not sure if we really need to fix this.

For #4, I welcome input from others about this. Randomizers are not my thing. If the algorithm is insufficient for what we are using it for, then I welcome help in implementing something better.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
