From 1de5ca0c22587d19fababdecd6acedd2a9fc1249 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 31 2020 09:34:28 +0000
Subject: import mutt-1.5.21-29.el7


---

diff --git a/SOURCES/mutt-1.5.21-cve-2018-14355.patch b/SOURCES/mutt-1.5.21-cve-2018-14355.patch
new file mode 100644
index 0000000..ba705a0
--- /dev/null
+++ b/SOURCES/mutt-1.5.21-cve-2018-14355.patch
@@ -0,0 +1,39 @@
+From 31eef6c766f47df8281942d19f76e35f475c781d Mon Sep 17 00:00:00 2001
+From: Richard Russon <rich@flatcap.org>
+Date: Fri, 13 Jul 2018 11:33:16 -0700
+Subject: [PATCH] Selectively cache headers.
+
+Thanks to NeoMutt and Jeriko One for the patch, which was slightly
+modified to apply to the Mutt code.
+---
+ imap/util.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/imap/util.c b/imap/util.c
+index 27792944..d4cc2742 100644
+--- a/imap/util.c
++++ b/imap/util.c
+@@ -84,6 +84,7 @@ header_cache_t* imap_hcache_open (IMAP_DATA* idata, const char* path)
+   ciss_url_t url;
+   char cachepath[LONG_STRING];
+   char mbox[LONG_STRING];
++  size_t len;
+ 
+   if (path)
+     imap_cachepath (idata, path, mbox, sizeof (mbox));
+@@ -96,6 +97,12 @@ header_cache_t* imap_hcache_open (IMAP_DATA* idata, const char* path)
+     FREE (&mx.mbox);
+   }
+ 
++  if (strstr(mbox, "/../") || (strcmp(mbox, "..") == 0) || (strncmp(mbox, "../", 3) == 0))
++    return NULL;
++  len = strlen(mbox);
++  if ((len > 3) && (strcmp(mbox + len - 3, "/..") == 0))
++    return NULL;
++
+   mutt_account_tourl (&idata->conn->account, &url);
+   url.path = mbox;
+   url_ciss_tostring (&url, cachepath, sizeof (cachepath), U_PATH);
+-- 
+2.18.0
+
diff --git a/SPECS/mutt.spec b/SPECS/mutt.spec
index 955486e..01e0731 100644
--- a/SPECS/mutt.spec
+++ b/SPECS/mutt.spec
@@ -16,7 +16,7 @@
 Summary: A text mode mail user agent
 Name: mutt
 Version: 1.5.21
-Release: 28%{?dist}
+Release: 29%{?dist}
 Epoch: 5
 # The entire source code is GPLv2+ except
 # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
@@ -46,6 +46,7 @@ Patch20: mutt-1.5.20-domainname.patch
 Patch21: mutt-1.5.20-system_certs.patch
 Patch22: mutt-1.5.21-cve-2018-14354_cve-2018-14357.patch
 Patch23: mutt-1.5.21-cve-2018-14362.patch
+Patch24: mutt-1.5.21-cve-2018-14355.patch
 
 
 Url: http://www.mutt.org/
@@ -105,6 +106,7 @@ for selecting groups of messages.
 %patch21 -p1 -b .system_certs
 %patch22 -p1 -b .cve-2018-14354_cve-2018-14357
 %patch23 -p1 -b .cve-2018-14362
+%patch24 -p1 -b .cve-2018-14355
 
 sed -i.gpgerror 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
 
@@ -191,6 +193,11 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
 %{_mandir}/man5/muttrc.*
 
 %changelog
+* Mon Aug 26 2019 Matej Muzila <mmuzila@redhat.com> - 5:1.5.21-29
+- Fix IMAP header caching path traversal vulnerability
+- Resolves: #1608011
+- Resolves: CVE-2018-14355
+
 * Thu Jul 26 2018 Matej Mužila <mmuzila@redhat.com> - 5:1.5.21-28
 - Resolves: CVE-2018-14354 CVE-2018-14357 CVE-2018-14362