Version in base suite: 2.2.13-1

Base version: mutt_2.2.13-1
Target version: mutt_2.2.13-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mutt/mutt_2.2.13-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mutt/mutt_2.2.13-1+deb13u1.dsc

 changelog                                   |    7 ++++
 patches/CVE-2026-43859_CVE-2026-43860.patch |   16 ++++++++++
 patches/CVE-2026-43861.patch                |   18 ++++++++++++
 patches/CVE-2026-43862.patch                |   41 ++++++++++++++++++++++++++++
 patches/CVE-2026-43863.patch                |   16 ++++++++++
 patches/CVE-2026-43864.patch                |   16 ++++++++++
 patches/series                              |    5 +++
 7 files changed, 119 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpib48zysh/mutt_2.2.13-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpib48zysh/mutt_2.2.13-1+deb13u1.dsc: no acceptable signature found
diff -Nru mutt-2.2.13/debian/changelog mutt-2.2.13/debian/changelog
--- mutt-2.2.13/debian/changelog	2024-07-27 09:23:32.000000000 +0000
+++ mutt-2.2.13/debian/changelog	2026-06-11 21:05:00.000000000 +0000
@@ -1,3 +1,10 @@
+mutt (2.2.13-1+deb13u1) trixie; urgency=medium
+
+  * CVE-2026-43859 CVE-2026-43860 CVE-2026-43861 CVE-2026-43862
+    CVE-2026-43863 CVE-2026-43864 (Closes: #1135699)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Thu, 11 Jun 2026 23:05:00 +0200
+
 mutt (2.2.13-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43859_CVE-2026-43860.patch mutt-2.2.13/debian/patches/CVE-2026-43859_CVE-2026-43860.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43859_CVE-2026-43860.patch	1970-01-01 00:00:00.000000000 +0000
+++ mutt-2.2.13/debian/patches/CVE-2026-43859_CVE-2026-43860.patch	2026-06-11 13:11:33.000000000 +0000
@@ -0,0 +1,16 @@
+From 834c5a2ed0479e51e8662a31caed129f136f4805 Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <kevin@8t8.us>
+Date: Sat, 18 Apr 2026 22:08:19 +0800
+Subject: [PATCH] Fix IMAP auth_cram MD5 digest of secret to use memcpy().
+
+--- mutt-2.2.13.orig/imap/auth_cram.c
++++ mutt-2.2.13/imap/auth_cram.c
+@@ -149,7 +149,7 @@ static void hmac_md5 (const char* passwo
+   if (secret_len > MD5_BLOCK_LEN)
+   {
+     md5_buffer (password, secret_len, hash_passwd);
+-    strfcpy ((char*) secret, (char*) hash_passwd, MD5_DIGEST_LEN);
++    memcpy(secret, hash_passwd, MD5_DIGEST_LEN);
+     secret_len = MD5_DIGEST_LEN;
+   }
+   else
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43861.patch mutt-2.2.13/debian/patches/CVE-2026-43861.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43861.patch	1970-01-01 00:00:00.000000000 +0000
+++ mutt-2.2.13/debian/patches/CVE-2026-43861.patch	2026-06-11 13:12:11.000000000 +0000
@@ -0,0 +1,18 @@
+From 12f54fe3b61f761c096fe95e95d5e3072af00ed2 Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <kevin@8t8.us>
+Date: Sat, 18 Apr 2026 22:40:46 +0800
+Subject: [PATCH] Check for embedded nul in url_pct_decode().
+
+--- mutt-2.2.13.orig/url.c
++++ mutt-2.2.13/url.c
+@@ -60,7 +60,9 @@ static int url_pct_decode (char *s)
+       if (s[1] && s[2] &&
+ 	  isxdigit ((unsigned char) s[1]) &&
+ 	  isxdigit ((unsigned char) s[2]) &&
+-	  hexval (s[1]) >= 0 && hexval (s[2]) >= 0)
++          hexval(s[1]) >= 0 && hexval(s[2]) >= 0 &&
++          // check for embedded nul
++          (hexval(s[1]) > 0 || hexval(s[2]) > 0))
+       {
+ 	*d++ = (hexval (s[1]) << 4) | (hexval (s[2]));
+ 	s += 2;
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43862.patch mutt-2.2.13/debian/patches/CVE-2026-43862.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43862.patch	1970-01-01 00:00:00.000000000 +0000
+++ mutt-2.2.13/debian/patches/CVE-2026-43862.patch	2026-06-11 13:12:42.000000000 +0000
@@ -0,0 +1,41 @@
+From f547a849cdacb512800a5f477c27de217e1c8151 Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <kevin@8t8.us>
+Date: Sat, 18 Apr 2026 22:36:37 +0800
+Subject: [PATCH] Fix imap_auth_gss() security level size check and buf_size
+ type.
+
+--- mutt-2.2.13.orig/imap/auth_gss.c
++++ mutt-2.2.13/imap/auth_gss.c
+@@ -108,7 +108,7 @@ imap_auth_res_t imap_auth_gss (IMAP_DATA
+   int cflags;
+   OM_uint32 maj_stat, min_stat;
+   BUFFER *buf1 = NULL, *buf2 = NULL;
+-  unsigned long buf_size;
++  uint32_t buf_size;
+   int rc, retval = IMAP_AUTH_FAILURE;
+ 
+   if (!mutt_bit_isset (idata->capabilities, AGSSAPI))
+@@ -259,6 +259,14 @@ imap_auth_res_t imap_auth_gss (IMAP_DATA
+   }
+   dprint (2, (debugfile, "Credential exchange complete\n"));
+ 
++  if (send_token.length < 4)
++  {
++    /* TODO: convert to muttdbg() in master branch merge */
++    dprint(2, (debugfile, "Truncated security level data\n"));
++    gss_release_buffer(&min_stat, &send_token);
++    goto err_abort_cmd;
++  }
++
+   /* first octet is security levels supported. We want NONE */
+ #ifdef DEBUG
+   server_conf_flags = ((char*) send_token.value)[0];
+@@ -272,7 +280,7 @@ imap_auth_res_t imap_auth_gss (IMAP_DATA
+ 
+   /* we don't care about buffer size if we don't wrap content. But here it is */
+   ((char*) send_token.value)[0] = 0;
+-  buf_size = ntohl (*((long *) send_token.value));
++  buf_size = ntohl(*((uint32_t *) send_token.value));
+   gss_release_buffer (&min_stat, &send_token);
+   dprint (2, (debugfile, "Unwrapped security level flags: %c%c%c\n",
+               server_conf_flags & GSS_AUTH_P_NONE      ? 'N' : '-',
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43863.patch mutt-2.2.13/debian/patches/CVE-2026-43863.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43863.patch	1970-01-01 00:00:00.000000000 +0000
+++ mutt-2.2.13/debian/patches/CVE-2026-43863.patch	2026-06-11 13:14:23.000000000 +0000
@@ -0,0 +1,16 @@
+From fdc04a171777327218a1e78db504926c388b48c4 Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <kevin@8t8.us>
+Date: Sat, 18 Apr 2026 21:54:34 +0800
+Subject: [PATCH] Fix infinite loop in gpgme data_object_to_stream().
+
+--- mutt-2.2.13.orig/crypt-gpgme.c
++++ mutt-2.2.13/crypt-gpgme.c
+@@ -742,7 +742,7 @@ static int data_object_to_stream (gpgme_
+       return -1;
+     }
+ 
+-  while ((nread = gpgme_data_read (data, buf, sizeof (buf))))
++  while ((nread = gpgme_data_read(data, buf, sizeof (buf))) > 0)
+     {
+       /* fixme: we are not really converting CRLF to LF but just
+          skipping CR. Doing it correctly needs a more complex logic */
diff -Nru mutt-2.2.13/debian/patches/CVE-2026-43864.patch mutt-2.2.13/debian/patches/CVE-2026-43864.patch
--- mutt-2.2.13/debian/patches/CVE-2026-43864.patch	1970-01-01 00:00:00.000000000 +0000
+++ mutt-2.2.13/debian/patches/CVE-2026-43864.patch	2026-06-11 13:14:56.000000000 +0000
@@ -0,0 +1,16 @@
+From ebfa2969042d89303d15334193fcc32866c8a8df Mon Sep 17 00:00:00 2001
+From: "Kevin J. McCarthy" <kevin@8t8.us>
+Date: Sat, 18 Apr 2026 21:41:23 +0800
+Subject: [PATCH] Fix NULL dereference in show_sig_summary().
+
+--- mutt-2.2.13.orig/crypt-gpgme.c
++++ mutt-2.2.13/crypt-gpgme.c
+@@ -1425,7 +1425,7 @@ static int show_sig_summary (unsigned lo
+ 
+   if ((sum & GPGME_SIGSUM_KEY_EXPIRED))
+     {
+-      time_t at = key->subkeys->expires ? key->subkeys->expires : 0;
++      time_t at = (key && key->subkeys) ? key->subkeys->expires : 0;
+       if (at)
+         {
+           state_puts (_("Warning: The key used to create the "
diff -Nru mutt-2.2.13/debian/patches/series mutt-2.2.13/debian/patches/series
--- mutt-2.2.13/debian/patches/series	2024-07-27 09:23:32.000000000 +0000
+++ mutt-2.2.13/debian/patches/series	2026-06-11 13:14:44.000000000 +0000
@@ -11,3 +11,8 @@
 misc/gpg.rc-paths.patch
 misc/smime.rc.patch
 upstream/528233-readonly-open.patch
+CVE-2026-43859_CVE-2026-43860.patch
+CVE-2026-43861.patch
+CVE-2026-43862.patch
+CVE-2026-43863.patch
+CVE-2026-43864.patch