CVE-2021-32055

Name
CVE-2021-32055
Description
Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends with a comma. NOTE: the $imap_qresync setting for QRESYNC is not enabled by default.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://gitlab.com/muttmua/mutt/-/commit/7c4779ac24d2fb68a2a47b58c7904118f40965d5
MISC http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20210503/000036.html
MISC https://github.com/neomutt/neomutt/commit/fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc
Third Party Advisory https://security.gentoo.org/glsa/202105-05

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:* mutt >= 1.11.0 < 2.0.7
cpe:2.3:a:neomutt:neomutt:*:*:*:*:*:*:*:* neomutt >= 20191025 <= 20210504

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
neomutt edge-community 20211015-r0 None fixed
neomutt 3.22-community 20211015-r0 None fixed
neomutt 3.21-community 20211015-r0 None fixed
neomutt 3.20-community 20211015-r0 None fixed
neomutt 3.19-community 20211015-r0 None fixed
neomutt 3.18-community 20211015-r0 None fixed
neomutt 3.17-community 20211015-r0 None fixed
mutt edge-community 2.0.4-r1 None possibly vulnerable
mutt edge-community 2.0.2-r0 None possibly vulnerable
mutt edge-community 1.14.4-r0 None possibly vulnerable
mutt 3.22-community 2.0.4-r1 None possibly vulnerable
mutt 3.22-community 2.0.2-r0 None possibly vulnerable
mutt 3.22-community 1.14.4-r0 None possibly vulnerable