Mutt ≫ Mutt

mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.

mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c.

In mutt before 2.3.2, the imap_auth_gss security level is mishandled.

mutt before 2.3.2 does not check for '\0' in url_pct_decode.

mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest.

mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.

In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info.

In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.

In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of the recipients to compromise message confidentiality.

Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12