FreeBSD: VID-a2f35081-8a02-11e8-8fa5-4437e6ad11c4 (CVE-2018-14362): mutt -- remote code injection and path traversal vulnerability

Kevin J. McCarthy reports: Fixes a remote code injection vulnerability when "subscribing" to an IMAP mailbox, either via $imap_check_subscribed, or via the <subscribe> function in the browser menu. Mutt was generating a "mailboxes" command and sending that along to the muttrc parser. However, it was not escaping "`", which executes code and inserts the result. This would allow a malicious IMAP server to execute arbitrary code (for $imap_check_subscribed). Fixes POP body caching path traversal vulnerability. Fixes IMAP header caching path traversal vulnerability. CVE-2018-14349 - NO Response Heap Overflow CVE-2018-14350 - INTERNALDATE Stack Overflow CVE-2018-14351 - STATUS Literal Length relative write CVE-2018-14352 - imap_quote_string off-by-one stack overflow CVE-2018-14353 - imap_quote_string int underflow CVE-2018-14354 - imap_subscribe Remote Code Execution CVE-2018-14355 - STATUS mailbox header cache directory traversal CVE-2018-14356 - POP empty UID NULL deref CVE-2018-14357 - LSUB Remote Code Execution CVE-2018-14358 - RFC822.SIZE Stack Overflow CVE-2018-14359 - base64 decode Stack Overflow CVE-2018-14362 - POP Message Cache Directory Traversal