Secunia Research has discovered a vulnerability in Sylpheed and Sylpheed-Claws (Claws Mail), which potentially can be exploited by malicious people to compromise a vulnerable system. Vulnerability details: ---------------------- A format string error in the "inc_put_error()" function in src/inc.c when displaying a POP3 server's error reply can potentially be exploited to execute arbitrary code via specially crafted POP3 server replies containing format specifiers. The offending line of code looks like this in Sylpheed: alertpanel_error(err_msg); It looks like this in Claws Mail: alertpanel_error_log(err_msg); Successful exploitation potentially allows arbitrary code execution, but requires that the user is tricked into connecting to a malicious POP3 server. The vulnerability is confirmed in Sylpheed 2.4.4, Sylpheed-Claws 1.9.100, and Sylpheed-Claws (Claws Mail) 2.10.0. Other versions may also be affected.
CC'ing maintainer and setting whiteboard status. Forget to include PoC, Proof of Concept: ----------------- Here is a simple PoC: #!/bin/sh echo '-ERR %n%n%n%n' | nc -l -p 110
My bad, fixes are available upstream.
net-mail, please provide ebuilds including the fix.
sylpheed-2.4.5 was released by upstream.
claws-mail-3.0.0 and sylpheed-2.4.5 were in portage. *claws-mail-3.0.0 (03 Sep 2007) 03 Sep 2007; Andrej Kacian <ticho@gentoo.org> -claws-mail-3.0.0_rc1.ebuild, +claws-mail-3.0.0.ebuild: Version bump. *sylpheed-2.4.5 (03 Sep 2007) 03 Sep 2007; Akinori Hattori <hattya@gentoo.org> +sylpheed-2.4.5.ebuild: new upstream release.
Arches please test and mark stable. Target keywords are: claws-mail-3.0.0.ebuild:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd" sylpheed-2.4.5.ebuild:KEYWORDS="alpha amd64 ~hppa ia64 ppc ~ppc64 sparc x86"
Both stable for HPPA.
Here on x86 I still have a severe problem (crashing and deleting folder hierarchy), which is not fatal but very annoying. I am discussing it with upstream.
ppc stable
(In reply to comment #8) > Here on x86 I still have a severe problem (crashing and deleting folder > hierarchy), which is not fatal but very annoying. I am discussing it with > upstream. I have tested claws-mail and sylpheed with a simple IMAP account and seems to work fine. If someone (Christian, matsuu) thinks this is an obstacle to mark them stable, please drop a comment before tomorrow or I will mark both stable for sparc. Thanks.
(In reply to comment #10) > (In reply to comment #8) > > Here on x86 I still have a severe problem (crashing and deleting folder > > hierarchy), which is not fatal but very annoying. I am discussing it with > > upstream. > I have tested claws-mail and sylpheed with a simple IMAP account and seems to > work fine. > If someone (Christian, matsuu) thinks this is an obstacle to mark them stable, > please drop a comment before tomorrow or I will mark both stable for sparc. The problem is not reproducable by upstream and when trying to debug (by special start options) it just vanishes....so I think it is to obscure to hold up stabilisation.
Any idea why didn't anyone CC claws-mail maintainers?
sparc stable. (In reply to comment #12) > Any idea why didn't anyone CC claws-mail maintainers? > Speaking for myself, sorry, I usually don't check this in security bugs since usually the maintainer was the one who bumped the package to fix the bug (not in this case). I'll give it a look in the future, but IMHO, is more a question for our security ninjas.
ppc64 stable
@ticho: sorry, my bad. I thought you were part of the herd alias.
alpha/ia64 stable
x86 stable
By the way, in addition to claws-mail-3.0.0 going stable, all its plugins need to go stable as well, because currently stable versions do not compile against 3.0.0, due to API change in this version. Here's the list: mail-client/claws-mail-acpi-notifier-1.0.12 mail-client/claws-mail-attachwarner-0.2.8 mail-client/claws-mail-att-remover-1.0.7 mail-client/claws-mail-cachesaver-0.10.6 mail-client/claws-mail-fetchinfo-0.4.20 mail-client/claws-mail-gtkhtml-0.15.2 mail-client/claws-mail-mailmbox-1.14 mail-client/claws-mail-newmail-0.0.11 mail-client/claws-mail-notification-0.12 mail-client/claws-mail-pdf-viewer-0.6 mail-client/claws-mail-perl-0.9.10 mail-client/claws-mail-rssyl-0.15 mail-client/claws-mail-smime-0.7.2 mail-client/claws-mail-vcalendar-1.96 Not all arches have all (or any) plugins stable, so it's up to the arch teams.
mail-client/claws-mail-att-remover-1.0.7 ppc64 mail-client/claws-mail-cachesaver-0.10.6 ppc64 sparc mail-client/claws-mail-fetchinfo-0.4.20 ppc64 mail-client/claws-mail-gtkhtml-0.15.2 amd64 ppc ppc64 mail-client/claws-mail-mailmbox-1.14 amd64 ppc ppc64 sparc mail-client/claws-mail-pdf-viewer-0.6 ppc64 mail-client/claws-mail-perl-0.9.10 amd64 ppc64 mail-client/claws-mail-rssyl-0.15 amd64 ppc ppc64 mail-client/claws-mail-vcalendar-1.96 ppc64 sparc x86 is done in the next couple of minutes
thanks Christian. plugins stable on ppc64.
(In reply to comment #18) > By the way, in addition to claws-mail-3.0.0 going stable, all its plugins need > to go stable as well, because currently stable versions do not compile against > 3.0.0, due to API change in this version. > > mail-client/claws-mail-vcalendar-1.96 > @Ticho: I found a dependency error (>=curl-7.9.7) with vcalendar-1.96. I think we can handle it here and don't open a new bug for just this error: -- 8< --- checking for curl >= 7.9.7... FAILED configure: WARNING: curl-config was not found --------- Could you fix the error, please? Thanks.
Actually, after waking up today, I have no idea why I said vcalendar-1.96 - the correct version is 1.97 (which has no new features, only some bugfixes). Big sorry, everyone! The curl dependency has been fixed in both of them. Readding ppc64 - I wonder why they didn't actually _test_ the plugin before stabilizing... Once again, sorry for the extra work, claws-mail-vcalendar-1.97 is the one that works with 3.0.0.
(In reply to comment #22) > Actually, after waking up today, I have no idea why I said vcalendar-1.96 - the > correct version is 1.97 (which has no new features, only some bugfixes). Big > sorry, everyone! Nah! don't worry, shits happens. > > The curl dependency has been fixed in both of them. > Great. > Readding ppc64 - I wonder why they didn't actually _test_ the plugin before > stabilizing... > Indeed, the module throws you an error while loading. Anyway, each arch team has its own way to test things. > Once again, sorry for the extra work, claws-mail-vcalendar-1.97 is the one that > works with 3.0.0. > I've keyworded all the missing sparc modules, thanks opfer for the list.
(In reply to comment #22) > Readding ppc64 - I wonder why they didn't actually _test_ the plugin before > stabilizing... Don't forget x86, done now. I actually tested 1.97 (by ACCEPT_KEYWORDS=~x86) and stabled .96 from your list...shit happens. :)
sorry, my fault. claws-mail-vcalendar-1.97 stable on ppc64 now.
amd64 stable
(In reply to comment #19) > mail-client/claws-mail-gtkhtml-0.15.2 amd64 ppc ppc64 > mail-client/claws-mail-mailmbox-1.14 amd64 ppc ppc64 sparc > mail-client/claws-mail-rssyl-0.15 amd64 ppc ppc64 ppc stable
That's the last one. GLSA, anyone?
(In reply to comment #29) > That's the last one. GLSA, anyone? > yeah, it's 200710-29!