I discovered two out of bounds memory access issues in courier by checking it with address sanitizer. This is one of the cases where I'm not really sure if there's a security issue or not, but for safety I'd like to handle it as such. Here's the background on the found issues: https://blog.fuzzing-project.org/17-Courier-mail-server-Write-heap-overflow-in-mailbot-tool-and-out-of-bounds-heap-read-in-imap-folder-parser.html Archs, can you please stabilize courier 0.75.0 and dependencies? =net-libs/courier-unicode-1.3 =net-libs/courier-authlib-0.66.3 =mail-mta/courier-0.75.0 To the alpha, hppa, ia64 and sparc teams: Your keywords have been dropped when the courier-unicode dep was introduced (rekeywording request in #532520). I will drop the old courier versions, if you want to keep a keyworded version please rekeyword. But I'm also fine with not supporting exotic archs.
amd64 stable
x86 stable
Stable for HPPA.
alpha stable
ppc stable
sparc stable
ia64 stable
Arches, Thank you for your work. Security Please Vote First GLSA Vote: No Maintainer(s), please drop the vulnerable version(s). Hanoo, was CVE ever assigned. I could not find it (http://seclists.org/oss-sec/2015/q2/817)
As I already wrote it's highly unclear if this has any security impact at all, and I think CVEers decided not to assign one. Therefore I think no GLSA needed and we're done here.
(In reply to Hanno Boeck from comment #9) > Therefore I think no GLSA needed and we're done here. As per Hanno who found the vulnerability, no GLSA. Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), please drop the vulnerable version(s).
Please clean up vulnerable packages: =mail-mta/courier-{0.71,0.74.0,0.74.1,0.74.1-r1}
Please clean.
Please clean or let us know why the old packages need to stay.
I removed all vulnerable versions now.
(In reply to Hanno Boeck from comment #15) > I removed all vulnerable versions now. Thanks, Hanno!
