84056 2005-03-04 01:03 0000 mail-client/{sylpheed|sylpheed-claws} buffer overflow 2005-03-21 06:22:03 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://sylpheed.good-day.net/ B2 [glsa] jaervosz P2 normal --- 1 fbusse@gmx.de security@gentoo.org genone@gentoo.org hattya@gentoo.org net-mail@gentoo.org plate@gentoo.org fbusse@gmx.de 2005-03-04 01:03:36 0000 Hello, The new version fixes at least one critical buffer overflow, which has been fixed in 1.0.3 and the svn-branch for the development-version. Here's the annoucement: From: Hiroyuki Yamamoto <hiro-y@kcn.ne.jp> Hello, Since a buffer overflow bug was found, I've made an urgent release of 1.0.3. This problem exists in almost all of the older version, so be sure to upgrade. In the development version, it is fixed on the svn trunk. Changes: * A buffer overflow which occurred when replying to a message with certain headers which contain non-ascii characters was fixed. * A memory leak of the composition window was fixed. jaervosz@gentoo.org 2005-03-04 01:23:54 0000 Akinori please bump. koon@gentoo.org 2005-03-06 02:11:14 0000 hattya / net-mail: please bump to 1.0.3 fbusse@gmx.de 2005-03-07 01:45:23 0000 Development version 1.9.5 with the same fix has been released. fbusse@gmx.de 2005-03-07 11:36:44 0000 The new version in portage (1.9.5) works fine for me, but please also include the references-patch from 1.9.2 (works without change for 1.9.5 as well). rockoo@gmail.com 2005-03-08 05:36:03 0000 *** Bug 84379 has been marked as a duplicate of this bug. *** jaervosz@gentoo.org 2005-03-09 12:53:44 0000 *sylpheed-1.0.3 (07 Mar 2005) 07 Mar 2005; Akinori Hattori <hattya@gentoo.org> +sylpheed-1.0.3.ebuild: new upstream release. fixes bug #84056 and #84379. Thx for noting Langthan. Akinori Hattori please comment on the bug next time. Arches please test and mark stable. hansmi@gentoo.org 2005-03-09 13:11:40 0000 Stable on ppc. hansmi@gentoo.org 2005-03-09 13:14:28 0000 Oopps. Reopen. kugelfang@gentoo.org 2005-03-09 16:29:08 0000 Stable on amd64. corsair@gentoo.org 2005-03-09 22:32:20 0000 stable on ppc64 tigger@gentoo.org 2005-03-10 03:28:09 0000 a quick look at compose.c in sylpheed-claws suggests its vulnerable to the compose overflow. tigger@gentoo.org 2005-03-10 03:33:27 0000 I used this patch as a reference: http://sylpheed.good-day.net/sylpheed/v1.0/sylpheed-1.0.2-1.0.3.patch.gz And checked the source after: rob@leet ~ $ sudo ebuild /usr/portage/mail-client/sylpheed-claws/sylpheed-claws-1.0.1.1.ebuild unpack This version is vulnerable to the overflow which the above patch correct in sylpheed. I haven't checked other versions, but I assume they also contain the flaw. jaervosz@gentoo.org 2005-03-10 03:36:33 0000 Adding genone to advise on sylpheed-claws. gustavoz@gentoo.org 2005-03-10 05:49:20 0000 sparc stable. genone@gentoo.org 2005-03-10 11:28:40 0000 -claws is also affected, 1.0.3 has the patch and just got into cvs as ~arch as I still have to test it a little bit more and also check the plugins. genone@gentoo.org 2005-03-12 06:56:34 0000 sylpheed-claws-1.0.3 marked stable on x86 and amd64, still needs ppc, sparc and alpha love. hansmi@gentoo.org 2005-03-12 08:03:58 0000 Stable on ppc. weeve@gentoo.org 2005-03-12 11:35:39 0000 Stable on SPARC. gmsoft@gentoo.org 2005-03-14 00:57:02 0000 Stable on hppa \o/ koon@gentoo.org 2005-03-14 01:30:36 0000 sylpheed-1.0.3 still needs x86 and alpha stable (ia64 should also mark stable) sylpheed-claws-1.0.3 still needs alpha stable kloeri@gentoo.org 2005-03-17 13:20:46 0000 Alpha stable. jaervosz@gentoo.org 2005-03-18 13:50:36 0000 Hattya, please mark Sylpeed stable on x86. lewk@gentoo.org 2005-03-20 14:40:43 0000 19 Mar 2005; Akinori Hattori <hattya@gentoo.org> sylpheed-1.0.3.ebuild: stable on x86. fixes bug #84056. Thanks hattya, but please update the bug next time. Ready for GLSA. lewk@gentoo.org 2005-03-20 15:53:13 0000 GLSA 200503-26. ia64, please mark stable to benefit from GLSA. hattya@gentoo.org 2005-03-21 06:22:03 0000 Stable on ia64.