Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 308051 - <dev-libs/gmime-{2.2.26,2.4.15}: buffer overflow (CVE-2010-0409)
Summary: <dev-libs/gmime-{2.2.26,2.4.15}: buffer overflow (CVE-2010-0409)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://ftp.gnome.org/pub/GNOME/source...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 324157
Blocks:
  Show dependency tree
 
Reported: 2010-03-06 15:39 UTC by Stefan Behte (RETIRED)
Modified: 2014-01-21 19:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:39:33 UTC
CVE-2010-0409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0409):
  Buffer overflow in the GMIME_UUENCODE_LEN macro in
  gmime/gmime-encodings.h in GMime before 2.4.15 allows
  context-dependent attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via input data for a
  uuencode operation.
Comment 1 Gilles Dartiguelongue (RETIRED) gentoo-dev 2010-03-07 15:04:26 UTC
2.4.14 was never added to the tree.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-07 15:21:43 UTC
We have got 2.2.x and 2.4.9 in tree, I checked the code of 2.4.9 and it seems to need the patch.

Patch for 2.4.x here:
http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz

2.2.x has the issue, too, but it's a different file:

gmime/gmime-utils.h:#define GMIME_UUENCODE_LEN(x)      ((size_t) (((((x) + 2) / 45) * 62) + 62))

gnome, can we stable 2.4.15 and drop 2.2.x?
Comment 3 Pacho Ramos gentoo-dev 2010-03-26 15:59:38 UTC
(In reply to comment #2)
> gnome, can we stable 2.4.15 and drop 2.2.x?
> 

It cannot be dropped yet since some apps still require it in the tree. I will try to get it backported: https://bugzilla.gnome.org/show_bug.cgi?id=614025
Comment 4 Pacho Ramos gentoo-dev 2010-03-26 16:04:00 UTC
This security problem is solved then with the following versions:
dev-libs/gmime-2.2.26
dev-libs/gmime-2.4.15
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-17 19:21:22 UTC
The package is being stabilized in bug 324157. ppc64 is still missing.
Comment 6 Gilles Dartiguelongue (RETIRED) gentoo-dev 2010-09-19 16:47:40 UTC
ppc64 now has 2.4.17 and 2.2.26 stable. Please proceed.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:09:48 UTC
Thanks, everyone. GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 19:28:13 UTC
This issue was resolved and addressed in
 GLSA 201401-19 at http://security.gentoo.org/glsa/glsa-201401-19.xml
by GLSA coordinator Sean Amoss (ackle).