First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 84056
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: fbusse@gmx.de
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 84056 depends on: Show dependency tree
Bug 84056 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-03-04 01:03 0000 
Hello,
The new version fixes at least one critical buffer overflow, which has been fixed in 1.0.3 and the svn-branch for the development-version. Here's the annoucement:

From: Hiroyuki Yamamoto <hiro-y@kcn.ne.jp>

Hello,

Since a buffer overflow bug was found, I've made an urgent release of
1.0.3. This problem exists in almost all of the older version, so be
sure to upgrade. In the development version, it is fixed on the svn
trunk.

Changes:

 * A buffer overflow which occurred when replying to a message with
   certain headers which contain non-ascii characters was fixed.
 * A memory leak of the composition window was fixed.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-03-04 01:23:54 0000 ------- 
Akinori please bump.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-03-06 02:11:14 0000 ------- 
hattya / net-mail: please bump to 1.0.3

------- Comment #3 From fbusse@gmx.de 2005-03-07 01:45:23 0000 ------- 
Development version 1.9.5 with the same fix has been released.

------- Comment #4 From fbusse@gmx.de 2005-03-07 11:36:44 0000 ------- 
The new version in portage (1.9.5) works fine for me, but please also include
the references-patch from 1.9.2 (works without change for 1.9.5 as well).

------- Comment #5 From Daniel Webert 2005-03-08 05:36:03 0000 ------- 
*** Bug 84379 has been marked as a duplicate of this bug. ***

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-03-09 12:53:44 0000 ------- 
*sylpheed-1.0.3 (07 Mar 2005)

  07 Mar 2005; Akinori Hattori <hattya@gentoo.org> +sylpheed-1.0.3.ebuild:
  new upstream release. fixes bug #84056 and #84379.

Thx for noting Langthan.

Akinori Hattori please comment on the bug next time.

Arches please test and mark stable.

------- Comment #7 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-09 13:11:40 0000 ------- 
Stable on ppc.

------- Comment #8 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-09 13:14:28 0000 ------- 
Oopps. Reopen.

------- Comment #9 From Danny van Dyk (RETIRED) 2005-03-09 16:29:08 0000 ------- 
Stable on amd64.

------- Comment #10 From Markus Rothe 2005-03-09 22:32:20 0000 ------- 
stable on ppc64

------- Comment #11 From rob holland (RETIRED) 2005-03-10 03:28:09 0000 ------- 
a quick look at compose.c in sylpheed-claws suggests its vulnerable to the
compose overflow.

------- Comment #12 From rob holland (RETIRED) 2005-03-10 03:33:27 0000 ------- 
I used this patch as a reference:

http://sylpheed.good-day.net/sylpheed/v1.0/sylpheed-1.0.2-1.0.3.patch.gz

And checked the source after:

rob@leet ~ $ sudo ebuild /usr/portage/mail-client/sylpheed-claws/sylpheed-claws-1.0.1.1.ebuild unpack

This version is vulnerable to the overflow which the above patch correct in sylpheed.

I haven't checked other versions, but I assume they also contain the flaw.

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-03-10 03:36:33 0000 ------- 
Adding genone to advise on sylpheed-claws.

------- Comment #14 From Gustavo Zacarias (RETIRED) 2005-03-10 05:49:20 0000 ------- 
sparc stable.

------- Comment #15 From Marius Mauch (RETIRED) 2005-03-10 11:28:40 0000 ------- 
-claws is also affected, 1.0.3 has the patch and just got into cvs as ~arch as
I still have to test it a little bit more and also check the plugins.

------- Comment #16 From Marius Mauch (RETIRED) 2005-03-12 06:56:34 0000 ------- 
sylpheed-claws-1.0.3 marked stable on x86 and amd64, still needs ppc, sparc and
alpha love.

------- Comment #17 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-12 08:03:58 0000 ------- 
Stable on ppc.

------- Comment #18 From Jason Wever (RETIRED) 2005-03-12 11:35:39 0000 ------- 
Stable on SPARC.

------- Comment #19 From Guy Martin 2005-03-14 00:57:02 0000 ------- 
Stable on hppa \o/

------- Comment #20 From Thierry Carrez (RETIRED) 2005-03-14 01:30:36 0000 ------- 
sylpheed-1.0.3 still needs x86 and alpha stable (ia64 should also mark stable)
sylpheed-claws-1.0.3 still needs alpha stable

------- Comment #21 From Bryan Østergaard (RETIRED) 2005-03-17 13:20:46 0000 ------- 
Alpha stable.

------- Comment #22 From Sune Kloppenborg Jeppesen 2005-03-18 13:50:36 0000 ------- 
Hattya, please mark Sylpeed stable on x86.

------- Comment #23 From Luke Macken (RETIRED) 2005-03-20 14:40:43 0000 ------- 
  19 Mar 2005; Akinori Hattori <hattya@gentoo.org> sylpheed-1.0.3.ebuild:
  stable on x86. fixes bug #84056.

Thanks hattya, but please update the bug next time.  Ready for GLSA.

------- Comment #24 From Luke Macken (RETIRED) 2005-03-20 15:53:13 0000 ------- 
GLSA 200503-26.

ia64, please mark stable to benefit from GLSA.

------- Comment #25 From Akinori Hattori 2005-03-21 06:22:03 0000 ------- 
Stable on ia64.
First Last Prev Next    No search results available      Search page      Enter new bug