Bug 506668 - <mail-client/sylpheed-3.4.2: Unspecified Buffer Overflow Vulnerabilities
Summary: <mail-client/sylpheed-3.4.2: Unspecified Buffer Overflow Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57584/
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 502822
Depends on:
Blocks:
 
Reported: 2014-04-03 15:11 UTC by Agostino Sarubbo
Modified: 2016-12-02 10:31 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-04-03 15:11:34 UTC
From ${URL} :

Description

Some vulnerabilities with an unknown impact have been reported in Sylpheed.

The vulnerabilities are caused due to some unspecified errors, which can be exploited to cause buffer overflows. No further information is currently available.

The vulnerabilities are reported in versions prior to 3.3.1.


Solution:
Update to version 3.3.1 or later.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.sraoss.jp/pipermail/sylpheed/2014-March/005979.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Akinori Hattori gentoo-dev 2014-06-08 09:01:20 UTC
*** Bug 502822 has been marked as a duplicate of this bug. ***
Comment 2 Akinori Hattori gentoo-dev 2014-06-08 09:03:05 UTC
=mail-client/sylpheed-3.4.1 is ready to stabilize
Comment 3 Akinori Hattori gentoo-dev 2015-07-11 13:15:00 UTC
arches, please stabilize:

=mail-client/sylpheed-3.4.2
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-12 09:00:26 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-14 10:36:47 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-14 10:37:32 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 15:07:45 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2015-07-23 09:02:00 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-07-23 09:36:16 UTC
sparc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-31 10:29:58 UTC
ia64 stable
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 14:26:44 UTC
Maintainer(s), thank you for the cleanup.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 12 Akinori Hattori gentoo-dev 2015-08-22 06:35:14 UTC
dropped <mail-client/sylpheed-3.4.2
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-09-28 02:09:08 UTC
In communication with upstream:

I have released a security update for libraries included in the Windows
binary package, but there is no CVE for Sylpheed 3.4.x itself.

-- 
Hiroyuki Yamamoto <yamamoto@sraoss.co.jp>
SRA OSS, Inc. Japan
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 09:18:44 UTC
(In reply to Yury German from comment #13)
> In communication with upstream:
> 
> I have released a security update for libraries included in the Windows
> binary package, but there is no CVE for Sylpheed 3.4.x itself.
> 
> -- 
> Hiroyuki Yamamoto <yamamoto@sraoss.co.jp>
> SRA OSS, Inc. Japan

So the vulnerability has been mitigated in the tree with the removal of < 3.4.2.  Why wait on a CVE from something released in 2014?
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-12-02 10:31:49 UTC
No PoC for buffer overflow or ACE/RCE.  Code was audited via static analysis and never followed up with.  Redesignating.

GLSA Vote: No