Bug 805338 - <mail-client/sylpheed-3.7.0-r5: Insufficient link validation (CVE-2021-37746)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Keywords: PMASKED
Depends on: 861776
Blocks: CVE-2021-37746
Reported: 2021-07-31 05:56 UTC by Sam James
Modified: 2023-06-12 04:22 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-31 05:56:27 UTC
"textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click."
Comment 1 Hanno Böck gentoo-dev 2022-06-10 15:00:54 UTC
FWIW you can pick the patch from Fedora, they ported the claws patch to sylpheed (which has afaik no active upstream):
https://src.fedoraproject.org/rpms/sylpheed/blob/rawhide/f/sylpheed-3.7.0-uri-check.patch
Comment 2 Larry the Git Cow gentoo-dev 2022-06-12 13:34:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbdd19788e941b123628f724764bac32d12a728c

commit cbdd19788e941b123628f724764bac32d12a728c
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2022-06-12 13:33:08 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2022-06-12 13:33:08 +0000

    mail-client/sylpheed: fix CVE-2021-37746
    
    Bug: https://bugs.gentoo.org/805338
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 .../sylpheed/files/sylpheed-CVE-2021-37746.patch   | 39 ++++++++++++
 mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild      | 69 ++++++++++++++++++++++
 2 files changed, 108 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-12 13:37:54 UTC
Thanks! Please stable when ready
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-15 17:29:17 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2022-08-17 12:29:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d98d478b5e4a74b802f876ee4160c4b11c0fd0c0

commit d98d478b5e4a74b802f876ee4160c4b11c0fd0c0
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2022-08-17 12:28:32 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2022-08-17 12:28:32 +0000

    mail-client/sylpheed: drop old
    
    Bug: https://bugs.gentoo.org/805338
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 mail-client/sylpheed/sylpheed-3.7.0-r4.ebuild | 66 ---------------------------
 1 file changed, 66 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2023-06-03 05:24:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0fca6e9ac605eecb019c47cdc23f38cbcae8474

commit b0fca6e9ac605eecb019c47cdc23f38cbcae8474
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-06-01 18:46:19 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-06-03 05:23:35 +0000

    mail-client/sylpheed: treeclean
    
    Closes: https://bugs.gentoo.org/769293
    Closes: https://bugs.gentoo.org/664070
    Bug: https://bugs.gentoo.org/805338
    Bug: https://bugs.gentoo.org/807358
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 mail-client/sylpheed/Manifest                      |  1 -
 .../sylpheed/files/sylpheed-CVE-2021-37746.patch   | 39 ------------
 mail-client/sylpheed/files/sylpheed-tls-1.3.patch  | 17 ------
 mail-client/sylpheed/metadata.xml                  | 11 ----
 mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild      | 69 ----------------------
 profiles/package.mask                              |  6 --
 6 files changed, 143 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:22:48 UTC
Package is gone, low impact anyway. No GLSA, all done!