Bug 111853

Summary: mail-client/sylpheed[-claws]: LDIF importer buffer overflow (CVE-2005-3354)
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: geneseto, genone, hattya, lzap, rockoo
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2? [glsa]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2005-11-08 02:12:14 UTC
Colin Leroy has found three buffer overflows in Sylpheed and Sylpheed-Claws.
They are locally exploitable and could allow execution of code as the
current user.

One of them is in the LDIF importer, accessible from the Addressbook
(Tools menu). If the chosen file has a line longer than 2047 chars,
sylpheed(-claws) will segfault because the program will try to write
after the end of a 2048 chars static buffer. I don't know if this can
be exploited.

The other two are similar and concern only Sylpheed-Claws. They happen
in the Mutt and Pine addressbook importers found in the same place, and
the problem is the same.

Vulnerable versions:
Sylpheed: from 0.6.4 to 2.0.3 (stable), 2.1.5 (development), 1.0.5 (old)
Sylpheed-Claws: from 0.6.4 to 1.9.99 (included)

Fixed versions:
Sylpheed: >= 2.0.4 (stable), 2.1.6 (development), 1.0.6 (old)
Sylpheed-Claws: >= 1.9.100
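
The over-long-line condition described in the report above, as an added C example that is not part of the original bug report and is not Sylpheed's code: a bounded line reader that never writes past a 2048-byte buffer and flags truncated lines. The names `read_line_bounded`, `demo_first_line` and `LDIF_BUF` are hypothetical; only the 2048-byte size comes from the report, and the input file is constructed.

```c
#include <stdio.h>
#include <string.h>

#define LDIF_BUF 2048 /* buffer size stated in the report */

/* Unsafe pattern, comment only: with no index check this writes past
 * buf[LDIF_BUF - 1]: while ((c = fgetc(fp)) != EOF && c != '\n') buf[i++] = c; */
/* Stores at most cap-1 bytes (cap >= 1), always NUL-terminates, consumes the
 * rest of an over-long line and flags it. Returns bytes stored, -1 at EOF. */
long read_line_bounded(FILE *fp, char *buf, size_t cap, int *truncated)
{
    size_t i = 0;
    int c, seen = 0;
    *truncated = 0;
    while ((c = fgetc(fp)) != EOF) {
        seen = 1;
        if (c == '\n') break;
        if (i + 1 < cap) buf[i++] = (char)c;
        else *truncated = 1; /* drop the excess instead of writing it */
    }
    buf[i] = '\0';
    return seen ? (long)i : -1;
}

/* Constructed input: one line of line_len 'A' chars, then "cn: ok". Returns
 * bytes stored for line one, or -2 if setup or the second-line check fails. */
long demo_first_line(size_t line_len, int *truncated)
{
    static char buf[LDIF_BUF];
    int t2 = 0;
    long n;
    FILE *fp = tmpfile();
    if (!fp) return -2;
    for (size_t k = 0; k < line_len; k++) fputc('A', fp);
    fputs("\ncn: ok\n", fp);
    rewind(fp);
    n = read_line_bounded(fp, buf, sizeof buf, truncated);
    if (read_line_bounded(fp, buf, sizeof buf, &t2) != 6 || t2 ||
        strcmp(buf, "cn: ok") != 0) n = -2; /* next read must resync */
    fclose(fp);
    return n;
}

int main(void) {
    int t;
    long n = demo_first_line(3000, &t);
    printf("stored=%ld truncated=%d\n", n, t);
    return 0;
}
```

An importer built this way can reject or skip a record whose line was truncated instead of parsing a partial value.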
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-11-08 02:19:15 UTC
This is semi-public, meaning it's not been announced yet but can be found in
upstream CVS. We are free to commit new releases to Portage.

hattya: we should add the following fixed versions:
sylpheed-2.0.4 (stable)
sylpheed-2.1.6 (~/masked)

genone: for sylpheed-claws, we might need to backport the fix for our 1.0.5
stable line, as only 1.9.100 is released to fix. These are the patches for
sylpheed-claws:

http://colino.net/sylpheed-claws-gtk2/getpatchset.php3?ver=1.9.99cvs13
http://colino.net/sylpheed-claws-gtk2/getpatchset.php3?ver=1.9.99cvs15
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-11-10 08:45:01 UTC
*** Bug 111872 has been marked as a duplicate of this bug. ***
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-11-10 08:45:37 UTC
Now completely public, please patch.
Comment 4 Marius Mauch (RETIRED) gentoo-dev 2005-11-10 10:19:45 UTC
will do what I can at the weekend (I'm currently pretty busy during the week),
hopefully the patch for 1.0.5 shouldn't be tricky. The 1.9 branch might take a
bit longer as it also requires updated plugins (this is why .99 is still p.masked).
Comment 5 Marius Mauch (RETIRED) gentoo-dev 2005-11-11 05:54:29 UTC
Ok, committed a 1.0.5-r1 as ~arch and a p.masked 1.9.100 (due to broken plugins).
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2005-11-11 11:12:49 UTC
*** Bug 112198 has been marked as a duplicate of this bug. ***
Comment 7 Akinori Hattori gentoo-dev 2005-11-13 02:05:39 UTC
Sylpheed 2.0.4 and 2.1.6 are in CVS.
Comment 8 Marius Mauch (RETIRED) gentoo-dev 2005-11-13 03:57:47 UTC
Sylpheed-claws-1.9.100 unmasked as of a few minutes ago. All that remains to do
for -claws is marking 1.0.5-r1 stable.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2005-11-13 03:59:14 UTC
arches, please test and mark stable if possible:

mail-client/sylpheed-2.0.4:
target keywords: "alpha amd64 hppa ia64 ppc ~ppc64 sparc x86"

mail-client/sylpheed-claws-1.0.5-r1:
target keywords: "alpha amd64 ppc ppc64 sparc x86"
Comment 10 Brent Baude (RETIRED) gentoo-dev 2005-11-13 05:04:19 UTC
marked both ppc64 stable.
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-11-13 10:26:26 UTC
ppc and hppa done.
Comment 12 Jason Wever (RETIRED) gentoo-dev 2005-11-13 10:57:33 UTC
SPARCy SPARC and the stable bunch
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-11-14 02:35:42 UTC
marked both stable on alpha.
Comment 14 Chris Gianelloni (RETIRED) gentoo-dev 2005-11-14 06:54:50 UTC
x86 is feeling a bit of those good vibrations, too...
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2005-11-14 13:18:47 UTC
sylpheed doesn't like it when you don't give true settings, it hangs when you
try to set up an account for dev.g.o on port 143... it hangs and you have to
kill it. however, 2.0.1 has the same behaviour, so this gets the amd64 keyword
nevertheless.
both marked stable on amd64
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-11-15 06:15:25 UTC
Thx everyone...

GLSA 200511-13
ia64 should mark stable to benefit from GLSA