Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 176805

Summary: mail-client/claws-mail APOP design error (CVE-2007-1558)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: genone, net-mail+disabled, ticho
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
Whiteboard: B3 [noglsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 13:02:12 UTC 
+++ This bug was initially created as a clone of Bug #175021 +++

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions.
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2007-05-02 13:08:37 UTC 
mail-client/claws-mail-2.9.1 which is already in the tree fixes this security issue.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 13:38:08 UTC 
Thx for the note armin76.

Arches please test and mark stable. Target keywords are:
claws-mail-2.9.1.ebuild:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd"
Comment 3 Steve Dibb (RETIRED) gentoo-dev 2007-05-02 14:35:25 UTC 
amd64 stable
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-05-02 14:36:11 UTC 
*** Bug 176808 has been marked as a duplicate of this bug. ***
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-02 15:43:56 UTC 
sparc stable.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-05-02 16:39:40 UTC 
ppc64 stable
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2007-05-02 17:13:25 UTC 
Why doesn't anyone wait for the package maintainer?

In addition to claws-mail-2.9.1, following plugins need to be stabilized as well, because current stable versions have API incompatible with 2.9.1:

=mail-client/claws-mail-gtkhtml-0.15
=mail-client/claws-mail-mailmbox-1.12.4
=mail-client/claws-mail-rssyl-0.12
=mail-client/claws-mail-vcalendar-1.95
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 18:53:00 UTC 
Sorry ticho, my bad.

/me slaps /me
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-02 19:05:16 UTC 
sparc stable claws-mail-mailmbox and claws-mail-vcalendar. the others aren't keyworded.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-05-02 19:40:42 UTC 
plug ins stable on ppc64
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-05-03 17:27:05 UTC 
x86 stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-03 18:51:31 UTC 
ppc stable
Comment 13 Steve Dibb (RETIRED) gentoo-dev 2007-05-03 19:11:12 UTC 
plugins stable on amd64
Comment 14 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-05-04 11:37:32 UTC 
claws-mail stable on alpha.

We don't need to keyword any of the plugins as we don't have any stable mark in the one that we have keyworded.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-05 12:16:13 UTC 
Sorry for the late response. claws-mail suffers a glibc bug specific to HPPA where a program will hang indefinitely waiting for a child process to signal back. All versions so far compile, but cannot be used until glibc-2.5 goes stable for HPPA. Therefore I cannot test it and this security bug should hence go forward without HPPA.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 22:54:49 UTC 
This one is ready for GLSA vote. I tend to vote NO.
Comment 17 Daniel Black (RETIRED) gentoo-dev 2007-05-19 23:16:52 UTC 
no glsa please
Comment 18 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-05-20 15:32:16 UTC 
I vote no, too.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 16:05:53 UTC 
Closing with NO GLSA.