Summary: | mail-client/{sylpheed, claws-mail} POP3 format string vulnerability (CVE-2007-2958) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matt Fleming (RETIRED) <mjf> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | genone, matsuu, net-mail+disabled, ticho |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/26550/ | ||
Whiteboard: | B2 [glsa] | ||
Package list: | | Runtime testing required: | ---
Description
Matt Fleming (RETIRED)
2007-08-24 22:14:33 UTC
CC'ing maintainer and setting whiteboard status.

Forgot to include PoC. Proof of Concept:

Here is a simple PoC:

```sh
#!/bin/sh
echo '-ERR %n%n%n%n' | nc -l -p 110
```

My bad, fixes are available upstream. net-mail, please provide ebuilds including the fix.

sylpheed-2.4.5 was released by upstream.

claws-mail-3.0.0 and sylpheed-2.4.5 were in portage.

```
*claws-mail-3.0.0 (03 Sep 2007)

  03 Sep 2007; Andrej Kacian <ticho@gentoo.org> -claws-mail-3.0.0_rc1.ebuild,
  +claws-mail-3.0.0.ebuild:
  Version bump.

*sylpheed-2.4.5 (03 Sep 2007)

  03 Sep 2007; Akinori Hattori <hattya@gentoo.org> +sylpheed-2.4.5.ebuild:
  new upstream release.
```

Arches please test and mark stable. Target keywords are:

```
claws-mail-3.0.0.ebuild:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd"
sylpheed-2.4.5.ebuild:KEYWORDS="alpha amd64 ~hppa ia64 ppc ~ppc64 sparc x86"
```

Both stable for HPPA.

Here on x86 I still have a severe problem (crashing and deleting folder hierarchy), which is not fatal but very annoying. I am discussing it with upstream.

ppc stable

(In reply to comment #8)
> Here on x86 I still have a severe problem (crashing and deleting folder
> hierarchy), which is not fatal but very annoying. I am discussing it with
> upstream.

I have tested claws-mail and sylpheed with a simple IMAP account and they seem to work fine. If someone (Christian, matsuu) thinks this is an obstacle to marking them stable, please drop a comment before tomorrow or I will mark both stable for sparc. Thanks.

(In reply to comment #10)
> (In reply to comment #8)
> > Here on x86 I still have a severe problem (crashing and deleting folder
> > hierarchy), which is not fatal but very annoying. I am discussing it with
> > upstream.
> I have tested claws-mail and sylpheed with a simple IMAP account and they seem to
> work fine.
> If someone (Christian, matsuu) thinks this is an obstacle to marking them stable,
> please drop a comment before tomorrow or I will mark both stable for sparc.

The problem is not reproducible by upstream, and when trying to debug (by special start options) it just vanishes... so I think it is too obscure to hold up stabilisation.

Any idea why nobody CC'd the claws-mail maintainers?

sparc stable.

(In reply to comment #12)
> Any idea why nobody CC'd the claws-mail maintainers?

Speaking for myself, sorry, I usually don't check this in security bugs since usually the maintainer was the one who bumped the package to fix the bug (not in this case). I'll give it a look in the future, but IMHO it's more a question for our security ninjas.

ppc64 stable

@ticho: sorry, my bad. I thought you were part of the herd alias.

alpha/ia64 stable

x86 stable

By the way, in addition to claws-mail-3.0.0 going stable, all its plugins need to go stable as well, because the currently stable versions do not compile against 3.0.0, due to an API change in this version. Here's the list:

```
mail-client/claws-mail-acpi-notifier-1.0.12
mail-client/claws-mail-attachwarner-0.2.8
mail-client/claws-mail-att-remover-1.0.7
mail-client/claws-mail-cachesaver-0.10.6
mail-client/claws-mail-fetchinfo-0.4.20
mail-client/claws-mail-gtkhtml-0.15.2
mail-client/claws-mail-mailmbox-1.14
mail-client/claws-mail-newmail-0.0.11
mail-client/claws-mail-notification-0.12
mail-client/claws-mail-pdf-viewer-0.6
mail-client/claws-mail-perl-0.9.10
mail-client/claws-mail-rssyl-0.15
mail-client/claws-mail-smime-0.7.2
mail-client/claws-mail-vcalendar-1.96
```

Not all arches have all (or any) plugins stable, so it's up to the arch teams.

```
mail-client/claws-mail-att-remover-1.0.7    ppc64
mail-client/claws-mail-cachesaver-0.10.6    ppc64 sparc
mail-client/claws-mail-fetchinfo-0.4.20     ppc64
mail-client/claws-mail-gtkhtml-0.15.2       amd64 ppc ppc64
mail-client/claws-mail-mailmbox-1.14        amd64 ppc ppc64 sparc
mail-client/claws-mail-pdf-viewer-0.6       ppc64
mail-client/claws-mail-perl-0.9.10          amd64 ppc64
mail-client/claws-mail-rssyl-0.15           amd64 ppc ppc64
mail-client/claws-mail-vcalendar-1.96       ppc64 sparc
```

x86 is done in the next couple of minutes. Thanks Christian.

plugins stable on ppc64.

(In reply to comment #18)
> By the way, in addition to claws-mail-3.0.0 going stable, all its plugins need
> to go stable as well, because currently stable versions do not compile against
> 3.0.0, due to API change in this version.
>
> mail-client/claws-mail-vcalendar-1.96

@Ticho: I found a dependency error (>=curl-7.9.7) with vcalendar-1.96. I think we can handle it here and not open a new bug for just this error:

```
-- 8< ---
checking for curl >= 7.9.7... FAILED
configure: WARNING: curl-config was not found
---------
```

Could you fix the error, please? Thanks.

Actually, after waking up today, I have no idea why I said vcalendar-1.96 - the correct version is 1.97 (which has no new features, only some bugfixes). Big sorry, everyone!

The curl dependency has been fixed in both of them.

Readding ppc64 - I wonder why they didn't actually _test_ the plugin before stabilizing...

Once again, sorry for the extra work, claws-mail-vcalendar-1.97 is the one that works with 3.0.0.

(In reply to comment #22)
> Actually, after waking up today, I have no idea why I said vcalendar-1.96 - the
> correct version is 1.97 (which has no new features, only some bugfixes). Big
> sorry, everyone!

Nah! Don't worry, shit happens.

> The curl dependency has been fixed in both of them.

Great.

> Readding ppc64 - I wonder why they didn't actually _test_ the plugin before
> stabilizing...

Indeed, the module throws you an error while loading.
Anyway, each arch team has its own way to test things.

> Once again, sorry for the extra work, claws-mail-vcalendar-1.97 is the one that
> works with 3.0.0.

I've keyworded all the missing sparc modules, thanks opfer for the list.

(In reply to comment #22)
> Readding ppc64 - I wonder why they didn't actually _test_ the plugin before
> stabilizing...

Don't forget x86, done now. I actually tested 1.97 (by ACCEPT_KEYWORDS=~x86) and stabled .96 from your list... shit happens. :) Sorry, my fault.

claws-mail-vcalendar-1.97 stable on ppc64 now.

amd64 stable

(In reply to comment #19)
> mail-client/claws-mail-gtkhtml-0.15.2 amd64 ppc ppc64
> mail-client/claws-mail-mailmbox-1.14 amd64 ppc ppc64 sparc
> mail-client/claws-mail-rssyl-0.15 amd64 ppc ppc64

ppc stable

That's the last one. GLSA, anyone?

(In reply to comment #29)
> That's the last one. GLSA, anyone?

Yeah, it's 200710-29!
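The PoC in this bug works only if the client hands the server's `-ERR ...` line to a printf-style function as the format string itself. The following is an added illustration, not sylpheed or claws-mail code: the function names are hypothetical, the hostile line is the constructed sample from the PoC, and it shows the hardened logging form (server text only ever as a `%s` argument) next to a small check that counts the conversions an untrusted line would trigger if it were misused as a format.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not project code). The bug class is calling a
 * printf-family function as  log_error(server_line);  so that "%n" in a
 * server-controlled line is interpreted as a conversion. The fix is to
 * keep the format a literal:  log_error("%s", server_line);             */

/* Count the conversions an untrusted line would trigger if it were ever
 * used as a format string. "%%" is a literal percent, not a conversion.
 * Handy as a unit-test or log-inspection check on client input paths.   */
int count_format_conversions(const char *line)
{
    int n = 0;
    for (const char *p = line; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;                    /* would become a conversion, e.g. %n, %s */
    }
    return n;
}

/* Hardened logging: the format is a compile-time literal and the server
 * text is only a %s argument, so "%n" stays inert text in the output.
 * Returns the length of the formatted message (snprintf semantics).     */
int log_pop3_error(char *out, size_t outlen, const char *server_line)
{
    return snprintf(out, outlen, "POP3 error from server: %s", server_line);
}

int main(void)
{
    /* Constructed sample, mirroring the PoC response in this bug. */
    const char *hostile = "-ERR %n%n%n%n";
    char buf[128];

    printf("conversions in line: %d\n", count_format_conversions(hostile));
    log_pop3_error(buf, sizeof buf, hostile);
    printf("%s\n", buf);   /* "%n" is printed literally; nothing is written to memory */
    return 0;
}
```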