|Summary:|<mail-client/claws-mail-3.13.1: Stack Overflow (CVE-2015-8614)|
|Product:|Gentoo Security|
|Reporter:|Hanno Böck <hanno>|
|Component:|Vulnerabilities|
|Assignee:|Gentoo Security <security>|
|Severity:|normal|
|CC:|craig, gentoo, net-mail, polynomial-c|
|Whiteboard:|B2 [glsa cve]|
|Package list:||
|Runtime testing required:|---|
|Bug Depends on:|568954, 569828, 569830, 570692|
|Bug Blocks:|525588, 569826|
Description Hanno Böck 2015-12-21 15:15:17 UTC
This upstream bug was fixed in 3.13.1:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557

The title is "Remotely exploitable bug", but the information is a bit unclear. It looks like this is a stack overflow. Anyway, probably means 3.13.1 should receive fast stabilization and a GLSA.

This version also fixes two oob errors I reported, I don't think they're security risks, but for completeness here they are (some consider every oob issue to be worthy of treating as a potential security issue):
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3559
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3563
Comment 1 Lars Wendler (Polynomial-C) 2015-12-26 13:02:27 UTC
Arches please test and mark stable =mail-client/claws-mail-3.13.1 with target KEYWORDS: alpha amd64 ~arm hppa ~mips ppc ppc64 sparc x86 ~x86-fbsd
Comment 2 Craig Inches 2015-12-27 17:45:06 UTC
AMD 64: OK
Comment 3 Jeroen Roovers (RETIRED) 2015-12-29 06:40:31 UTC
Stable for HPPA.
Comment 4 Jeroen Roovers (RETIRED) 2015-12-29 06:49:29 UTC
I'm having a bit of trouble testing on PPC64 since dev-libs/libgdata -> net-libs/gnome-online-accounts -> [PDEPEND]: gnome-base/gnome-control-center pulls in half the GNOME distribution. I could mask USE=gnome easily, though.
Comment 6 Yury German 2016-04-26 06:28:25 UTC
Added to an existing GLSA Request.