
Bug 569010 (CVE-2015-8614)

Summary: <mail-client/claws-mail-3.13.1: Stack Overflow (CVE-2015-8614)
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: craig, gentoo, net-mail+disabled, polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 568954, 569828, 569830, 570692    
Bug Blocks: 525588, 569826    

Description Hanno Böck gentoo-dev 2015-12-21 15:15:17 UTC
This upstream bug was fixed in 3.13.1:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557

The title is "Remotely exploitable bug", but the information is a bit unclear. It looks like this is a stack overflow. Anyway, probably means 3.13.1 should receive fast stabilization and a GLSA.

This version also fixes two oob errors I reported, I don't think they're security risks, but for completeness here they are (some consider every oob issue to be worthy of treating as a potential security issue):
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3559
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3563
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-12-26 13:02:27 UTC
Arches please test and mark stable =mail-client/claws-mail-3.13.1 with target KEYWORDS:

alpha amd64 ~arm hppa ~mips ppc ppc64 sparc x86 ~x86-fbsd
Comment 2 Craig Inches 2015-12-27 17:45:06 UTC
AMD 64: OK
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-29 06:40:31 UTC
Stable for HPPA.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-29 06:49:29 UTC
I'm having a bit of trouble testing on PPC64 since dev-libs/libgdata -> net-libs/gnome-online-accounts -> [PDEPEND]: gnome-base/gnome-control-center pulls in half the GNOME distribution. I could mask USE=gnome easily, though.
Comment 5 Agostino Sarubbo gentoo-dev 2016-01-05 10:40:24 UTC
We will continue in bug 570692.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 06:28:25 UTC
Added to an existing GLSA Request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 12:42:42 UTC
This issue was resolved and addressed in GLSA 201606-11 at https://security.gentoo.org/glsa/201606-11 by GLSA coordinator Aaron Bauman (b-man).