Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 570692 (CVE-2015-8708)

Summary: <mail-client/claws-mail-3.13.2: Stack Overflow (incomplete fix for CVE-2015-8614) (CVE-2015-8708)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: boxcars, gentoo, net-mail+disabled, polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 525588, 569010    

Description Agostino Sarubbo gentoo-dev 2016-01-03 09:46:55 UTC
From ${URL} :

Note that two of the bounds checks added in that commit are incorrect:

1. In conv_jistoeuc() the check uses > rather than <, which causes all
   conversions to return an empty string.  This is presumably not a
   security issue, but is a regression.

3. In conv_euctojis() the comparison is with outlen - 3, but each pass
   through the loop uses up to 5 bytes and the rest of the function may
   add another 4 bytes.  The comparison should presumably be 
   '<= outlen - 9' or equivalently '< outlen - 8'.

The first check is fixed by a later commit:;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hanno Böck gentoo-dev 2016-01-22 23:38:17 UTC
According to the upstream bug this was fixed now:
And there's just been a new release (3.13.2) which is already in the tree, so I think what's left to do is stabilize it.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:59:49 UTC
3.13.2 in tree for 30+ days, no open bugs against it. Calling for stabilization:

Arches, please test and mark stable:


Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Thank you!
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-27 09:09:57 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-02 13:59:54 UTC
amd64 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-14 19:48:50 UTC
Stable on alpha.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-14 19:50:47 UTC
Scratch that. Dependencies missing.

Putting this on the back burner while I deal with other security stuff (since that is the only pushback I have).
Comment 7 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-03-15 08:32:46 UTC
(In reply to Tobias Klausmann from comment #6)
> Scratch that. Dependencies missing.
> Putting this on the back burner while I deal with other security stuff
> (since that is the only pushback I have).

Yeah, the following dependencies also need stabilization:



repoman didn't show any additional dependencies for these two package regarding alpha. Feel free to mask any of these USE flags.
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-15 16:41:42 UTC
x86 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-17 10:17:53 UTC
I stable-maske the webkit USE flag for alpha, thus avoding the need to stabilize it for claws-mail.

libgdata (and its test-dep uhttpmock) I stabilized for alpha, along with clawsmail-3.13.2
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-17 11:34:22 UTC
ppc and ppc64 will drop to ~arch version until there will be stable requests.
Comment 11 Agostino Sarubbo gentoo-dev 2016-03-19 13:15:00 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-03-20 17:25:09 UTC
commit e002a44aed76da951c85d7f7ec1e2298f06120be
Author: Lars Wendler <>
Date:   Sun Mar 20 18:14:39 2016

    mail-client/claws-mail: Security cleanup (bug #570692).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <>
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 06:25:43 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 12:42:52 UTC
This issue was resolved and addressed in
 GLSA 201606-11 at
by GLSA coordinator Aaron Bauman (b-man).