Bug 805338

Summary: <mail-client/sylpheed-3.7.0-r5: Insufficient link validation (CVE-2021-37746)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: floppym, hattya
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 861776
Bug Blocks: 805335

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-31 05:56:27 UTC
"textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click."
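The class of check the CVE description refers to, as an added illustration that is not Sylpheed's or Claws Mail's code and not the Fedora patch: before a mail viewer hands a clicked link to an external handler, it compares the text the reader sees with where the link actually points, and holds the click for confirmation when an address-looking label names a different host or the target uses a scheme the viewer does not serve. The function names, the allowed-scheme list and the host-only comparison are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from Sylpheed, Claws Mail or the Fedora patch. */

/* Case-insensitive "does s start with prefix". */
static int starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Copy the lowercased host of a URI-like string into out. An optional
 * "scheme://" and any "user@" prefix are skipped; the host ends at '/', '?',
 * '#', ':' or the end of the string. Returns the number of characters copied. */
static size_t extract_host(const char *s, char *out, size_t outlen) {
    const char *sep = strstr(s, "://");
    const char *start = sep ? sep + 3 : s;
    const char *at = strchr(start, '@');
    const char *path = strpbrk(start, "/?#");
    size_t n = 0;

    if (at && (!path || at < path))
        start = at + 1;                     /* userinfo@host: keep the host */
    while (start[n] && !strchr("/?#:", start[n]) && n + 1 < outlen) {
        out[n] = (char)tolower((unsigned char)start[n]);
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Would a reader take this label for an address? Plain words such as
 * "click here" make no claim about the destination, so there is nothing
 * to compare against. */
static int looks_like_address(const char *text) {
    char host[256];
    if (strchr(text, ' '))
        return 0;
    if (strstr(text, "://") || strchr(text, '@'))
        return 1;
    return extract_host(text, host, sizeof host) > 0 && strchr(host, '.') != NULL;
}

/* Schemes this viewer is willing to pass to an external handler (assumed list). */
static int scheme_allowed(const char *target) {
    static const char *const ok[] = { "http://", "https://", "mailto:" };
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (starts_with_ci(target, ok[i]))
            return 1;
    return 0;
}

/* Returns 1 when the click should be held for the user's confirmation, 0 when
 * the visible label and the real target agree (or the label makes no claim).
 * Only the host part is compared; paths and mailbox names are left alone. */
int link_needs_confirmation(const char *visible, const char *target) {
    char vhost[256], thost[256];

    if (!scheme_allowed(target))
        return 1;                           /* anything but http(s)/mailto */
    if (!looks_like_address(visible))
        return 0;
    extract_host(visible, vhost, sizeof vhost);
    extract_host(target, thost, sizeof thost);
    return strcmp(vhost, thost) != 0;
}

int main(void) {
    /* Constructed sample pairs: label as rendered in the message body, real target. */
    const char *pairs[][2] = {
        { "https://example.com/login", "https://example.com/login" },
        { "https://bank.example/login", "https://phish.example/bank" },
        { "click here", "https://anything.example/" },
        { "alice@example.org", "mailto:alice@example.org" },
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-30s -> %-32s %s\n", pairs[i][0], pairs[i][1],
               link_needs_confirmation(pairs[i][0], pairs[i][1]) ? "ASK USER" : "ok");
    return 0;
}
```

Comparing hosts rather than whole strings keeps ordinary cases quiet (a label without a path, a differently cased host, a `user@` prefix) while still catching a label that names one site and a target that goes to another; the scheme gate sits first so that a target the viewer should not open at all is stopped regardless of how it is labelled.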
Comment 1 Hanno Böck gentoo-dev 2022-06-10 15:00:54 UTC
FWIW you can pick the patch from Fedora, they ported the claws patch to sylpheed (which has afaik no active upstream):
https://src.fedoraproject.org/rpms/sylpheed/blob/rawhide/f/sylpheed-3.7.0-uri-check.patch
Comment 2 Larry the Git Cow gentoo-dev 2022-06-12 13:34:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbdd19788e941b123628f724764bac32d12a728c

commit cbdd19788e941b123628f724764bac32d12a728c
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2022-06-12 13:33:08 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2022-06-12 13:33:08 +0000

    mail-client/sylpheed: fix CVE-2021-37746
    
    Bug: https://bugs.gentoo.org/805338
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 .../sylpheed/files/sylpheed-CVE-2021-37746.patch   | 39 ++++++++++++
 mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild      | 69 ++++++++++++++++++++++
 2 files changed, 108 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-12 13:37:54 UTC
Thanks! Please stable when ready
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-15 17:29:17 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2022-08-17 12:29:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d98d478b5e4a74b802f876ee4160c4b11c0fd0c0

commit d98d478b5e4a74b802f876ee4160c4b11c0fd0c0
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2022-08-17 12:28:32 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2022-08-17 12:28:32 +0000

    mail-client/sylpheed: drop old
    
    Bug: https://bugs.gentoo.org/805338
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 mail-client/sylpheed/sylpheed-3.7.0-r4.ebuild | 66 ---------------------------
 1 file changed, 66 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2023-06-03 05:24:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0fca6e9ac605eecb019c47cdc23f38cbcae8474

commit b0fca6e9ac605eecb019c47cdc23f38cbcae8474
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-06-01 18:46:19 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-06-03 05:23:35 +0000

    mail-client/sylpheed: treeclean
    
    Closes: https://bugs.gentoo.org/769293
    Closes: https://bugs.gentoo.org/664070
    Bug: https://bugs.gentoo.org/805338
    Bug: https://bugs.gentoo.org/807358
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 mail-client/sylpheed/Manifest                      |  1 -
 .../sylpheed/files/sylpheed-CVE-2021-37746.patch   | 39 ------------
 mail-client/sylpheed/files/sylpheed-tls-1.3.patch  | 17 ------
 mail-client/sylpheed/metadata.xml                  | 11 ----
 mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild      | 69 ----------------------
 profiles/package.mask                              |  6 --
 6 files changed, 143 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:22:48 UTC
Package is gone, low impact anyway. No GLSA, all done!