Bug 190104 - mail-client/{sylpheed, claws-mail} POP3 format string vulnerability (CVE-2007-2958)
Summary: mail-client/{sylpheed, claws-mail} POP3 format string vulnerability (CVE-2007...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/26550/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-08-24 22:14 UTC by Matt Fleming (RETIRED)
Modified: 2007-10-25 22:13 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Matt Fleming (RETIRED) gentoo-dev 2007-08-24 22:14:33 UTC
Secunia Research has discovered a vulnerability in Sylpheed and
Sylpheed-Claws (Claws Mail), which potentially can be exploited by
malicious people to compromise a vulnerable system.


Vulnerability details:
----------------------

A format string error in the "inc_put_error()" function in src/inc.c
when displaying a POP3 server's error reply can potentially be exploited
to execute arbitrary code via specially crafted POP3 server replies
containing format specifiers.

The offending line of code looks like this in Sylpheed:

                alertpanel_error(err_msg);

It looks like this in Claws Mail:
 
                alertpanel_error_log(err_msg);

Successful exploitation potentially allows arbitrary code execution, but
requires that the user is tricked into connecting to a malicious POP3
server.

The vulnerability is confirmed in Sylpheed 2.4.4, Sylpheed-Claws
1.9.100, and Sylpheed-Claws (Claws Mail) 2.10.0. Other versions may also
be affected.
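
Added example, not part of the original report and not Sylpheed or Claws Mail source: the pattern described above next to the usual hardening for this bug class. `render_alert()` is a hypothetical stand-in for `alertpanel_error()`, and the sample reply is constructed with `%%` so that the unsafe path can be run without consuming any arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for alertpanel_error(): renders into a buffer. */
static int render_alert(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* "Before" pattern: the server reply is used as the format string. */
static int put_error_unsafe(char *out, size_t n, const char *reply)
{
    return render_alert(out, n, reply);
}

/* Hardened pattern: constant format, reply passed as data. */
static int put_error_safe(char *out, size_t n, const char *reply)
{
    return render_alert(out, n, "%s", reply);
}

/* Count conversion specifications in untrusted text, e.g. to log server
 * replies that a printf-style sink would have interpreted. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++)
        if (s[0] == '%' && s[1] == '%')
            s++;                        /* "%%" is a literal percent sign */
        else if (s[0] == '%' && s[1] != '\0')
            count++;
    return count;
}

int main(void)
{
    /* Constructed reply; "%%" consumes no arguments, so this is safe to run. */
    const char *reply = "-ERR mailbox 100%% full";
    char a[64], b[64];
    put_error_unsafe(a, sizeof a, reply);
    put_error_safe(b, sizeof b, reply);
    printf("unsafe: %s\nsafe:   %s\nconversions in PoC reply: %d\n",
           a, b, count_conversions("-ERR %n%n%n%n"));
    return 0;
}
```

Declaring a printf-style sink with GCC's `__attribute__((format(printf, N, M)))` lets `-Wformat-security` flag calls like the unsafe one at compile time.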
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-24 22:22:19 UTC
CC'ing maintainer and setting whiteboard status.

Forgot to include PoC,

Proof of Concept:
-----------------

Here is a simple PoC:

#!/bin/sh
echo '-ERR %n%n%n%n' | nc -l -p 110
Comment 2 Matt Fleming (RETIRED) gentoo-dev 2007-08-24 22:46:29 UTC
My bad, fixes are available upstream.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-31 09:53:48 UTC
net-mail, please provide ebuilds including the fix.
Comment 4 MATSUU Takuto (RETIRED) gentoo-dev 2007-08-31 15:44:35 UTC
sylpheed-2.4.5 was released by upstream.
Comment 5 MATSUU Takuto (RETIRED) gentoo-dev 2007-09-07 04:50:09 UTC
claws-mail-3.0.0 and sylpheed-2.4.5 were in portage.

*claws-mail-3.0.0 (03 Sep 2007)

  03 Sep 2007; Andrej Kacian <ticho@gentoo.org>
  -claws-mail-3.0.0_rc1.ebuild, +claws-mail-3.0.0.ebuild:
  Version bump.

*sylpheed-2.4.5 (03 Sep 2007)

  03 Sep 2007; Akinori Hattori <hattya@gentoo.org> +sylpheed-2.4.5.ebuild:
  new upstream release.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-08 15:45:09 UTC
Arches please test and mark stable. Target keywords are:

claws-mail-3.0.0.ebuild:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd"

sylpheed-2.4.5.ebuild:KEYWORDS="alpha amd64 ~hppa ia64 ppc ~ppc64 sparc x86"
Comment 7 Jeroen Roovers gentoo-dev 2007-09-08 16:22:23 UTC
Both stable for HPPA.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 19:01:03 UTC
Here on x86 I still have a severe problem (crashing and deleting folder hierarchy), which is not fatal but very annoying.  I am discussing it with upstream.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-10 18:20:16 UTC
ppc stable
Comment 10 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-12 12:38:15 UTC
(In reply to comment #8)
> Here on x86 I still have a severe problem (crashing and deleting folder
> hierarchy), which is not fatal but very annoying.  I am discussing it with
> upstream.

I have tested claws-mail and sylpheed with a simple IMAP account and they seem to work fine.

If someone (Christian, matsuu) thinks this is an obstacle to mark them stable, please drop a comment before tomorrow or I will mark both stable for sparc.

Thanks.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-12 13:20:52 UTC
(In reply to comment #10)
> (In reply to comment #8)
> > Here on x86 I still have a severe problem (crashing and deleting folder
> > hierarchy), which is not fatal but very annoying.  I am discussing it with
> > upstream.
> I have tested claws-mail and sylpheed with a simple IMAP account and seems to
> work fine. 
> If someone (Christian, matsuu) thinks this is an obstacle to mark them stable,
> please drop a comment before tomorrow or I will mark both stable for sparc.

 The problem is not reproducible by upstream and when trying to debug (by special start options) it just vanishes....so I think it is too obscure to hold up stabilisation.
Comment 12 Andrej Kacian (RETIRED) gentoo-dev 2007-09-12 16:45:07 UTC
Any idea why didn't anyone CC claws-mail maintainers?
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-13 09:11:51 UTC
sparc stable.

(In reply to comment #12)
> Any idea why didn't anyone CC claws-mail maintainers?
> 

Speaking for myself, sorry, I usually don't check this in security bugs since usually the maintainer was the one who bumped the package to fix the bug (not in this case). I'll give it a look in the future, but IMHO, it is more a question for our security ninjas.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-09-13 11:46:28 UTC
ppc64 stable
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-13 13:13:51 UTC
@ticho: sorry, my bad. I thought you were part of the herd alias.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2007-09-13 17:40:19 UTC
alpha/ia64 stable
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-13 17:52:12 UTC
x86 stable
Comment 18 Andrej Kacian (RETIRED) gentoo-dev 2007-09-13 18:10:46 UTC
By the way, in addition to claws-mail-3.0.0 going stable, all its plugins need to go stable as well, because currently stable versions do not compile against 3.0.0, due to API change in this version.

Here's the list:

mail-client/claws-mail-acpi-notifier-1.0.12
mail-client/claws-mail-attachwarner-0.2.8
mail-client/claws-mail-att-remover-1.0.7
mail-client/claws-mail-cachesaver-0.10.6
mail-client/claws-mail-fetchinfo-0.4.20
mail-client/claws-mail-gtkhtml-0.15.2
mail-client/claws-mail-mailmbox-1.14
mail-client/claws-mail-newmail-0.0.11
mail-client/claws-mail-notification-0.12
mail-client/claws-mail-pdf-viewer-0.6
mail-client/claws-mail-perl-0.9.10
mail-client/claws-mail-rssyl-0.15
mail-client/claws-mail-smime-0.7.2
mail-client/claws-mail-vcalendar-1.96

Not all arches have all (or any) plugins stable, so it's up to the arch teams.
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-13 18:18:28 UTC
mail-client/claws-mail-att-remover-1.0.7 ppc64
mail-client/claws-mail-cachesaver-0.10.6 ppc64 sparc
mail-client/claws-mail-fetchinfo-0.4.20 ppc64
mail-client/claws-mail-gtkhtml-0.15.2 amd64 ppc ppc64
mail-client/claws-mail-mailmbox-1.14 amd64 ppc ppc64 sparc
mail-client/claws-mail-pdf-viewer-0.6 ppc64
mail-client/claws-mail-perl-0.9.10 amd64 ppc64
mail-client/claws-mail-rssyl-0.15 amd64 ppc ppc64
mail-client/claws-mail-vcalendar-1.96 ppc64 sparc

x86 is done in the next couple of minutes
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2007-09-13 20:38:16 UTC
thanks Christian. plugins stable on ppc64.
Comment 21 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-14 08:14:20 UTC
(In reply to comment #18)
> By the way, in addition to claws-mail-3.0.0 going stable, all its plugins need
> to go stable as well, because currently stable versions do not compile against
> 3.0.0, due to API change in this version.
> 
> mail-client/claws-mail-vcalendar-1.96
> 


@Ticho: I found a dependency error (>=curl-7.9.7) with vcalendar-1.96. 
I think we can handle it here and not open a new bug for just this error:

-- 8< ---
checking for curl >= 7.9.7... FAILED
configure: WARNING: curl-config was not found
---------

Could you fix the error, please? Thanks.
Comment 22 Andrej Kacian (RETIRED) gentoo-dev 2007-09-14 09:01:57 UTC
Actually, after waking up today, I have no idea why I said vcalendar-1.96 - the correct version is 1.97 (which has no new features, only some bugfixes). Big sorry, everyone!

The curl dependency has been fixed in both of them.

Readding ppc64 - I wonder why they didn't actually _test_ the plugin before stabilizing...

Once again, sorry for the extra work, claws-mail-vcalendar-1.97 is the one that works with 3.0.0.
Comment 23 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-14 10:10:48 UTC
(In reply to comment #22)
> Actually, after waking up today, I have no idea why I said vcalendar-1.96 - the
> correct version is 1.97 (which has no new features, only some bugfixes). Big
> sorry, everyone!

Nah! Don't worry, shit happens.

> 
> The curl dependency has been fixed in both of them.
> 

Great.

> Readding ppc64 - I wonder why they didn't actually _test_ the plugin before
> stabilizing...
>

Indeed, the module throws you an error while loading. Anyway, each arch team has its own way to test things.
 
> Once again, sorry for the extra work, claws-mail-vcalendar-1.97 is the one that
> works with 3.0.0.
> 

I've keyworded all the missing sparc modules, thanks opfer for the list.
Comment 24 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-14 10:11:06 UTC
(In reply to comment #22)
> Actually, after waking up today, I have no idea why I said vcalendar-1.96 - the
> correct version is 1.97 (which has no new features, only some bugfixes). Big
> sorry, everyone!

Nah! Don't worry, shit happens.

> 
> The curl dependency has been fixed in both of them.
> 

Great.

> Readding ppc64 - I wonder why they didn't actually _test_ the plugin before
> stabilizing...
>

Indeed, the module throws you an error while loading. Anyway, each arch team has its own way to test things.
 
> Once again, sorry for the extra work, claws-mail-vcalendar-1.97 is the one that
> works with 3.0.0.
> 

I've keyworded all the missing sparc modules, thanks opfer for the list.
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-14 11:14:51 UTC
(In reply to comment #22)
> Readding ppc64 - I wonder why they didn't actually _test_ the plugin before
> stabilizing...

 Don't forget x86, done now.  I actually tested 1.97 (by ACCEPT_KEYWORDS=~x86) and stabled .96 from your list...shit happens. :)
Comment 26 Markus Rothe (RETIRED) gentoo-dev 2007-09-14 12:56:37 UTC
sorry, my fault. claws-mail-vcalendar-1.97 stable on ppc64 now.
Comment 27 Christoph Mende (RETIRED) gentoo-dev 2007-09-16 16:32:54 UTC
amd64 stable
Comment 28 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-17 17:47:52 UTC
(In reply to comment #19)
> mail-client/claws-mail-gtkhtml-0.15.2 amd64 ppc ppc64
> mail-client/claws-mail-mailmbox-1.14 amd64 ppc ppc64 sparc
> mail-client/claws-mail-rssyl-0.15 amd64 ppc ppc64

ppc stable
Comment 29 Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 18:11:31 UTC
That's the last one. GLSA, anyone?
Comment 30 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-25 22:13:41 UTC
(In reply to comment #29)
> That's the last one. GLSA, anyone?
> 

yeah, it's 200710-29!