From ${URL} :

Description
Some vulnerabilities with an unknown impact have been reported in Sylpheed. The vulnerabilities are caused due to some unspecified errors, which can be exploited to cause buffer overflows. No further information is currently available. The vulnerabilities are reported in versions prior to 3.3.1.

Solution: Update to version 3.3.1 or later.

Provided and/or discovered by: Reported by the vendor.

Original Advisory: http://www.sraoss.jp/pipermail/sylpheed/2014-March/005979.html

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
*** Bug 502822 has been marked as a duplicate of this bug. ***
=mail-client/sylpheed-3.4.1 is ready to stabilize
arches, please stabilize: =mail-client/sylpheed-3.4.2
Stable for HPPA PPC64.
amd64 stable
x86 stable
Stable on alpha.
ppc stable
sparc stable
ia64 stable
Maintainer(s), thank you for the cleanup. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
dropped <mail-client/sylpheed-3.4.2
In communication with upstream:

I have released a security update for libraries included in the Windows binary package, but there is no CVE for Sylpheed 3.4.x itself.

--
Hiroyuki Yamamoto <yamamoto@sraoss.co.jp>
SRA OSS, Inc. Japan
(In reply to Yury German from comment #13)
> In communication with upstream:
>
> I have released a security update for libraries included in the Windows
> binary package, but there is no CVE for Sylpheed 3.4.x itself.
>
> --
> Hiroyuki Yamamoto <yamamoto@sraoss.co.jp>
> SRA OSS, Inc. Japan

So the vulnerability has been mitigated in the tree with the removal of < 3.4.2. Why wait on a CVE from something released in 2014?
No PoC for buffer overflow or ACE/RCE. Code was audited via static analysis and never followed up with. Redesignating. GLSA Vote: No