Bug 570692 (CVE-2015-8708) - <mail-client/claws-mail-3.13.2: Stack Overflow (incomplete fix for CVE-2015-8614) (CVE-2015-8708)
Status: RESOLVED FIXED
Alias: CVE-2015-8708
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: 525588 CVE-2015-8614
Reported: 2016-01-03 09:46 UTC by Agostino Sarubbo
Modified: 2016-06-26 12:42 UTC
Description Agostino Sarubbo gentoo-dev 2016-01-03 09:46:55 UTC
From ${URL} :

Note that two of the bounds checks added in that commit are incorrect:

1. In conv_jistoeuc() the check uses > rather than <, which causes all
   conversions to return an empty string.  This is presumably not a
   security issue, but is a regression.

3. In conv_euctojis() the comparison is with outlen - 3, but each pass
   through the loop uses up to 5 bytes and the rest of the function may
   add another 4 bytes.  The comparison should presumably be 
   '<= outlen - 9' or equivalently '< outlen - 8'.

The first check is fixed by a later commit:
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
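
The slack arithmetic from the report above, as an added example that is not part of the original bug report and is not claws-mail code. It assumes a toy two-mode encoder (the names `encode`, `put`, `worst_case_dropped` and `BUFCAP` are hypothetical) built on the report's numbers, at most 5 bytes per loop pass and 4 after the loop, and it counts rather than performs any store past the buffer, using constructed input.

```c
#include <stdio.h>
#include <string.h>

#define BUFCAP 64
struct out { char buf[BUFCAP]; size_t cap, pos, dropped; };

/* Record, rather than perform, any store past `cap`. */
static void put(struct out *o, const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++, o->pos++)
        if (o->pos < o->cap) o->buf[o->pos] = s[i]; else o->dropped++;
}

/* Toy two-mode encoder (not claws-mail code): one pass emits up to 5 bytes,
 * the tail up to 4. The loop guard is pos < outlen - slack.
 * Returns how many bytes would have landed past the end of the buffer. */
static size_t encode(const unsigned char *in, size_t inlen, size_t outlen, size_t slack)
{
    struct out o = { {0}, outlen, 0, 0 };
    size_t limit = outlen > slack ? outlen - slack : 0, i = 0;
    int wide = 0;
    if (outlen > BUFCAP) return (size_t)-1;
    while (i < inlen && o.pos < limit) {
        size_t w = ((in[i] & 0x80) && i + 1 < inlen) ? 2 : 1; /* input bytes used */
        char ch[2] = { (char)(in[i] & 0x7f), w == 2 ? (char)(in[i + 1] & 0x7f) : 0 };
        if ((w == 2) != wide) { put(&o, wide ? "\033(B" : "\033$B", 3); wide = !wide; }
        put(&o, ch, w);                         /* 1 or 2 payload bytes */
        i += w;
    }
    if (wide) put(&o, "\033(B", 3);             /* tail: switch back ... */
    put(&o, "", 1);                             /* ... plus terminating NUL */
    return o.dropped;
}

/* Constructed worst case: fill to one byte below the guard, then one wide char. */
static size_t worst_case_dropped(size_t outlen, size_t slack)
{
    unsigned char in[BUFCAP + 2];
    size_t n = outlen > slack ? outlen - slack - 1 : 0;
    if (outlen > BUFCAP) return (size_t)-1;
    memset(in, 'a', n);
    in[n] = 0xa4; in[n + 1] = 0xa2;
    return encode(in, n + 2, outlen, slack);
}

int main(void)
{
    printf("slack 3: %zu past end; slack 8: %zu\n", worst_case_dropped(16, 3), worst_case_dropped(16, 8));
    return 0;
}
```

The last pass can start one byte below the guard, so the reserve has to cover a full pass plus the tail minus that one byte, which is the `< outlen - 8` figure the report gives.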
Comment 1 Hanno Böck gentoo-dev 2016-01-22 23:38:17 UTC
According to the upstream bug this was fixed now:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557
And there's just been a new release (3.13.2) which is already in the tree, so I think what's left to do is stabilize it.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2016-02-25 07:59:49 UTC
3.13.2 in tree for 30+ days, no open bugs against it. Calling for stabilization:

Arches, please test and mark stable:

=mail-client/claws-mail-3.13.2

Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Thank you!
Comment 3 Jeroen Roovers gentoo-dev 2016-02-27 09:09:57 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-02 13:59:54 UTC
amd64 stable
Comment 5 Tobias Klausmann gentoo-dev 2016-03-14 19:48:50 UTC
Stable on alpha.
Comment 6 Tobias Klausmann gentoo-dev 2016-03-14 19:50:47 UTC
Scratch that. Dependencies missing.

Putting this on the back burner while I deal with other security stuff (since that is the only pushback I have).
Comment 7 Lars Wendler (Polynomial-C) gentoo-dev 2016-03-15 08:32:46 UTC
(In reply to Tobias Klausmann from comment #6)
> Scratch that. Dependencies missing.
> 
> Putting this on the back burner while I deal with other security stuff
> (since that is the only pushback I have).

Yeah, the following dependencies also need stabilization:

USE="gdata":
=dev-libs/libgdata-0.17.4-r1

USE="webkit":
=net-libs/webkit-gtk-2.4.9-r200

repoman didn't show any additional dependencies for these two packages regarding alpha. Feel free to mask any of these USE flags.
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-15 16:41:42 UTC
x86 stable
Comment 9 Tobias Klausmann gentoo-dev 2016-03-17 10:17:53 UTC
I stable-masked the webkit USE flag for alpha, thus avoiding the need to stabilize it for claws-mail.

libgdata (and its test-dep uhttpmock) I stabilized for alpha, along with claws-mail-3.13.2.
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-17 11:34:22 UTC
ppc and ppc64 will drop to ~arch version until there will be stable requests.
Comment 11 Agostino Sarubbo gentoo-dev 2016-03-19 13:15:00 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Lars Wendler (Polynomial-C) gentoo-dev 2016-03-20 17:25:09 UTC
commit e002a44aed76da951c85d7f7ec1e2298f06120be
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Mar 20 18:14:39 2016

    mail-client/claws-mail: Security cleanup (bug #570692).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2016-04-26 06:25:43 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 12:42:52 UTC
This issue was resolved and addressed in
 GLSA 201606-11 at https://security.gentoo.org/glsa/201606-11
by GLSA coordinator Aaron Bauman (b-man).