Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 84056 - mail-client/{sylpheed|sylpheed-claws} buffer overflow
Summary: mail-client/{sylpheed|sylpheed-claws} buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://sylpheed.good-day.net/
Whiteboard: B2 [glsa] jaervosz
Keywords:
: 84379 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-03-04 01:03 UTC by fbusse
Modified: 2005-03-21 06:22 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description fbusse 2005-03-04 01:03:36 UTC
Hello,
The new version fixes at least one critical buffer overflow, which has been fixed in 1.0.3 and the svn-branch for the development-version. Here's the annoucement:

From: Hiroyuki Yamamoto <hiro-y@kcn.ne.jp>

Hello,

Since a buffer overflow bug was found, I've made an urgent release of
1.0.3. This problem exists in almost all of the older version, so be
sure to upgrade. In the development version, it is fixed on the svn
trunk.

Changes:

 * A buffer overflow which occurred when replying to a message with
   certain headers which contain non-ascii characters was fixed.
 * A memory leak of the composition window was fixed.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-04 01:23:54 UTC
Akinori please bump.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-06 02:11:14 UTC
hattya / net-mail: please bump to 1.0.3
Comment 3 fbusse 2005-03-07 01:45:23 UTC
Development version 1.9.5 with the same fix has been released.
Comment 4 fbusse 2005-03-07 11:36:44 UTC
The new version in portage (1.9.5) works fine for me, but please also include the references-patch from 1.9.2 (works without change for 1.9.5 as well).
Comment 5 Daniel Webert 2005-03-08 05:36:03 UTC
*** Bug 84379 has been marked as a duplicate of this bug. ***
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-09 12:53:44 UTC
*sylpheed-1.0.3 (07 Mar 2005)

  07 Mar 2005; Akinori Hattori <hattya@gentoo.org> +sylpheed-1.0.3.ebuild:
  new upstream release. fixes bug #84056 and #84379.

Thx for noting Langthan.

Akinori Hattori please comment on the bug next time.

Arches please test and mark stable.
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-09 13:11:40 UTC
Stable on ppc.
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-09 13:14:28 UTC
Oopps. Reopen.
Comment 9 Danny van Dyk (RETIRED) gentoo-dev 2005-03-09 16:29:08 UTC
Stable on amd64.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-03-09 22:32:20 UTC
stable on ppc64
Comment 11 rob holland (RETIRED) gentoo-dev 2005-03-10 03:28:09 UTC
a quick look at compose.c in sylpheed-claws suggests its vulnerable to the compose overflow.
Comment 12 rob holland (RETIRED) gentoo-dev 2005-03-10 03:33:27 UTC
I used this patch as a reference:

http://sylpheed.good-day.net/sylpheed/v1.0/sylpheed-1.0.2-1.0.3.patch.gz

And checked the source after:

rob@leet ~ $ sudo ebuild /usr/portage/mail-client/sylpheed-claws/sylpheed-claws-1.0.1.1.ebuild unpack

This version is vulnerable to the overflow which the above patch correct in sylpheed.

I haven't checked other versions, but I assume they also contain the flaw.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-10 03:36:33 UTC
Adding genone to advise on sylpheed-claws.
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-10 05:49:20 UTC
sparc stable.
Comment 15 Marius Mauch (RETIRED) gentoo-dev 2005-03-10 11:28:40 UTC
-claws is also affected, 1.0.3 has the patch and just got into cvs as ~arch as I still have to test it a little bit more and also check the plugins.
Comment 16 Marius Mauch (RETIRED) gentoo-dev 2005-03-12 06:56:34 UTC
sylpheed-claws-1.0.3 marked stable on x86 and amd64, still needs ppc, sparc and alpha love.
Comment 17 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-12 08:03:58 UTC
Stable on ppc.
Comment 18 Jason Wever (RETIRED) gentoo-dev 2005-03-12 11:35:39 UTC
Stable on SPARC.
Comment 19 Guy Martin (RETIRED) gentoo-dev 2005-03-14 00:57:02 UTC
Stable on hppa \o/
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-03-14 01:30:36 UTC
sylpheed-1.0.3 still needs x86 and alpha stable (ia64 should also mark stable)
sylpheed-claws-1.0.3 still needs alpha stable
Comment 21 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-17 13:20:46 UTC
Alpha stable.
Comment 22 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-18 13:50:36 UTC
Hattya, please mark Sylpeed stable on x86.
Comment 23 Luke Macken (RETIRED) gentoo-dev 2005-03-20 14:40:43 UTC
  19 Mar 2005; Akinori Hattori <hattya@gentoo.org> sylpheed-1.0.3.ebuild:
  stable on x86. fixes bug #84056.

Thanks hattya, but please update the bug next time.  Ready for GLSA.
Comment 24 Luke Macken (RETIRED) gentoo-dev 2005-03-20 15:53:13 UTC
GLSA 200503-26.

ia64, please mark stable to benefit from GLSA.
Comment 25 Akinori Hattori gentoo-dev 2005-03-21 06:22:03 UTC
Stable on ia64.