From ${URL} :

Note that two of the bounds checks added in that commit are incorrect:

1. In conv_jistoeuc() the check uses > rather than <, which causes all conversions to return an empty string. This is presumably not a security issue, but is a regression.

3. In conv_euctojis() the comparison is with outlen - 3, but each pass through the loop uses up to 5 bytes and the rest of the function may add another 4 bytes. The comparison should presumably be '<= outlen - 9' or equivalently '< outlen - 8'.

The first check is fixed by a later commit: http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
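As an added illustration of the arithmetic in point 3 above (this is a hypothetical model written for this page, not claws-mail's conv_euctojis() code), the encoder below writes up to 5 bytes per loop pass and up to 4 bytes after the loop; the 3-byte escape sequences, the 2-byte character cost and the function names are assumptions. A guard that only keeps 3 bytes of slack lets the last pass run past the buffer, while 9 bytes of slack does not.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the kind of encoder the note describes; it is not
 * claws-mail's code. Bytes < 0x80 are ASCII and cost 1 byte; bytes >= 0x80
 * are taken in pairs and cost 2 bytes. Entering the 2-byte set costs a 3-byte
 * escape, so one loop pass writes at most 3 + 2 = 5 bytes. After the loop,
 * returning to ASCII costs another 3-byte escape plus the NUL: 4 more bytes.
 * A loop guard must therefore leave 5 + 4 = 9 bytes of room, not 3. */
static long encode_model(const unsigned char *in, size_t inlen,
                         char *out, size_t outlen, size_t slack)
{
    size_t i = 0, o = 0;
    int kanji = 0;

    while (i < inlen) {
        /* guard under test: "o <= outlen - slack", written without unsigned wrap */
        if (slack > outlen || o > outlen - slack)
            return -1;
        if (in[i] < 0x80) {
            if (kanji) { memcpy(out + o, "\x1b(B", 3); o += 3; kanji = 0; }
            out[o++] = (char)in[i++];
        } else {
            if (!kanji) { memcpy(out + o, "\x1b$B", 3); o += 3; kanji = 1; }
            out[o++] = (char)(in[i] & 0x7f);
            out[o++] = (char)(i + 1 < inlen ? in[i + 1] & 0x7f : 0x21);
            i += 2;
        }
    }
    if (kanji) { memcpy(out + o, "\x1b(B", 3); o += 3; }
    out[o] = '\0';
    return (long)o;
}

/* Encodes a constructed input (9 ASCII bytes, then one wide pair) with a
 * declared capacity `outlen` into a 64-byte backing buffer, so an over-run is
 * measured instead of corrupting memory. Returns how many bytes (NUL included)
 * landed past `outlen`; 0 means the guard held or the encoder refused. */
static size_t overrun_bytes(size_t outlen, size_t slack)
{
    static const unsigned char in[] = "aaaaaaaaa\xb0\xa1";   /* constructed */
    char backing[64] = {0};
    long n = encode_model(in, sizeof in - 1, backing, outlen, slack);
    if (n < 0)
        return 0;
    size_t used = (size_t)n + 1;
    return used > outlen ? used - outlen : 0;
}
```

With a declared capacity of 12, the 3-byte guard lets 6 bytes spill past the end, whereas the 9-byte guard refuses early; with a capacity of exactly 18 the 9-byte guard still accepts the input, which fits.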
According to the upstream bug this was fixed now: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557 And there's just been a new release (3.13.2) which is already in the tree, so I think what's left to do is stabilize it.
3.13.2 in tree for 30+ days, no open bugs against it. Calling for stabilization:

Arches, please test and mark stable:
=mail-client/claws-mail-3.13.2
Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Thank you!
Stable for HPPA.
amd64 stable
Stable on alpha.
Scratch that. Dependencies missing. Putting this on the back burner while I deal with other security stuff (since that is the only pushback I have).
(In reply to Tobias Klausmann from comment #6)
> Scratch that. Dependencies missing.
>
> Putting this on the back burner while I deal with other security stuff
> (since that is the only pushback I have).

Yeah, the following dependencies also need stabilization:

USE="gdata": =dev-libs/libgdata-0.17.4-r1
USE="webkit": =net-libs/webkit-gtk-2.4.9-r200

repoman didn't show any additional dependencies for these two packages regarding alpha. Feel free to mask any of these USE flags.
x86 stable
I stable-masked the webkit USE flag for alpha, thus avoiding the need to stabilize it for claws-mail. libgdata (and its test-dep uhttpmock) I stabilized for alpha, along with claws-mail-3.13.2.
ppc and ppc64 will drop to the ~arch version until there are stable requests.
sparc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
commit e002a44aed76da951c85d7f7ec1e2298f06120be
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Mar 20 18:14:39 2016

    mail-client/claws-mail: Security cleanup (bug #570692).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201606-11 at https://security.gentoo.org/glsa/201606-11 by GLSA coordinator Aaron Bauman (b-man).