| Summary: | claws-mail new security issue fixed upstream in 3.13.1 (CVE-2015-8614) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, jani.valimaa, julien.moragny, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/669041/ | ||
| Whiteboard: | MGA5-64-OK advisory | ||
| Source RPM: | claws-mail-3.11.1-2.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-12-21 21:49:56 CET
David Walser
2015-12-21 21:50:04 CET
CC:
(none) =>
jani.valimaa CVE-2015-8614 has been assigned: http://openwall.com/lists/oss-security/2015/12/22/2 Summary:
claws-mail new security issue fixed upstream in 3.13.1 =>
claws-mail new security issue fixed upstream in 3.13.1 (CVE-2015-8614) Hi, I don't have access to my computer til next week. I'll look at it when I get back Regzrds Julien
David Walser
2015-12-23 21:58:28 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/669041/ Note that an additional commit from upstream is needed: http://openwall.com/lists/oss-security/2015/12/31/1 It is linked at the bottom of the message above. That commit should also be added in Cauldron, in which it fixes CVE-2015-8708 (for the incomplete fix for CVE-2015-8614). That additional CVE isn't relevant for Mageia 5, since we haven't fixed this yet. Fedora has issued an advisory for this on December 30: https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174741.html Patch for CVE-2015-8708 added to Cauldron's claws-mail. About mga5, should we bump 3.11.1 -> 3.13.1 with CVE-2015-8708 fix? Update to 3.13.1 is a bit problematical as claws-mail-gdata-plugin requires newer libgdata than is available in mga5 (0.16.1 available and >= 0.17.1 required). New libgdata would mean new libmajor -> rebuilds. Hello all, To begin with Happy New Year! And thanks for the update on the cauldron package. I just pushed an update for mga5 in update_testing. Below is a proposition for the advisory : ======================== Updated claws-mail fix security vulnerabilities: no bounds checking on the output buffer in conv_jistoeuc, conv_euctojis, conv_sjistoeuc A Tails contributor found a vulnerability in claws-mail where in codeconv.c a function for japanese character set conversion called conv_jistoeuc() has no bounds checking on the output buffer which is created on the stack with alloca() (CVE-2015-8614). References: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557 https://bugs.mageia.org/show_bug.cgi?id=17380 https://security-tracker.debian.org/tracker/CVE-2015-8614 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8614 ======================== Updated packages in core/updates_testing: ======================== claws-mail-3.11.1-3.mga5 claws-mail-tools-3.11.1-3.mga5 claws-mail-devel-3.11.1-3.mga5 claws-mail-plugins-3.11.1-3.mga5 claws-mail-archive-plugin-3.11.1-3.mga5 claws-mail-bogofilter-plugin-3.11.1-3.mga5 claws-mail-gdata-plugin-3.11.1-3.mga5 claws-mail-smime-plugin-3.11.1-3.mga5 claws-mail-pgpcore-plugin-3.11.1-3.mga5 claws-mail-pgpinline-plugin-3.11.1-3.mga5 claws-mail-pgpmime-plugin-3.11.1-3.mga5 claws-mail-spamassassin-plugin-3.11.1-3.mga5 claws-mail-acpi-plugin-3.11.1-3.mga5 claws-mail-att_remover-plugin-3.11.1-3.mga5 claws-mail-bsfilter-plugin-3.11.1-3.mga5 claws-mail-fancy-plugin-3.11.1-3.mga5 claws-mail-fetchinfo-plugin-3.11.1-3.mga5 claws-mail-mailmbox-plugin-3.11.1-3.mga5 claws-mail-newmail-plugin-3.11.1-3.mga5 claws-mail-notification-plugin-3.11.1-3.mga5 claws-mail-perl-plugin-3.11.1-3.mga5 claws-mail-python-plugin-3.11.1-3.mga5 claws-mail-rssyl-plugin-3.11.1-3.mga5 claws-mail-vcalendar-plugin-3.11.1-3.mga5 claws-mail-vcalendar-plugin-devel-3.11.1-3.mga5 claws-mail-attachwarner-plugin-3.11.1-3.mga5 claws-mail-spam_report-plugin-3.11.1-3.mga5 claws-mail-tnef_parse-plugin-3.11.1-3.mga5 claws-mail-address_keeper-plugin-3.11.1-3.mga5 claws-mail-clamd-plugin-3.11.1-3.mga5 claws-mail-pdf_viewer-plugin-3.11.1-3.mga5 claws-mail-libravatar-plugin-3.11.1-3.mga5 claws-mail-debuginfo-3.11.1-3.mga5 Source RPM: claws-mail-3.11.1-3.mga5.src.rpm Thanks Julien and Jani! Assigning to QA. Advisory and package list in Comment 8. CC:
(none) =>
julien.moragny FWIW, the x86_64 packages install without pb and I don't see a difference with my usual usage. Testing MGA5 x64, OK Like Comment 10, I use Claws Mail routinely. Before the update I tried one of the POCs http://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=1602 in bug http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3563 but it sent & received without error... Updated to: claws-mail-3.11.1-3.mga5 claws-mail-bogofilter-plugin-3.11.1-3.mga5 claws-mail-fancy-plugin-3.11.1-3.mga5 claws-mail-pgpcore-plugin-3.11.1-3.mga5 claws-mail-pgpmime-plugin-3.11.1-3.mga5 and played with it a bit, including re-trying the POC. So with the confirmation above - OK. CC:
(none) =>
lewyssmith
Dave Hodgins
2016-01-12 07:29:27 CET
Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0008.html Status:
NEW =>
RESOLVED |