Bug 17722

Summary: claws-mail new security issue CVE-2015-8708
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: julien.moragny, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/674837/
Whiteboard: advisory MGA5-64-OK
Source RPM: claws-mail-3.11.1-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-02-09 18:24:27 CET 
Fedora has issued an advisory on February 7:
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176949.html

Jani has already fixed the issue with a patch in Mageia 5 SVN (and Cauldron has been updated to 3.13.2 to fix this), but we still need to push an update for it.

Reproducible: 

Steps to Reproduce:
David Walser 2016-02-09 18:24:38 CET

CC: (none) => julien.moragny

Comment 1 Julien Moragny 2016-02-14 13:40:40 CET 
Hi, 

Thanks to Jani, packages are already in update_testing. So here is a a proposition of advisory :

========================

Updated claws-mail fix security vulnerabilities CVE-2015-8708:

A stack-based buffer overflow has been found in conv_euctojis() after applying 
incomplete patch for CVE-2015-8614. In conv_euctojis() the comparison is with 
outlen - 3, but each pass through the loop uses up to 5 bytes and the rest of the function may add another 4 bytes. The comparison should presumably be
 '<= outlen - 9' or equivalently '< outlen - 8'.

References:
https://bugs.mageia.org/show_bug.cgi?id=17722
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176949.html
https://security-tracker.debian.org/tracker/CVE-2015-8708

========================

Updated packages in core/updates_testing:
========================
claws-mail-3.11.1-3.1mga5
claws-mail-tools-3.11.1-3.1mga5
claws-mail-devel-3.11.1-3.1mga5
claws-mail-plugins-3.11.1-3.1mga5
claws-mail-archive-plugin-3.11.1-3.1mga5
claws-mail-bogofilter-plugin-3.11.1-3.1mga5
claws-mail-gdata-plugin-3.11.1-3.1mga5
claws-mail-smime-plugin-3.11.1-3.1mga5
claws-mail-pgpcore-plugin-3.11.1-3.1mga5
claws-mail-pgpinline-plugin-3.11.1-3.1mga5
claws-mail-pgpmime-plugin-3.11.1-3.1mga5
claws-mail-spamassassin-plugin-3.11.1-3.1mga5
claws-mail-acpi-plugin-3.11.1-3.1mga5
claws-mail-att_remover-plugin-3.11.1-3.1mga5
claws-mail-bsfilter-plugin-3.11.1-3.1mga5
claws-mail-fancy-plugin-3.11.1-3.1mga5
claws-mail-fetchinfo-plugin-3.11.1-3.1mga5
claws-mail-mailmbox-plugin-3.11.1-3.1mga5
claws-mail-newmail-plugin-3.11.1-3.1mga5
claws-mail-notification-plugin-3.11.1-3.1mga5
claws-mail-perl-plugin-3.11.1-3.1mga5
claws-mail-python-plugin-3.11.1-3.1mga5
claws-mail-rssyl-plugin-3.11.1-3.1mga5
claws-mail-vcalendar-plugin-3.11.1-3.1mga5
claws-mail-vcalendar-plugin-devel-3.11.1-3.1mga5
claws-mail-attachwarner-plugin-3.11.1-3.1mga5
claws-mail-spam_report-plugin-3.11.1-3.1mga5
claws-mail-tnef_parse-plugin-3.11.1-3.1mga5
claws-mail-address_keeper-plugin-3.11.1-3.1mga5
claws-mail-clamd-plugin-3.11.1-3.1mga5
claws-mail-pdf_viewer-plugin-3.11.1-3.1mga5
claws-mail-libravatar-plugin-3.11.1-3.1mga5
claws-mail-debuginfo-3.11.1-3.1mga5


Source RPM:
claws-mail-3.11.1-3.1mga5.src.rpm

Status: NEW => ASSIGNED

Comment 2 Julien Moragny 2016-02-14 13:43:24 CET 
Scratch comment 1, there is an error in the numbering of the packages:


========================

Updated claws-mail fix security vulnerabilities CVE-2015-8708:

A stack-based buffer overflow has been found in conv_euctojis() after applying 
incomplete patch for CVE-2015-8614. In conv_euctojis() the comparison is with 
outlen - 3, but each pass through the loop uses up to 5 bytes and the rest of the function may add another 4 bytes. The comparison should presumably be
 '<= outlen - 9' or equivalently '< outlen - 8'.

References:
https://bugs.mageia.org/show_bug.cgi?id=17722
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176949.html
https://security-tracker.debian.org/tracker/CVE-2015-8708

========================

Updated packages in core/updates_testing:
========================
claws-mail-3.11.1-3.1.mga5
claws-mail-tools-3.11.1-3.1.mga5
claws-mail-devel-3.11.1-3.1.mga5
claws-mail-plugins-3.11.1-3.1.mga5
claws-mail-archive-plugin-3.11.1-3.1.mga5
claws-mail-bogofilter-plugin-3.11.1-3.1.mga5
claws-mail-gdata-plugin-3.11.1-3.1.mga5
claws-mail-smime-plugin-3.11.1-3.1.mga5
claws-mail-pgpcore-plugin-3.11.1-3.1.mga5
claws-mail-pgpinline-plugin-3.11.1-3.1.mga5
claws-mail-pgpmime-plugin-3.11.1-3.1.mga5
claws-mail-spamassassin-plugin-3.11.1-3.1.mga5
claws-mail-acpi-plugin-3.11.1-3.1.mga5
claws-mail-att_remover-plugin-3.11.1-3.1.mga5
claws-mail-bsfilter-plugin-3.11.1-3.1.mga5
claws-mail-fancy-plugin-3.11.1-3.1.mga5
claws-mail-fetchinfo-plugin-3.11.1-3.1.mga5
claws-mail-mailmbox-plugin-3.11.1-3.1.mga5
claws-mail-newmail-plugin-3.11.1-3.1.mga5
claws-mail-notification-plugin-3.11.1-3.1.mga5
claws-mail-perl-plugin-3.11.1-3.1.mga5
claws-mail-python-plugin-3.11.1-3.1.mga5
claws-mail-rssyl-plugin-3.11.1-3.1.mga5
claws-mail-vcalendar-plugin-3.11.1-3.1.mga5
claws-mail-vcalendar-plugin-devel-3.11.1-3.1.mga5
claws-mail-attachwarner-plugin-3.11.1-3.1.mga5
claws-mail-spam_report-plugin-3.11.1-3.1.mga5
claws-mail-tnef_parse-plugin-3.11.1-3.1.mga5
claws-mail-address_keeper-plugin-3.11.1-3.1.mga5
claws-mail-clamd-plugin-3.11.1-3.1.mga5
claws-mail-pdf_viewer-plugin-3.11.1-3.1.mga5
claws-mail-libravatar-plugin-3.11.1-3.1.mga5
claws-mail-debuginfo-3.11.1-3.1.mga5


Source RPM:
claws-mail-3.11.1-3.1.mga5.src.rpm
Comment 3 Julien Moragny 2016-02-14 13:46:13 CET 
FWIW, I'm using this version (from update_testing) for some days without problem on MGA5 x86_64.
reassigning to qa-bugs

Assignee: jani.valimaa => qa-bugs

David Walser 2016-02-14 16:23:25 CET

Whiteboard: (none) => MGA5-64-OK

Comment 4 Lewis Smith 2016-02-14 21:03:50 CET 
Testing M5 x64

I use claws-mail routinely, but only some pkgs, which I updated:
 claws-mail-3.11.1-3.1.mga5
 claws-mail-bogofilter-plugin-3.11.1-3.1.mga5
 claws-mail-fancy-plugin-3.11.1-3.1.mga5
 claws-mail-pgpcore-plugin-3.11.1-3.1.mga5
 claws-mail-pgpmime-plugin-3.11.1-3.1.mga5

Have just used the result for various tasks, all works as usual.
So I QA confirm the x64 OK.

CC: (none) => lewyssmith

Comment 5 claire robinson 2016-02-15 11:38:39 CET 
Validating. Advisory uploaded.

Please push to 5 updates, thanks.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-02-17 20:21:49 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0067.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED