Bug 27427

Summary: claws-mail new security issue CVE-2020-16094
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: jani.valimaa, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: claws-mail-3.17.6-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-10-15 19:07:58 CEST 
Fedora has issued an advisory today (October 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUBLHUG2UCXVABAGN5FVTD3AB3YKE5NN/

The issue is fixed upstream in 3.17.7.
David Walser 2020-10-15 19:08:18 CEST

CC: (none) => jani.valimaa

Comment 1 David Walser 2020-10-15 22:10:13 CEST 
Updated package uploaded for Mageia 7 by Jani.

Advisory:
========================

Updated claws-mail packages fix security vulnerability:

In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious IMAP
server can trigger stack consumption because of unlimited recursion into
subdirectories during a rebuild of the folder tree (CVE-2020-16094).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16094
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUBLHUG2UCXVABAGN5FVTD3AB3YKE5NN/
========================

Updated packages in core/updates_testing:
========================
claws-mail-3.17.7-1.mga7
claws-mail-tools-3.17.7-1.mga7
claws-mail-devel-3.17.7-1.mga7
claws-mail-plugins-3.17.7-1.mga7
claws-mail-acpi-plugin-3.17.7-1.mga7
claws-mail-address_keeper-plugin-3.17.7-1.mga7
claws-mail-archive-plugin-3.17.7-1.mga7
claws-mail-att_remover-plugin-3.17.7-1.mga7
claws-mail-attachwarner-plugin-3.17.7-1.mga7
claws-mail-bogofilter-plugin-3.17.7-1.mga7
claws-mail-bsfilter-plugin-3.17.7-1.mga7
claws-mail-clamd-plugin-3.17.7-1.mga7
claws-mail-dillo-plugin-3.17.7-1.mga7
claws-mail-fetchinfo-plugin-3.17.7-1.mga7
claws-mail-gdata-plugin-3.17.7-1.mga7
claws-mail-libravatar-plugin-3.17.7-1.mga7
claws-mail-litehtml_viewer-plugin-3.17.7-1.mga7
claws-mail-mailmbox-plugin-3.17.7-1.mga7
claws-mail-managesieve-plugin-3.17.7-1.mga7
claws-mail-newmail-plugin-3.17.7-1.mga7
claws-mail-notification-plugin-3.17.7-1.mga7
claws-mail-pdf_viewer-plugin-3.17.7-1.mga7
claws-mail-perl-plugin-3.17.7-1.mga7
claws-mail-pgpcore-plugin-3.17.7-1.mga7
claws-mail-pgpinline-plugin-3.17.7-1.mga7
claws-mail-pgpmime-plugin-3.17.7-1.mga7
claws-mail-python-plugin-3.17.7-1.mga7
claws-mail-rssyl-plugin-3.17.7-1.mga7
claws-mail-smime-plugin-3.17.7-1.mga7
claws-mail-spamassassin-plugin-3.17.7-1.mga7
claws-mail-spam_report-plugin-3.17.7-1.mga7
claws-mail-vcalendar-plugin-3.17.7-1.mga7

from claws-mail-3.17.7-1.mga7.src.rpm

Assignee: julien.moragny => qa-bugs

Comment 2 Aurelien Oudelet 2020-10-21 11:34:48 CEST 
Testing this on M7-GNOME env x86_64

Update smoothly.
Testing pop, imap, ssl/imap, ssl/pop with free.fr provider. OK
Testing send mail via smtp and ssl/smtp free.fr provider. OK

PGP key OK.
Notifications OK.
Gravatar OK.

Seems OK.
Validating.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => validated_update

Comment 3 Aurelien Oudelet 2020-10-21 11:37:47 CEST 
Advisory and packages in Comment 1.
Advisory pushed to svn.

Keywords: (none) => advisory

Comment 4 David Walser 2020-10-21 14:06:10 CEST 
The first bug fix in 3.17.8 sounds like a security issue as well:
https://claws-mail.org/news.php
Comment 5 Mageia Robot 2020-10-21 15:09:08 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0391.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED