Bug 29356

Summary:	sylpheed, claws-mail new security issue CVE-2021-37746
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	geiger.david68210, herman.viaene, jani.valimaa, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	sylpheed-3.7.0-4.mga8.src.rpm, claws-mail-3.17.8-3.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2021-08-11 06:49:36 CEST

Fedora has issued an advisory today (August 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RCJXHUSYHGVBSH2ULD7HNXLM7QNRECZ6/

The issue is fixed upstream in claws-mail 3.18.0, and Fedora has a patch for sylpheed.

The claws-mail package in Cauldron has already been updated.  Mageia 8 is affected for both packages.

David Walser 2021-08-11 06:50:17 CEST

Whiteboard: (none) => MGA8TOO
CC: (none) => geiger.david68210, jani.valimaa
Status comment: (none) => Fixed upstream in claws-mail 3.18.0, Patch available from Fedora for sylpheed

Comment 1 David Walser 2021-08-11 17:54:57 CEST

Fixed packages uploaded by Jani.

claws-mail-3.18.0-1.mga8
claws-mail-litehtml_viewer-plugin-3.18.0-1.mga8
claws-mail-devel-3.18.0-1.mga8
claws-mail-tools-3.18.0-1.mga8
claws-mail-vcalendar-plugin-3.18.0-1.mga8
claws-mail-notification-plugin-3.18.0-1.mga8
claws-mail-rssyl-plugin-3.18.0-1.mga8
claws-mail-mailmbox-plugin-3.18.0-1.mga8
claws-mail-pgpcore-plugin-3.18.0-1.mga8
claws-mail-managesieve-plugin-3.18.0-1.mga8
claws-mail-perl-plugin-3.18.0-1.mga8
claws-mail-archive-plugin-3.18.0-1.mga8
claws-mail-spamassassin-plugin-3.18.0-1.mga8
claws-mail-pdf_viewer-plugin-3.18.0-1.mga8
claws-mail-libravatar-plugin-3.18.0-1.mga8
claws-mail-clamd-plugin-3.18.0-1.mga8
claws-mail-bogofilter-plugin-3.18.0-1.mga8
claws-mail-gdata-plugin-3.18.0-1.mga8
claws-mail-bsfilter-plugin-3.18.0-1.mga8
claws-mail-acpi-plugin-3.18.0-1.mga8
claws-mail-smime-plugin-3.18.0-1.mga8
claws-mail-pgpmime-plugin-3.18.0-1.mga8
claws-mail-pgpinline-plugin-3.18.0-1.mga8
claws-mail-spam_report-plugin-3.18.0-1.mga8
claws-mail-att_remover-plugin-3.18.0-1.mga8
claws-mail-address_keeper-plugin-3.18.0-1.mga8
claws-mail-dillo-plugin-3.18.0-1.mga8
claws-mail-attachwarner-plugin-3.18.0-1.mga8
claws-mail-fetchinfo-plugin-3.18.0-1.mga8
claws-mail-newmail-plugin-3.18.0-1.mga8
claws-mail-plugins-3.18.0-1.mga8
sylpheed-3.7.0-4.1.mga8
libsylpheed0_1-3.7.0-4.1.mga8
libsylpheed-devel-3.7.0-4.1.mga8

from SRPMS:
claws-mail-3.18.0-1.mga8.src.rpm
sylpheed-3.7.0-4.1.mga8.src.rpm

Status comment: Fixed upstream in claws-mail 3.18.0, Patch available from Fedora for sylpheed => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2021-08-13 15:08:22 CEST

MGA8-64 Plasma on Lenovo B50
No installation issues.
Tested both sylpheed and claws-mail to access my hotmail account. Receiving and sending to other account works OK in both.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

David Walser 2021-08-14 21:16:41 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 3 David Walser 2021-08-14 21:21:44 CEST

Advisory:
========================

Updated sylpheed and claws-mail packages fix security vulnerability:

The textview_uri_security_check() function in textview.c in Claws Mail before
3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before
accepting a click (CVE-2021-37746).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37746
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RCJXHUSYHGVBSH2ULD7HNXLM7QNRECZ6/

David Walser 2021-08-14 21:50:54 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-08-15 10:39:31 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0408.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED