Bug 7886

Summary: claws-mail new security issue CVE-2012-4507
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: marc.lattemann, shlomif, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/520758/
Whiteboard: MGA1TOO, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK, MGA1-64-OK
Source RPM: claws-mail-3.8.0-3.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-10-23 16:52:50 CEST 
OpenSuSE has issued an advisory on October 22:
http://lists.opensuse.org/opensuse-updates/2012-10/msg00064.html

Patched packages uploaded for Mageia 1 and Cauldron.

Updated package uploaded for Mageia 2 (release version doesn't build).

Advisory:
========================

Updated claws-mail packages fix security vulnerability:

The strchr function in procmime.c in Claws Mail (aka claws-mail) 3.8.1
and earlier allows remote attackers to cause a denial of service (NULL
pointer dereference and crash) via a crafted email (CVE-2012-4507).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4507
http://lists.opensuse.org/opensuse-updates/2012-10/msg00064.html
========================

Updated packages in core/updates_testing:
========================
claws-mail-3.7.8-2.1.mga1
claws-mail-devel-3.7.8-2.1.mga1
claws-mail-bogofilter-plugin-3.7.8-2.1.mga1
claws-mail-smime-plugin-3.7.8-2.1.mga1
claws-mail-dillo_viewer-plugin-3.7.8-2.1.mga1
claws-mail-pgpcore-plugin-3.7.8-2.1.mga1
claws-mail-pgpinline-plugin-3.7.8-2.1.mga1
claws-mail-pgpmime-plugin-3.7.8-2.1.mga1
claws-mail-spamassassin-plugin-3.7.8-2.1.mga1
claws-mail-trayicon-plugin-3.7.8-2.1.mga1
claws-mail-3.8.1-1.mga2
claws-mail-devel-3.8.1-1.mga2
claws-mail-bogofilter-plugin-3.8.1-1.mga2
claws-mail-smime-plugin-3.8.1-1.mga2
claws-mail-dillo_viewer-plugin-3.8.1-1.mga2
claws-mail-pgpcore-plugin-3.8.1-1.mga2
claws-mail-pgpinline-plugin-3.8.1-1.mga2
claws-mail-pgpmime-plugin-3.8.1-1.mga2
claws-mail-spamassassin-plugin-3.8.1-1.mga2
claws-mail-trayicon-plugin-3.8.1-1.mga2

from SRPMS:
claws-mail-3.7.8-2.1.mga1.src.rpm
claws-mail-3.8.1-1.mga2.src.rpm
David Walser 2012-10-23 16:52:58 CEST

Whiteboard: (none) => MGA1TOO

Comment 1 Shlomi Fish 2012-10-27 20:18:13 CEST 
The new claws-mails works fine on Mageia Linux 2 x86-64.

Regards,

-- Shlomi Fish

CC: (none) => shlomif
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK

Comment 2 claire robinson 2012-10-29 19:22:16 CET 
Possible PoC: https://bugzilla.redhat.com/show_bug.cgi?id=862578#c11
Comment 3 Marc Lattemann 2012-10-29 22:48:38 CET 
couldn't reproduce PoC from Comment #2. Maybe I did something wrong?

However tested standard mail features (receiving and sending mails) and no issues detected. Tested on mga2/1 i586 and x86_64.

validating updates.

see Advisory and src-rpm in Description.

Could sysadmin push packages to Updates? Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK, MGA1-64-OK

Comment 4 David Walser 2012-10-29 22:53:38 CET 
(In reply to comment #3)
> couldn't reproduce PoC from Comment #2. Maybe I did something wrong?

Did you download the attachment (which is actually called xx0008, not x0008)?

Did you then cat that file to /var/spool/mail/${USER}   ?  It should be USER and not HOME as in the bug post.

Did you configure claws-mail to use your local UNIX mbox account and try to open the inbox?  Did you then try to open the messages?
Comment 5 Thomas Backlund 2012-10-29 23:11:58 CET 
dropping validated status as tests are still going on...

Keywords: validated_update => (none)
CC: (none) => tmb

Comment 6 claire robinson 2012-10-30 15:39:40 CET 
Configured claws-mail to use mbox format at /var/mail/claire (that is the default and is symlinked to spool/mail).

Started it and then ..

$ cat xx0008 >> /var/mail/claire

When I get new messages I can see the new message but it doesn't cause any crash in release or update.

Revalidating based on Marc's previous testing.

Advisory & srpms in comment 0

Thanks

Keywords: (none) => validated_update

Comment 7 Marc Lattemann 2012-10-30 15:54:13 CET 
(In reply to comment #6)
> When I get new messages I can see the new message but it doesn't cause any
> crash in release or update.

I agree: with the help of David I could get the local mbox working but claws did not crash according to the PoC.

CC: (none) => marc.lattemann

Comment 8 Thomas Backlund 2012-10-30 22:39:56 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0318

Status: NEW => RESOLVED
Resolution: (none) => FIXED