| Summary: | claws-mail-plugins new security issue CVE-2012-5527 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | jani.valimaa, julien.moragny, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/527917/ | | |
| Whiteboard: | has_procedure mga2-32-OK mga2-64-OK | | |
| Source RPM: | claws-mail-plugins | CVE: | |
| Status comment: | | | |
Description
David Walser
2012-12-04 00:13:45 CET
David Walser
2012-12-04 00:13:56 CET
CC:
(none) =>
julien.moragny
David Walser
2012-12-04 00:14:06 CET
CC:
(none) =>
jani.valimaa

Hi,

It impacts cauldron as well. I just pushed 3.9.0-2 with the upstream patch to fix this in cauldron.

I also pushed an update to updates_testing for mga2 but I messed up the release tag (2.1 instead of 1.2). I will ask sysadm to remove the packages.

Status:
NEW =>
ASSIGNED

claws-mail-plugins has been removed from updates_testing, so you may fix the release tag and resubmit.

Also, I just noticed that the name of the PDF viewer plugin doesn't quite match in mga2 and Cauldron. In mga2 it has an underscore, which seems to be correct and consistent with the way the other subpackages are named, but in Cauldron it doesn't have the underscore. I added it in mga2 when I had to update to 3.8.1 for a previous security update:
http://svnweb.mageia.org/packages/updates/2/claws-mail-plugins/current/SPECS/claws-mail-plugins.spec?r1=311823&r2=311825

I recommend renaming it in the Cauldron package. If you don't want to, it needs to obsolete the mga2 one.

Summary:
claws-mail-extra-plugins new security issue CVE-2012-5527 =>
claws-mail-plugins new security issue CVE-2012-5527
David Walser
2012-12-30 01:30:53 CET
Source RPM:
claws-mail-extra-plugins =>
claws-mail-plugins

Thank you

Here is a proposal of advisory:

========================

Updated claws-mail-plugins packages fix security vulnerabilities:

A security flaw was found in the way vCalendar plug-in of Claws Mail displayed user credential information in the system tray display when using https scheme. A local attacker could use this flaw to obtain user credentials (username and password) used for connection to remote point. (CVE-2012-5527)

References:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
https://bugzilla.redhat.com/show_bug.cgi?id=877372

========================

Updated packages in core/updates_testing:

========================

claws-mail-acpi-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-address_keeper-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-attachwarner-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-att_remover-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-bsfilter-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-clamd-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-fancy-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-fetchinfo-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-gtkhtml2_viewer-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-mailmbox-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-newmail-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-notification-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-pdf_viewer-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-perl-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-plugins-debug-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-python-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-rssyl-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-spam_report-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-tnef_parse-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-vcalendar-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-vcalendar-plugin-devel-3.8.1-1.2.mga2.x86_64.rpm

Source RPM:
claws-mail-plugins-3.8.1-1.2.mga2.src.rpm

Regarding pdf_viewer, I just pushed a package with the renaming; it was an error.

thanks

Hi QA,

I just pushed an update for claws-mail-plugins in mga2 updates_testing (see above for the advisory).

I don't have a way to easily test the update as it needs a vcal server with https auth. When you use this kind of server, when fetching, the systray icon should not display the credentials of the account (see upstream bug report for a screenshot).

thanks & regards.
Julien

Assignee:
julien.moragny =>
qa-bugs

Patch checked into Mageia 1 SVN.

Testing complete mga2 32

Just loaded as many of the plugins as I could into claws and configured a random webcal calendar from the internet. No errors after updating and vcalendar still works ok.
claire robinson
2013-01-11 16:44:26 CET
Whiteboard:
(none) =>
has_procedure mga2-32-OK

Testing mga2 64

Newmail plugin is not functional; it gives an error when installed.

Error: No such file or directory
Plugin is not functional.

Hi, thanks for the testing.

After investigation, Newmail plugin needs an existing Mail directory inside $HOME and doesn't create one if it isn't present before loading. I will raise a bug upstream.

I've created a new mageia bug for it, bug 8725, it was the same in the version in updates. It won't hold up this update.

Other than newmail everything seems fine so testing complete mga2 64

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords:
(none) =>
validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0014

Status:
ASSIGNED =>
RESOLVED