Claws-mail embeds a copy of libytnef, but it's missing the security fix for CVE-2010-5109.

I've added a patch to claws-mail in cauldron and mga4 from upstream git to fix it:
http://git.claws-mail.org/?p=claws.git;a=commit;h=a8df3ae48ad5732018934b378abb11a022735c5e

Please test claws-mail pkgs from core/updates_testing.

More info:
==========
https://bugs.debian.org/771360
https://bugzilla.redhat.com/show_bug.cgi?id=831322

RPMs:
=====
claws-mail-3.11.1-1.1.mga4
claws-mail-tools-3.11.1-1.1.mga4
claws-mail-devel-3.11.1-1.1.mga4
claws-mail-plugins-3.11.1-1.1.mga4
claws-mail-archive-plugin-3.11.1-1.1.mga4
claws-mail-bogofilter-plugin-3.11.1-1.1.mga4
claws-mail-gdata-plugin-3.11.1-1.1.mga4
claws-mail-smime-plugin-3.11.1-1.1.mga4
claws-mail-pgpcore-plugin-3.11.1-1.1.mga4
claws-mail-pgpinline-plugin-3.11.1-1.1.mga4
claws-mail-pgpmime-plugin-3.11.1-1.1.mga4
claws-mail-spamassassin-plugin-3.11.1-1.1.mga4
claws-mail-acpi-plugin-3.11.1-1.1.mga4
claws-mail-att_remover-plugin-3.11.1-1.1.mga4
claws-mail-bsfilter-plugin-3.11.1-1.1.mga4
claws-mail-fancy-plugin-3.11.1-1.1.mga4
claws-mail-fetchinfo-plugin-3.11.1-1.1.mga4
claws-mail-mailmbox-plugin-3.11.1-1.1.mga4
claws-mail-newmail-plugin-3.11.1-1.1.mga4
claws-mail-notification-plugin-3.11.1-1.1.mga4
claws-mail-perl-plugin-3.11.1-1.1.mga4
claws-mail-python-plugin-3.11.1-1.1.mga4
claws-mail-rssyl-plugin-3.11.1-1.1.mga4
claws-mail-vcalendar-plugin-3.11.1-1.1.mga4
claws-mail-vcalendar-plugin-devel-3.11.1-1.1.mga4
claws-mail-attachwarner-plugin-3.11.1-1.1.mga4
claws-mail-spam_report-plugin-3.11.1-1.1.mga4
claws-mail-tnef_parse-plugin-3.11.1-1.1.mga4
claws-mail-address_keeper-plugin-3.11.1-1.1.mga4
claws-mail-clamd-plugin-3.11.1-1.1.mga4
claws-mail-pdf_viewer-plugin-3.11.1-1.1.mga4
claws-mail-libravatar-plugin-3.11.1-1.1.mga4
Source RPM: claws-mail-4.11.1 => claws-mail-3.11.1-1.mga4
Why isn't it using the system libytnef?
Most probably because the latest libytnef release is from 2004. Claws-mail devs have also made some changes to the code.
So libytnef is only used by evolution. You'd think developers of two GNOME mail programs could get together to co-maintain it. Anyway, I wonder if claws-mail's changes could just be integrated into the system one then.
To help picking the long list of pkgs, here they are from Description sorted:
claws-mail-3.11.1-1.1.mga4
claws-mail-acpi-plugin-3.11.1-1.1.mga4
claws-mail-address_keeper-plugin-3.11.1-1.1.mga4
claws-mail-archive-plugin-3.11.1-1.1.mga4
claws-mail-att_remover-plugin-3.11.1-1.1.mga4
claws-mail-attachwarner-plugin-3.11.1-1.1.mga4
claws-mail-bogofilter-plugin-3.11.1-1.1.mga4
claws-mail-bsfilter-plugin-3.11.1-1.1.mga4
claws-mail-clamd-plugin-3.11.1-1.1.mga4
claws-mail-devel-3.11.1-1.1.mga4
claws-mail-fancy-plugin-3.11.1-1.1.mga4
claws-mail-fetchinfo-plugin-3.11.1-1.1.mga4
claws-mail-gdata-plugin-3.11.1-1.1.mga4
claws-mail-libravatar-plugin-3.11.1-1.1.mga4
claws-mail-mailmbox-plugin-3.11.1-1.1.mga4
claws-mail-newmail-plugin-3.11.1-1.1.mga4
claws-mail-notification-plugin-3.11.1-1.1.mga4
claws-mail-pdf_viewer-plugin-3.11.1-1.1.mga4
claws-mail-perl-plugin-3.11.1-1.1.mga4
claws-mail-pgpcore-plugin-3.11.1-1.1.mga4
claws-mail-pgpinline-plugin-3.11.1-1.1.mga4
claws-mail-pgpmime-plugin-3.11.1-1.1.mga4
claws-mail-plugins-3.11.1-1.1.mga4
claws-mail-python-plugin-3.11.1-1.1.mga4
claws-mail-rssyl-plugin-3.11.1-1.1.mga4
claws-mail-smime-plugin-3.11.1-1.1.mga4
claws-mail-spam_report-plugin-3.11.1-1.1.mga4
claws-mail-spamassassin-plugin-3.11.1-1.1.mga4
claws-mail-tnef_parse-plugin-3.11.1-1.1.mga4
claws-mail-tools-3.11.1-1.1.mga4
claws-mail-vcalendar-plugin-3.11.1-1.1.mga4
claws-mail-vcalendar-plugin-devel-3.11.1-1.1.mga4
CC: (none) => lewyssmith
Testing MGA4 x64 real hardware. Installed from normal repos all the Claws modules cited (which pulled in many other things, worst ClamAV and its huge database). Configured it to an e-mail account, and sent a couple of messages to myself. All OK. Updated from Updates Testing all the pkgs to 3.11.1-1.1.mga4. Continued use of the program, plus a few extras like queueing outgoing msgs before sending them, creating sub-folders, moving msgs into them, emptying Deleted. All OK. OKing this update.
Whiteboard: (none) => MGA4-64-OK
Testing on Mageia4x32, real hardware

From claws-mail-3.11.1-1.mga4
-----------------------------
plus all 31 packages listed in Comment 4
Configured a google mail existing IMAP account, retrieved and sent messages.

To claws-mail-3.11.1-1.1.mga4
-----------------------------
Found my gmail account, sent messages, some with attachments, charged some modules (spamassassin, vcalendar, new mail...), deleted, moved messages, created sub-folder.
Looks good.
CC: (none) => olchal
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
@Jani, David: Can we have an advisory for this one?
CC: (none) => remi
How's this?

Advisory:
========================

Updated claws-mail package fixes security vulnerability:

Off-by-one error in the DecompressRTF function in ytnef.c in Yerase's TNEF Stream Reader allows remote attackers to cause a denial of service (crash) via a crafted TNEF file, which triggers a buffer overflow (CVE-2010-5109).

The claws-mail package contains an embedded copy of libytnef, which has been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5109
http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083853.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771360
Perfect, advisory uploaded :-) Validating.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK adviory
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-64-OK MGA4-32-OK adviory => MGA4-64-OK MGA4-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0531.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN made a page for this CVE: http://lwn.net/Vulnerabilities/627327/ as their previous page for libytnef didn't have a CVE listed. I've let them know that they're the same: http://lwn.net/Vulnerabilities/506955/