A security issue was fixed in claws-mail 3.13.1: http://openwall.com/lists/oss-security/2015/12/21/10 Links to more information and fixes are in the message above. Reproducible: Steps to Reproduce:
CC: (none) => jani.valimaa
CVE-2015-8614 has been assigned: http://openwall.com/lists/oss-security/2015/12/22/2
Summary: claws-mail new security issue fixed upstream in 3.13.1 => claws-mail new security issue fixed upstream in 3.13.1 (CVE-2015-8614)
Hi, I don't have access to my computer til next week. I'll look at it when I get back Regzrds Julien
URL: (none) => http://lwn.net/Vulnerabilities/669041/
Note that an additional commit from upstream is needed: http://openwall.com/lists/oss-security/2015/12/31/1 It is linked at the bottom of the message above. That commit should also be added in Cauldron, in which it fixes CVE-2015-8708 (for the incomplete fix for CVE-2015-8614). That additional CVE isn't relevant for Mageia 5, since we haven't fixed this yet.
Fedora has issued an advisory for this on December 30: https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174741.html
Patch for CVE-2015-8708 added to Cauldron's claws-mail.
About mga5, should we bump 3.11.1 -> 3.13.1 with CVE-2015-8708 fix?
Update to 3.13.1 is a bit problematical as claws-mail-gdata-plugin requires newer libgdata than is available in mga5 (0.16.1 available and >= 0.17.1 required). New libgdata would mean new libmajor -> rebuilds.
Hello all, To begin with Happy New Year! And thanks for the update on the cauldron package. I just pushed an update for mga5 in update_testing. Below is a proposition for the advisory : ======================== Updated claws-mail fix security vulnerabilities: no bounds checking on the output buffer in conv_jistoeuc, conv_euctojis, conv_sjistoeuc A Tails contributor found a vulnerability in claws-mail where in codeconv.c a function for japanese character set conversion called conv_jistoeuc() has no bounds checking on the output buffer which is created on the stack with alloca() (CVE-2015-8614). References: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557 https://bugs.mageia.org/show_bug.cgi?id=17380 https://security-tracker.debian.org/tracker/CVE-2015-8614 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8614 ======================== Updated packages in core/updates_testing: ======================== claws-mail-3.11.1-3.mga5 claws-mail-tools-3.11.1-3.mga5 claws-mail-devel-3.11.1-3.mga5 claws-mail-plugins-3.11.1-3.mga5 claws-mail-archive-plugin-3.11.1-3.mga5 claws-mail-bogofilter-plugin-3.11.1-3.mga5 claws-mail-gdata-plugin-3.11.1-3.mga5 claws-mail-smime-plugin-3.11.1-3.mga5 claws-mail-pgpcore-plugin-3.11.1-3.mga5 claws-mail-pgpinline-plugin-3.11.1-3.mga5 claws-mail-pgpmime-plugin-3.11.1-3.mga5 claws-mail-spamassassin-plugin-3.11.1-3.mga5 claws-mail-acpi-plugin-3.11.1-3.mga5 claws-mail-att_remover-plugin-3.11.1-3.mga5 claws-mail-bsfilter-plugin-3.11.1-3.mga5 claws-mail-fancy-plugin-3.11.1-3.mga5 claws-mail-fetchinfo-plugin-3.11.1-3.mga5 claws-mail-mailmbox-plugin-3.11.1-3.mga5 claws-mail-newmail-plugin-3.11.1-3.mga5 claws-mail-notification-plugin-3.11.1-3.mga5 claws-mail-perl-plugin-3.11.1-3.mga5 claws-mail-python-plugin-3.11.1-3.mga5 claws-mail-rssyl-plugin-3.11.1-3.mga5 claws-mail-vcalendar-plugin-3.11.1-3.mga5 claws-mail-vcalendar-plugin-devel-3.11.1-3.mga5 claws-mail-attachwarner-plugin-3.11.1-3.mga5 claws-mail-spam_report-plugin-3.11.1-3.mga5 claws-mail-tnef_parse-plugin-3.11.1-3.mga5 claws-mail-address_keeper-plugin-3.11.1-3.mga5 claws-mail-clamd-plugin-3.11.1-3.mga5 claws-mail-pdf_viewer-plugin-3.11.1-3.mga5 claws-mail-libravatar-plugin-3.11.1-3.mga5 claws-mail-debuginfo-3.11.1-3.mga5 Source RPM: claws-mail-3.11.1-3.mga5.src.rpm
Thanks Julien and Jani! Assigning to QA. Advisory and package list in Comment 8.
CC: (none) => julien.moragnyAssignee: julien.moragny => qa-bugs
FWIW, the x86_64 packages install without pb and I don't see a difference with my usual usage.
Testing MGA5 x64, OK Like Comment 10, I use Claws Mail routinely. Before the update I tried one of the POCs http://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=1602 in bug http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3563 but it sent & received without error... Updated to: claws-mail-3.11.1-3.mga5 claws-mail-bogofilter-plugin-3.11.1-3.mga5 claws-mail-fancy-plugin-3.11.1-3.mga5 claws-mail-pgpcore-plugin-3.11.1-3.mga5 claws-mail-pgpmime-plugin-3.11.1-3.mga5 and played with it a bit, including re-trying the POC. So with the confirmation above - OK.
CC: (none) => lewyssmithWhiteboard: (none) => MGA5-64-OK
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK => MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0008.html
Status: NEW => RESOLVEDResolution: (none) => FIXED