Bug 20809 - libetpan new security issue CVE-2017-8825
Summary: libetpan new security issue CVE-2017-8825
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Reported: 2017-05-09 03:43 CEST by David Walser
Modified: 2017-06-28 12:12 CEST (History)
7 users (show)

See Also:
Source RPM: libetpan-1.7.2-1.mga6.src.rpm
CVE: CVE-2017-8825
Status comment:


Description David Walser 2017-05-09 03:43:47 CEST
A security issue fixed upstream in libetpan has been announced:

The issue is fixed in 1.8.

The message above contains a link to the upstream commit that fixed the issue.

Mageia 5 is also affected.
David Walser 2017-05-09 03:43:54 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-05-09 07:41:53 CEST
Fixed in cauldron

Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Version: Cauldron => 5

Nicolas Lécureuil 2017-05-09 07:42:01 CEST

CVE: (none) => CVE-2017-8825

Comment 2 Marja Van Waes 2017-05-09 11:49:51 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 3 Mike Rambo 2017-06-14 20:18:24 CEST
Patched package uploaded for Mageia 5.


Updated libetpan package fixes security vulnerability:

It was discovered that libetpan, a C language mail access and handling library that is used in a number of MUAs, contained a NULL dereference vulnerability in the MIME handling code (CVE-2017-8825)


Updated packages in core/updates_testing:

from libetpan-1.6-1.1.mga5.src.rpm

CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs

Dave Hodgins 2017-06-18 08:05:34 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Herman Viaene 2017-06-19 13:48:02 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Claws mail is dependent on libetpan17.
Opened claw mail and sent message (including an attachment) and with
$ strace -o libetpan17 claws-mail 
found in the trace file
open("/lib/libetpan.so.17", O_RDONLY|O_CLOEXEC) = 3

So OK for me.

Whiteboard: advisory => advisory MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 Lewis Smith 2017-06-27 20:33:52 CEST
Testing M5_64

 $ urpmq -i lib64etpan17
The purpose of this mail library is to provide a portable, efficient
framework for different kinds of mail access.
 $ urpmq --whatrequires lib64etpan17
I use Claws-mail routinely.

BEFORE the update: ib64etpan17-1.6-1.mga5

AFTER the update: lib64etpan17-1.6-1.1.mga5
 $ strace claws-mail 2>&1 | grep libetpan
open("/lib64/libetpan.so.17", O_RDONLY|O_CLOEXEC) = 3

Sent a few messages to myself at 2 addresses, with attachment. All looks OK.
Validating; already advisoried.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-06-28 12:12:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.