Bug 27458 - claws-mail new possible security issue fixed upstream in 3.17.8
Summary: claws-mail new possible security issue fixed upstream in 3.17.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-21 16:56 CEST by David Walser
Modified: 2020-10-24 19:53 CEST (History)
3 users (show)

See Also:
Source RPM: claws-mail-3.17.7-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-10-21 16:56:31 CEST
Claws Mail 3.17.8 has been released on October 19:
https://claws-mail.org/news.php

The first bug fix listed sounds like a security issue:
* Shielded template's |program{} and |attach_program{} so that the
  command-line that is executed does not allow sequencing such as
  with && || ;, preventing possible execution of nasty, or at least
  unexpected, commands
Comment 1 Jani Välimaa 2020-10-23 10:34:37 CEST
Pushed 3.17.8 to core/updates for mga7. Please test.

SRPMS:
claws-mail-3.17.8-1.mga7

RPMS:
claws-mail-3.17.8-1.mga7
claws-mail-tools-3.17.8-1.mga7
claws-mail-devel-3.17.8-1.mga7
claws-mail-plugins-3.17.8-1.mga7
claws-mail-acpi-plugin-3.17.8-1.mga7
claws-mail-address_keeper-plugin-3.17.8-1.mga7
claws-mail-archive-plugin-3.17.8-1.mga7
claws-mail-att_remover-plugin-3.17.8-1.mga7
claws-mail-attachwarner-plugin-3.17.8-1.mga7
claws-mail-bogofilter-plugin-3.17.8-1.mga7
claws-mail-bsfilter-plugin-3.17.8-1.mga7
claws-mail-clamd-plugin-3.17.8-1.mga7
claws-mail-dillo-plugin-3.17.8-1.mga7
claws-mail-fetchinfo-plugin-3.17.8-1.mga7
claws-mail-gdata-plugin-3.17.8-1.mga7
claws-mail-libravatar-plugin-3.17.8-1.mga7
claws-mail-litehtml_viewer-plugin-3.17.8-1.mga7
claws-mail-mailmbox-plugin-3.17.8-1.mga7
claws-mail-managesieve-plugin-3.17.8-1.mga7
claws-mail-newmail-plugin-3.17.8-1.mga7
claws-mail-notification-plugin-3.17.8-1.mga7
claws-mail-pdf_viewer-plugin-3.17.8-1.mga7
claws-mail-perl-plugin-3.17.8-1.mga7
claws-mail-pgpcore-plugin-3.17.8-1.mga7
claws-mail-pgpinline-plugin-3.17.8-1.mga7
claws-mail-pgpmime-plugin-3.17.8-1.mga7
claws-mail-python-plugin-3.17.8-1.mga7
claws-mail-rssyl-plugin-3.17.8-1.mga7
claws-mail-smime-plugin-3.17.8-1.mga7
claws-mail-spamassassin-plugin-3.17.8-1.mga7
claws-mail-spam_report-plugin-3.17.8-1.mga7
claws-mail-vcalendar-plugin-3.17.8-1.mga7

Assignee: julien.moragny => qa-bugs

Comment 2 Aurelien Oudelet 2020-10-23 11:58:44 CEST
Packages in core/updates_testing

Testing under M7 MATE and XFCE x86_64.
3.17.8-1.mga7 installs OK.

Compose mail, send and receive is OK under SSL/IMAP, POP, IMAP and SSL/SMTP and SMTP.

Seems OK.

Recently tested.
Advisory pushed to SVN.

Advisory:
----------------------------------------------------------------------
Updated claws-mail packages fix a security vulnerability

description:

Shielded template's |program{} and |attach_program{} so that the
command-line that is executed does not allow sequencing such as
with && || ;, preventing possible execution of nasty, or at least
unexpected, commands. (No CVE).

references:
- https://claws-mail.org/news.php

SRPM:
claws-mail-3.17.8-1.mga7

----------------------------------------------------------------------

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 3 Mageia Robot 2020-10-24 19:53:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0394.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.