Bug 7886 - claws-mail new security issue CVE-2012-4507
: claws-mail new security issue CVE-2012-4507
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/520758/
: MGA1TOO, MGA2-64-OK, MGA2-32-OK, MGA1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-10-23 16:52 CEST by David Walser
Modified: 2012-10-30 22:39 CET (History)
4 users (show)

See Also:
Source RPM: claws-mail-3.8.0-3.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-10-23 16:52:50 CEST
OpenSuSE has issued an advisory on October 22:
http://lists.opensuse.org/opensuse-updates/2012-10/msg00064.html

Patched packages uploaded for Mageia 1 and Cauldron.

Updated package uploaded for Mageia 2 (release version doesn't build).

Advisory:
========================

Updated claws-mail packages fix security vulnerability:

The strchr function in procmime.c in Claws Mail (aka claws-mail) 3.8.1
and earlier allows remote attackers to cause a denial of service (NULL
pointer dereference and crash) via a crafted email (CVE-2012-4507).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4507
http://lists.opensuse.org/opensuse-updates/2012-10/msg00064.html
========================

Updated packages in core/updates_testing:
========================
claws-mail-3.7.8-2.1.mga1
claws-mail-devel-3.7.8-2.1.mga1
claws-mail-bogofilter-plugin-3.7.8-2.1.mga1
claws-mail-smime-plugin-3.7.8-2.1.mga1
claws-mail-dillo_viewer-plugin-3.7.8-2.1.mga1
claws-mail-pgpcore-plugin-3.7.8-2.1.mga1
claws-mail-pgpinline-plugin-3.7.8-2.1.mga1
claws-mail-pgpmime-plugin-3.7.8-2.1.mga1
claws-mail-spamassassin-plugin-3.7.8-2.1.mga1
claws-mail-trayicon-plugin-3.7.8-2.1.mga1
claws-mail-3.8.1-1.mga2
claws-mail-devel-3.8.1-1.mga2
claws-mail-bogofilter-plugin-3.8.1-1.mga2
claws-mail-smime-plugin-3.8.1-1.mga2
claws-mail-dillo_viewer-plugin-3.8.1-1.mga2
claws-mail-pgpcore-plugin-3.8.1-1.mga2
claws-mail-pgpinline-plugin-3.8.1-1.mga2
claws-mail-pgpmime-plugin-3.8.1-1.mga2
claws-mail-spamassassin-plugin-3.8.1-1.mga2
claws-mail-trayicon-plugin-3.8.1-1.mga2

from SRPMS:
claws-mail-3.7.8-2.1.mga1.src.rpm
claws-mail-3.8.1-1.mga2.src.rpm
Comment 1 Shlomi Fish 2012-10-27 20:18:13 CEST
The new claws-mails works fine on Mageia Linux 2 x86-64.

Regards,

-- Shlomi Fish
Comment 2 claire robinson 2012-10-29 19:22:16 CET
Possible PoC: https://bugzilla.redhat.com/show_bug.cgi?id=862578#c11
Comment 3 Marc Lattemann 2012-10-29 22:48:38 CET
couldn't reproduce PoC from Comment #2. Maybe I did something wrong?

However tested standard mail features (receiving and sending mails) and no issues detected. Tested on mga2/1 i586 and x86_64.

validating updates.

see Advisory and src-rpm in Description.

Could sysadmin push packages to Updates? Thanks.
Comment 4 David Walser 2012-10-29 22:53:38 CET
(In reply to comment #3)
> couldn't reproduce PoC from Comment #2. Maybe I did something wrong?

Did you download the attachment (which is actually called xx0008, not x0008)?

Did you then cat that file to /var/spool/mail/${USER}   ?  It should be USER and not HOME as in the bug post.

Did you configure claws-mail to use your local UNIX mbox account and try to open the inbox?  Did you then try to open the messages?
Comment 5 Thomas Backlund 2012-10-29 23:11:58 CET
dropping validated status as tests are still going on...
Comment 6 claire robinson 2012-10-30 15:39:40 CET
Configured claws-mail to use mbox format at /var/mail/claire (that is the default and is symlinked to spool/mail).

Started it and then ..

$ cat xx0008 >> /var/mail/claire

When I get new messages I can see the new message but it doesn't cause any crash in release or update.

Revalidating based on Marc's previous testing.

Advisory & srpms in comment 0

Thanks
Comment 7 Marc Lattemann 2012-10-30 15:54:13 CET
(In reply to comment #6)
> When I get new messages I can see the new message but it doesn't cause any
> crash in release or update.

I agree: with the help of David I could get the local mbox working but claws did not crash according to the PoC.
Comment 8 Thomas Backlund 2012-10-30 22:39:56 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0318

Note You need to log in before you can comment on or make changes to this bug.