OpenSuSE has issued an advisory on October 22: http://lists.opensuse.org/opensuse-updates/2012-10/msg00064.html

Patched packages uploaded for Mageia 1 and Cauldron. Updated package uploaded for Mageia 2 (release version doesn't build).

Advisory:
========================

Updated claws-mail packages fix security vulnerability:

The strchr function in procmime.c in Claws Mail (aka claws-mail) 3.8.1 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted email (CVE-2012-4507).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4507
http://lists.opensuse.org/opensuse-updates/2012-10/msg00064.html
========================

Updated packages in core/updates_testing:
========================
claws-mail-3.7.8-2.1.mga1
claws-mail-devel-3.7.8-2.1.mga1
claws-mail-bogofilter-plugin-3.7.8-2.1.mga1
claws-mail-smime-plugin-3.7.8-2.1.mga1
claws-mail-dillo_viewer-plugin-3.7.8-2.1.mga1
claws-mail-pgpcore-plugin-3.7.8-2.1.mga1
claws-mail-pgpinline-plugin-3.7.8-2.1.mga1
claws-mail-pgpmime-plugin-3.7.8-2.1.mga1
claws-mail-spamassassin-plugin-3.7.8-2.1.mga1
claws-mail-trayicon-plugin-3.7.8-2.1.mga1

claws-mail-3.8.1-1.mga2
claws-mail-devel-3.8.1-1.mga2
claws-mail-bogofilter-plugin-3.8.1-1.mga2
claws-mail-smime-plugin-3.8.1-1.mga2
claws-mail-dillo_viewer-plugin-3.8.1-1.mga2
claws-mail-pgpcore-plugin-3.8.1-1.mga2
claws-mail-pgpinline-plugin-3.8.1-1.mga2
claws-mail-pgpmime-plugin-3.8.1-1.mga2
claws-mail-spamassassin-plugin-3.8.1-1.mga2
claws-mail-trayicon-plugin-3.8.1-1.mga2

from SRPMS:
claws-mail-3.7.8-2.1.mga1.src.rpm
claws-mail-3.8.1-1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
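As an added illustration of the bug class the advisory names (constructed example; not code from this bug, from Claws Mail's procmime.c, or from Mageia), a small Content-Type parameter extractor that checks every strchr() result, so a crafted header with a parameter lacking '=' or an unterminated quoted value is rejected instead of being dereferenced through a NULL pointer. The function names and sample header strings are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Constructed example (not Claws Mail's procmime.c): copy the value of MIME
 * parameter `name` from a Content-Type style header into `out`.  Returns 1 on
 * success, 0 if the parameter is absent or the header is malformed.  Every
 * strchr() result is checked: the CVE-2012-4507 bug class is a strchr() that
 * returns NULL on a crafted header and is then dereferenced. */
int mime_param_value(const char *hdr, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = strchr(hdr, ';');        /* parameters follow the media type */
    while (p != NULL) {
        p++;                                 /* step over ';' */
        while (*p && isspace((unsigned char)*p)) p++;
        const char *eq = strchr(p, '=');
        const char *next = strchr(p, ';');
        /* Token without '=' ("; charset"): eq is NULL or belongs to a later
         * parameter; using eq + 1 unchecked here is the NULL dereference. */
        if (eq == NULL || (next != NULL && next < eq)) { p = next; continue; }
        const char *v = eq + 1, *end;
        if (*v == '"') {                     /* quoted-string value */
            v++;
            end = strchr(v, '"');
            if (end == NULL) return 0;       /* unterminated quote: malformed */
            next = strchr(end, ';');         /* resume after the closing quote */
        } else {
            end = next ? next : v + strlen(v);
            while (end > v && isspace((unsigned char)end[-1])) end--;
        }
        if ((size_t)(eq - p) == nlen && strncasecmp(p, name, nlen) == 0) {
            size_t vlen = (size_t)(end - v);
            if (vlen >= outlen) return 0;    /* value does not fit in out */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = next;
    }
    return 0;                                /* parameter absent */
}

/* Test helper: does parameter `name` in `hdr` parse to exactly `expected`? */
int mime_param_equals(const char *hdr, const char *name, const char *expected)
{
    char buf[64];
    return mime_param_value(hdr, name, buf, sizeof buf) && strcmp(buf, expected) == 0;
}
```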
The new claws-mail works fine on Mageia Linux 2 x86-64.

Regards,

-- Shlomi Fish
CC: (none) => shlomif
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK
Possible PoC: https://bugzilla.redhat.com/show_bug.cgi?id=862578#c11
I couldn't reproduce the PoC from Comment #2. Maybe I did something wrong? However, I tested standard mail features (receiving and sending mails) and no issues were detected. Tested on mga2/1 i586 and x86_64.

Validating updates. See Advisory and src-rpm in Description.

Could sysadmin push packages to Updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK, MGA1-64-OK
(In reply to comment #3)
> couldn't reproduce PoC from Comment #2. Maybe I did something wrong?

Did you download the attachment (which is actually called xx0008, not x0008)? Did you then cat that file to /var/spool/mail/${USER}? It should be USER and not HOME as in the bug post. Did you configure claws-mail to use your local UNIX mbox account and try to open the inbox? Did you then try to open the messages?
dropping validated status as tests are still going on...
Keywords: validated_update => (none)
CC: (none) => tmb
Configured claws-mail to use mbox format at /var/mail/claire (that is the default and is symlinked to spool/mail). Started it and then:

$ cat xx0008 >> /var/mail/claire

When I get new messages I can see the new message but it doesn't cause any crash in release or update.

Revalidating based on Marc's previous testing.

Advisory & srpms in comment 0

Thanks
Keywords: (none) => validated_update
(In reply to comment #6)
> When I get new messages I can see the new message but it doesn't cause any
> crash in release or update.

I agree: with the help of David I could get the local mbox working but claws did not crash according to the PoC.
CC: (none) => marc.lattemann
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0318
Status: NEW => RESOLVED
Resolution: (none) => FIXED