Package: libgmime-2.0-2a
Severity: grave
Tags: security patch

Hi

GMime upstream has released the latest 2.4.15 [1] version of the library, fixing one security issue. From the 2.4.15-changes [2] file:

  2010-01-31 Jeffrey Stedfast <f...@novell.com>

    * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent
    possible buffer overflows.

The vulnerable code seems to be in gmime/gmime-utils.h. I've attached upstream's patch for your convenience, but I did not have a deeper look at the buffer sizes, so it is unchecked.

stable is also affected and would need to be fixed as well, I guess.

Please contact the security team (t...@security.debian.org) if you've checked the patch and have packages ready for lenny.

Thanks in advance.

Cheers
Steffen

References:
[1] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/
[2] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes
[3] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz
[4] http://secunia.com/advisories/38459/
diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/ChangeLog gmime-2.4.15/ChangeLog --- gmime-2.4.14/ChangeLog 2010-01-30 17:28:48.000000000 +0000 +++ gmime-2.4.15/ChangeLog 2010-02-02 13:51:02.000000000 +0000 @@ -1,3 +1,16 @@ +2010-02-02 Jeffrey Stedfast <f...@novell.com> + + * README: Bumped version + + * configure.in: Bumped version to 2.4.15 + + * build/vs2008/gmime.vcproj: Bumped version. + +2010-01-31 Jeffrey Stedfast <f...@novell.com> + + * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent + possible buffer overflows. + 2010-01-30 Jeffrey Stedfast <f...@novell.com> * README: Bumped version diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/docs/reference/xml/gmime-encodings.xml gmime-2.4.15/docs/reference/xml/gmime-encodings.xml --- gmime-2.4.14/docs/reference/xml/gmime-encodings.xml 2010-01-30 17:30:37.000000000 +0000 +++ gmime-2.4.15/docs/reference/xml/gmime-encodings.xml 2010-02-02 13:53:42.000000000 +0000 @@ -488,7 +488,7 @@ </para></refsect2> <refsect2 id="GMIME-UUENCODE-LEN--CAPS" role="macro"> <title>GMIME_UUENCODE_LEN()</title> -<indexterm zone="GMIME-UUENCODE-LEN--CAPS"><primary sortas="GMIME_UUENCODE_LEN">GMIME_UUENCODE_LEN</primary></indexterm><programlisting>#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 62)) +<indexterm zone="GMIME-UUENCODE-LEN--CAPS"><primary sortas="GMIME_UUENCODE_LEN">GMIME_UUENCODE_LEN</primary></indexterm><programlisting>#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 64)) </programlisting> <para> Calculates the maximum number of bytes needed to uuencode the full diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/gmime/gmime-encodings.h gmime-2.4.15/gmime/gmime-encodings.h --- gmime-2.4.14/gmime/gmime-encodings.h 2009-04-24 02:04:47.000000000 +0000 +++ gmime-2.4.15/gmime/gmime-encodings.h 2010-02-01 13:32:53.000000000 +0000 
@@ -91,7 +91,7 @@ * Returns: the number of output bytes needed to uuencode an input * buffer of size @x. **/ -#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 62)) +#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 64)) /**
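Review bot: In the gmime/gmime-encodings.h hunk, the constant in GMIME_UUENCODE_LEN changes from + 62 to + 64, but the doc comment above it still says only that it returns the number of output bytes needed, so nothing records what the two extra bytes cover. Please add a sentence to the comment naming them, so the bound can be checked against the encoder, which the report says has not been done. Separately, the (size_t) cast is applied to the finished expression, so (((x) + 2) / 45) * 62 is still evaluated in the type of x; casting the argument first, as in ((size_t) (x) + 2), would keep a large int argument from wrapping before the conversion. For the stable backport, note that this patch touches gmime/gmime-encodings.h while the report names gmime/gmime-utils.h, so the macro's location in the older tree needs confirming before the hunk is applied.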