Package: libgmime-2.0-2a
Severity: grave
Tags: security patch

Hi

GMime upstream has released the latest 2.4.15 [1] version of the
library, fixing one security issue. From the 2.4.15-changes [2] file:

2010-01-31  Jeffrey Stedfast  <f...@novell.com>

        * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent
        possible buffer overflows.

The vulnerable code seems to be in gmime/gmime-utils.h, I've attached
upstream's patch for your convenience, but I did not have a deeper look
at the buffer sizes, so it is unchecked.

stable is also affected and would need to be fixed as well I guess.
Please contact the security team (t...@security.debian.org), if you've
checked the patch and have packages ready for lenny.
Thanks in advance.

Cheers
Steffen


References:

[1] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/
[2] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes
[3] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz
[4] http://secunia.com/advisories/38459/
diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/ChangeLog gmime-2.4.15/ChangeLog
--- gmime-2.4.14/ChangeLog	2010-01-30 17:28:48.000000000 +0000
+++ gmime-2.4.15/ChangeLog	2010-02-02 13:51:02.000000000 +0000
@@ -1,3 +1,16 @@
+2010-02-02  Jeffrey Stedfast  <f...@novell.com>
+
+	* README: Bumped version
+
+	* configure.in: Bumped version to 2.4.15
+
+	* build/vs2008/gmime.vcproj: Bumped version.
+
+2010-01-31  Jeffrey Stedfast  <f...@novell.com>
+
+	* gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent
+	possible buffer overflows.
+
 2010-01-30  Jeffrey Stedfast  <f...@novell.com>
 
 	* README: Bumped version
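Review bot: The 2010-01-31 entry says only "Fixed to prevent possible buffer overflows" for GMIME_UUENCODE_LEN and does not record what changed or why the old value was too small. Since this is the security-relevant entry, it should state that the trailing constant went from 62 to 64 and name the condition under which the old size was insufficient, so that packagers backporting to older branches can check the fix without reading the diff.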
diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/docs/reference/xml/gmime-encodings.xml gmime-2.4.15/docs/reference/xml/gmime-encodings.xml
--- gmime-2.4.14/docs/reference/xml/gmime-encodings.xml	2010-01-30 17:30:37.000000000 +0000
+++ gmime-2.4.15/docs/reference/xml/gmime-encodings.xml	2010-02-02 13:53:42.000000000 +0000
@@ -488,7 +488,7 @@
 </para></refsect2>
 <refsect2 id="GMIME-UUENCODE-LEN--CAPS" role="macro">
 <title>GMIME_UUENCODE_LEN()</title>
-<indexterm zone="GMIME-UUENCODE-LEN--CAPS"><primary sortas="GMIME_UUENCODE_LEN">GMIME_UUENCODE_LEN</primary></indexterm><programlisting>#define GMIME_UUENCODE_LEN(x)      ((size_t) (((((x) + 2) / 45) * 62) + 62))
+<indexterm zone="GMIME-UUENCODE-LEN--CAPS"><primary sortas="GMIME_UUENCODE_LEN">GMIME_UUENCODE_LEN</primary></indexterm><programlisting>#define GMIME_UUENCODE_LEN(x)      ((size_t) (((((x) + 2) / 45) * 62) + 64))
 </programlisting>
 <para>
 Calculates the maximum number of bytes needed to uuencode the full
diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/gmime/gmime-encodings.h gmime-2.4.15/gmime/gmime-encodings.h
--- gmime-2.4.14/gmime/gmime-encodings.h	2009-04-24 02:04:47.000000000 +0000
+++ gmime-2.4.15/gmime/gmime-encodings.h	2010-02-01 13:32:53.000000000 +0000
@@ -91,7 +91,7 @@
  * Returns: the number of output bytes needed to uuencode an input
  * buffer of size @x.
  **/
-#define GMIME_UUENCODE_LEN(x)      ((size_t) (((((x) + 2) / 45) * 62) + 62))
+#define GMIME_UUENCODE_LEN(x)      ((size_t) (((((x) + 2) / 45) * 62) + 64))
 
 
 /**
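Review bot: In the new GMIME_UUENCODE_LEN definition the (size_t) cast is still applied only to the finished result, so ((x) + 2) / 45 * 62 + 64 is evaluated in whatever type x has; with a signed int argument a large x can overflow before the cast and yield an undersized length. Consider converting first, as in ((((size_t) (x) + 2) / 45) * 62) + 64. Separately, the doc comment above the macro does not explain where the two extra bytes (62 to 64) come from; a one-line note on what they account for would let a reader verify the bound rather than take it on trust.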
