Your message dated Wed, 31 May 2017 15:29:10 +0000
with message-id <[email protected]>
and subject line unblock libetpan
has caused the Debian Bug report #863714,
regarding unblock: libetpan/1.6-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
863714: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863714
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package libetpan
Fixes bug 862151 (CVE-2017-8825). Diff includes an update to the Homepage
field, which has already been in git since last year ;)
Attached debdiff. Thanks in advance and best regards,
unblock libetpan/1.6-3
--
Ricardo Mones
http://people.debian.org/~mones
«Exercise caution in your daily affairs.»
diff -Nru libetpan-1.6/debian/changelog libetpan-1.6/debian/changelog
--- libetpan-1.6/debian/changelog 2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/changelog 2017-05-30 10:16:19.000000000 +0200
@@ -1,3 +1,12 @@
+libetpan (1.6-3) unstable; urgency=high
+
+ * patches/fix-CVE-2017-8825.diff, patches/series
+ - Add upstream patch to fix CVE-2017-8825 (Closes: #862151)
+ * control
+ - Homepage: point to library's own page
+
+ -- Ricardo Mones <[email protected]> Tue, 30 May 2017 10:16:19 +0200
+
libetpan (1.6-2) unstable; urgency=medium
* control
diff -Nru libetpan-1.6/debian/control libetpan-1.6/debian/control
--- libetpan-1.6/debian/control 2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/control 2017-05-30 10:16:19.000000000 +0200
@@ -1,7 +1,7 @@
Source: libetpan
Section: mail
Priority: optional
-Homepage: http://libetpan.sourceforge.net/libetpan
+Homepage: http://www.etpan.org/libetpan.html
Maintainer: Ricardo Mones <[email protected]>
Uploaders: Nikita V. Youshchenko <[email protected]>
Build-Depends: debhelper (>= 9), autotools-dev, libtool, libdb-dev,
diff -Nru libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff
libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff
--- libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff 1970-01-01
01:00:00.000000000 +0100
+++ libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff 2017-05-30
10:16:19.000000000 +0200
@@ -0,0 +1,39 @@
+Description: A null dereference vulnerability has been found in the MIME
+ handling component of LibEtPan before 1.8, as used in MailCore and
+ MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed
+ parse of a Cc header containing multiple e-mail addresses.
+Author: Viet Hoa Dinh <[email protected]>
+Origin: upstream,
https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d
+Bug-Debian: https://bugs.debian.org/862151
+Last-Update: 2017-05-30
+
+diff --git a/src/low-level/imf/mailimf.c b/src/low-level/imf/mailimf.c
+index 4554f1c..b557070 100644
+--- a/src/low-level/imf/mailimf.c
++++ b/src/low-level/imf/mailimf.c
+@@ -3083,6 +3083,7 @@ static int mailimf_group_parse(const char * message,
size_t length,
+ struct mailimf_group * group;
+ int r;
+ int res;
++ clist * list;
+
+ cur_token = * indx;
+
+@@ -3110,6 +3111,17 @@ static int mailimf_group_parse(const char * message,
size_t length,
+ res = r;
+ goto free_display_name;
+ }
++ list = clist_new();
++ if (list == NULL) {
++ res = MAILIMF_ERROR_MEMORY;
++ goto free_display_name;
++ }
++ mailbox_list = mailimf_mailbox_list_new(list);
++ if (mailbox_list == NULL) {
++ res = MAILIMF_ERROR_MEMORY;
++ clist_free(list);
++ goto free_display_name;
++ }
+ break;
+ default:
+ res = r;
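Review bot: the block added before `break;` in the second mailimf_group_parse hunk of fix-CVE-2017-8825.diff has no comment saying why an empty list is built there, and the `case` label it belongs to lies outside the context lines, so the patch alone does not show which return value of the preceding parse takes this path. A one-line comment above `list = clist_new();` giving the reason (going by the Description, the failed parse that led to the null dereference) would make the intent clear to the next reader. Ownership of `list` passes to `mailbox_list` once `mailimf_mailbox_list_new(list)` succeeds, so please confirm that the error paths after this point, which are not visible here, release `mailbox_list` rather than leaking it. In the DEP-3 header, the first line of `Description:` would read better as a short synopsis, with the longer explanation moved to the continuation lines.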
diff -Nru libetpan-1.6/debian/patches/series libetpan-1.6/debian/patches/series
--- libetpan-1.6/debian/patches/series 2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/patches/series 2017-05-30 10:16:19.000000000 +0200
@@ -1 +1,2 @@
11_use_openjade.diff
+fix-CVE-2017-8825.diff
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---