Your message dated Sat, 29 Nov 2014 23:16:01 +0000
with message-id <[email protected]>
and subject line Re: Bug#771474: unblock: claws-mail/3.11.1-2
has caused the Debian Bug report #771474,
regarding unblock: claws-mail/3.11.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
771474: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771474
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi Release Team,
Please unblock package claws-mail to fix CVE-2010-5109
in claws-mail-tnef-parser reported as #771360.
Full debdiff attached.
Thanks in advance,
unblock claws-mail/3.11.1-2
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru claws-mail-3.11.1/debian/changelog claws-mail-3.11.1/debian/changelog
--- claws-mail-3.11.1/debian/changelog 2014-10-28 01:06:14.000000000 +0100
+++ claws-mail-3.11.1/debian/changelog 2014-11-29 23:11:52.000000000 +0100
@@ -1,3 +1,11 @@
+claws-mail (3.11.1-2) unstable; urgency=high
+
+ * patches/14CVE_2010_5109.patch, patches/series
+ - Fix possible buffer overflow CVE-2010-5109 (Closes: #771360)
+ - Raised urgency because of RC security bug
+
+ -- Ricardo Mones <[email protected]> Sat, 29 Nov 2014 23:03:27 +0100
+
claws-mail (3.11.1-1) unstable; urgency=medium
* New upstream bugfix release
diff -Nru claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch
--- claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch 2014-11-29 23:11:52.000000000 +0100
@@ -0,0 +1,23 @@
+Description: Patch to fix possible buffer overflow
+ in TNEF parser's embedded copy of ytnef library.
+ Originally CVE-2010-5109 in libytnef.
+Author: Petr Písař <[email protected]>
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=831322
+Acked-by: Moritz Muehlenhoff <[email protected]>
+Bug-Debian: https://bugs.debian.org/771360
+Applied-Upstream: commit:a8df3ae48ad5732018934b378abb11a022735c5e
+Last-Update: 2014-11-29
+
+diff --git a/src/plugins/tnef_parse/ytnef.c b/src/plugins/tnef_parse/ytnef.c
+index a2e7ed3..9184836 100644
+--- a/src/plugins/tnef_parse/ytnef.c
++++ b/src/plugins/tnef_parse/ytnef.c
+@@ -1352,7 +1352,7 @@ unsigned char *DecompressRTF(variableLength *p, int *size) {
+
+ comp_Prebuf.size = strlen(RTF_PREBUF);
+ comp_Prebuf.data = calloc(comp_Prebuf.size + 1, 1);
+- strcpy(comp_Prebuf.data, RTF_PREBUF);
++ memcpy(comp_Prebuf.data, RTF_PREBUF, comp_Prebuf.size);
+
+ src = p->data;
+ in = 0;
diff -Nru claws-mail-3.11.1/debian/patches/series claws-mail-3.11.1/debian/patches/series
--- claws-mail-3.11.1/debian/patches/series 2014-10-28 01:06:14.000000000 +0100
+++ claws-mail-3.11.1/debian/patches/series 2014-11-29 23:11:52.000000000 +0100
@@ -1,3 +1,4 @@
11mark_trashed_as_read.patch
12fix_manpage_header.patch
13desktop_file_categories.patch
+14CVE_2010_5109.patch
--- End Message ---
--- Begin Message ---
On Sat, 2014-11-29 at 23:52 +0100, Ricardo Mones wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Hi Release Team,
>
> Please unblock package claws-mail to fix CVE-2010-5109
> in claws-mail-tnef-parser reported as #771360.
Unblocked, thanks.
Regards,
Adam
--- End Message ---
