Bug#568291: possible buffer overflows
On Fri, Jun 04, 2010 at 10:04:22PM +0200, Emilio Pozuelo Monfort wrote: On 04/06/10 19:37, Moritz Muehlenhoff wrote: Do GNOME maintainers plan to include gmime2.2 in Squeeze or will it dropped in favour of gmime2.4? I've dropped the Mono bindings in our svn. The C library still has four reverse dependencies. All of them have bug reports for months, but nobody has looked at them yet. I'd love to get it out of Squeeze, but somebody will need to look at them. See #549054, #549056, #549057, #549058. Since we'll likeÃly still keep these packages for Squeeze (but should raise them to RC after release), I'll upload a fix soon. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#568291: possible buffer overflows
On Thu, Feb 04, 2010 at 12:52:06PM +0100, Steffen Joeris wrote: Hi Mirco Hi GMime upstream has released latest 2.4.15 [1] version of the library fixing one security issue. From 2.4.15-changes [2] file: 2010-01-31 Jeffrey Stedfast f...@novell.com * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent possible buffer overflows. The vulnerable code seems to be in gmime/gmime-utils.h, I've attached upstream's patch for your convenience, but I did not have a deeper look at the buffer sizes, so it is unchecked. stable is also affected and would need to be fixed as well I guess. Please contact the secuirty team (t...@security.debian.org), if you've checked the patch and have packages ready for lenny. Upstream contacted me already and said that gmime2.2 is not affected, only gmime2.4 is. I have my doubts about this. Looking at gmime/gmime-utils.h we're having the same declaration for GMIME_UUENCODE_LEN that was declared vulnerable. For gmime2.2, GMIME_UUENCODE_LEN is used by g_mime_filter_set_size() in filter_filter(). The latter is also taking a size_t, so I'd suspect that it should be possible to overflow this as well? Note that I have not dived deeper into the code, but a short talk with RedHat revealed that fedora seems to be pushing updates for gmime2.2. Could you please have a look at it and clarify things? Upstream's patch seems to increase the buffer by 2, I am not sure where their buffer calculation comes from, could you please double check that as well? What's the status? Do GNOME maintainers plan to include gmime2.2 in Squeeze or will it dropped in favour of gmime2.4? Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#568291: possible buffer overflows
On 04/06/10 19:37, Moritz Muehlenhoff wrote: Do GNOME maintainers plan to include gmime2.2 in Squeeze or will it dropped in favour of gmime2.4? I've dropped the Mono bindings in our svn. The C library still has four reverse dependencies. All of them have bug reports for months, but nobody has looked at them yet. I'd love to get it out of Squeeze, but somebody will need to look at them. See #549054, #549056, #549057, #549058. Cheers, Emilio -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#568291: possible buffer overflows
Hi Mirco Hi GMime upstream has released latest 2.4.15 [1] version of the library fixing one security issue. From 2.4.15-changes [2] file: 2010-01-31 Jeffrey Stedfast f...@novell.com * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent possible buffer overflows. The vulnerable code seems to be in gmime/gmime-utils.h, I've attached upstream's patch for your convenience, but I did not have a deeper look at the buffer sizes, so it is unchecked. stable is also affected and would need to be fixed as well I guess. Please contact the secuirty team (t...@security.debian.org), if you've checked the patch and have packages ready for lenny. Upstream contacted me already and said that gmime2.2 is not affected, only gmime2.4 is. I have my doubts about this. Looking at gmime/gmime-utils.h we're having the same declaration for GMIME_UUENCODE_LEN that was declared vulnerable. For gmime2.2, GMIME_UUENCODE_LEN is used by g_mime_filter_set_size() in filter_filter(). The latter is also taking a size_t, so I'd suspect that it should be possible to overflow this as well? Note that I have not dived deeper into the code, but a short talk with RedHat revealed that fedora seems to be pushing updates for gmime2.2. Could you please have a look at it and clarify things? Upstream's patch seems to increase the buffer by 2, I am not sure where their buffer calculation comes from, could you please double check that as well? Cheers Steffen signature.asc Description: This is a digitally signed message part.
Bug#568291: possible buffer overflows
Package: libgmime-2.0-2a Severity: grave Tags: security patch Hi GMime upstream has released latest 2.4.15 [1] version of the library fixing one security issue. From 2.4.15-changes [2] file: 2010-01-31 Jeffrey Stedfast f...@novell.com * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent possible buffer overflows. The vulnerable code seems to be in gmime/gmime-utils.h, I've attached upstream's patch for your convenience, but I did not have a deeper look at the buffer sizes, so it is unchecked. stable is also affected and would need to be fixed as well I guess. Please contact the secuirty team (t...@security.debian.org), if you've checked the patch and have packages ready for lenny. Thanks in advance. Cheers Steffen References: [1] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/ [2] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes [3] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz [4] http://secunia.com/advisories/38459/ diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/ChangeLog gmime-2.4.15/ChangeLog --- gmime-2.4.14/ChangeLog 2010-01-30 17:28:48.0 + +++ gmime-2.4.15/ChangeLog 2010-02-02 13:51:02.0 + @@ -1,3 +1,16 @@ +2010-02-02 Jeffrey Stedfast f...@novell.com + + * README: Bumped version + + * configure.in: Bumped version to 2.4.15 + + * build/vs2008/gmime.vcproj: Bumped version. + +2010-01-31 Jeffrey Stedfast f...@novell.com + + * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent + possible buffer overflows. + 2010-01-30 Jeffrey Stedfast f...@novell.com * README: Bumped version diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/docs/reference/xml/gmime-encodings.xml gmime-2.4.15/docs/reference/xml/gmime-encodings.xml --- gmime-2.4.14/docs/reference/xml/gmime-encodings.xml 2010-01-30 17:30:37.0 + +++ gmime-2.4.15/docs/reference/xml/gmime-encodings.xml 2010-02-02 13:53:42.0 + @@ -488,7 +488,7 @@ /para/refsect2 refsect2 id=GMIME-UUENCODE-LEN--CAPS role=macro titleGMIME_UUENCODE_LEN()/title -indexterm zone=GMIME-UUENCODE-LEN--CAPSprimary sortas=GMIME_UUENCODE_LENGMIME_UUENCODE_LEN/primary/indextermprogramlisting#define GMIME_UUENCODE_LEN(x) ((size_t) (x) + 2) / 45) * 62) + 62)) +indexterm zone=GMIME-UUENCODE-LEN--CAPSprimary sortas=GMIME_UUENCODE_LENGMIME_UUENCODE_LEN/primary/indextermprogramlisting#define GMIME_UUENCODE_LEN(x) ((size_t) (x) + 2) / 45) * 62) + 64)) /programlisting para Calculates the maximum number of bytes needed to uuencode the full diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/gmime/gmime-encodings.h gmime-2.4.15/gmime/gmime-encodings.h --- gmime-2.4.14/gmime/gmime-encodings.h 2009-04-24 02:04:47.0 + +++ gmime-2.4.15/gmime/gmime-encodings.h 2010-02-01 13:32:53.0 + @@ -91,7 +91,7 @@ * Returns: the number of output bytes needed to uuencode an input * buffer of size @x. **/ -#define GMIME_UUENCODE_LEN(x) ((size_t) (x) + 2) / 45) * 62) + 62)) +#define GMIME_UUENCODE_LEN(x) ((size_t) (x) + 2) / 45) * 62) + 64)) /**
Bug#568291: possible buffer overflows
On Wed, 03 Feb 2010 18:12:45 +0100 Steffen Joeris steffen.joe...@skolelinux.de wrote: Package: libgmime-2.0-2a Severity: grave Tags: security patch Hi GMime upstream has released latest 2.4.15 [1] version of the library fixing one security issue. From 2.4.15-changes [2] file: 2010-01-31 Jeffrey Stedfast f...@novell.com * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent possible buffer overflows. The vulnerable code seems to be in gmime/gmime-utils.h, I've attached upstream's patch for your convenience, but I did not have a deeper look at the buffer sizes, so it is unchecked. stable is also affected and would need to be fixed as well I guess. Please contact the secuirty team (t...@security.debian.org), if you've checked the patch and have packages ready for lenny. Upstream contacted me already and said that gmime2.2 is not affected, only gmime2.4 is. Thanks in advance. Thanks for having on eye on this! Cheers Steffen References: [1] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/ [2] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes [3] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz [4] http://secunia.com/advisories/38459/ -- Regards, Mirco 'meebey' Bauer PGP-Key ID: 0xEEF946C8 FOSS Developermee...@meebey.net http://www.meebey.net/ PEAR Developermee...@php.net http://pear.php.net/ Debian Developer mee...@debian.org http://www.debian.org/ -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org