Public bug reported:

I found this on secunia: http://secunia.com/advisories/26550/

Affected software:      Sylpheed 2.x
                        Sylpheed-Claws (Claws Mail) 2.x
                        Sylpheed-Claws 1.x

Description:
Secunia Research has discovered a vulnerability in Sylpheed and Sylpheed-Claws 
(Claws Mail), which can be exploited by malicious people to compromise a 
vulnerable system.

A format string error in the "inc_put_error()" function in src/inc.c
when displaying a POP3 server's error response can be exploited via
specially crafted POP3 server replies containing format specifiers.

Successful exploitation may allow execution of arbitrary code, but
requires that the user is tricked into connecting to a malicious POP3
server.

A fixed version has been released in the meantime:

Sylpheed 2.4.5 has been released.

This is a security fix release. All users are recommended to upgrade.

http://sylpheed.sraoss.jp/en/news.html
http://sylpheed.sraoss.jp/en/download.html

    * The vulnerability that may be exploited by malicious POP3 server
      was fixed.
      http://secunia.com/advisories/26550/
    * The potential crash bug in address completion was fixed.
    * The signature separator '--' is not joined on line wrapping now.

Could you please upgrade the repos to this fix?

bye

** Affects: sylpheed (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
Sylpheed POP3 Format String Vulnerability
https://bugs.launchpad.net/bugs/136302
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
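
The bug class named in the advisory (a server error response used as a format string), shown as an added example that is not Sylpheed's code. The names alert_error, put_error_vulnerable, put_error_fixed and count_format_specifiers, the message text and the sample reply are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style error display; renders into a buffer here. */
static int alert_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* VULNERABLE pattern: server-controlled text becomes the format string,
 * so conversion specifiers inside it are interpreted. Not called below. */
int put_error_vulnerable(char *out, size_t n, const char *server_reply)
{
    return alert_error(out, n, server_reply);
}

/* FIXED pattern: constant format string, server text passed as data. */
int put_error_fixed(char *out, size_t n, const char *server_reply)
{
    return alert_error(out, n, "POP3 server error:\n%s", server_reply);
}

/* Triage helper: count '%' conversions in an untrusted reply ("%%" is a
 * literal percent sign and is not counted). */
int count_format_specifiers(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;        /* skip the escaped pair */
        else
            count++;
    }
    return count;
}

int main(void)
{
    char buf[256];
    const char *reply = "-ERR mailbox locked %x %x 100%%"; /* constructed */
    put_error_fixed(buf, sizeof buf, reply);
    printf("%s\nspecifiers in reply: %d\n", buf, count_format_specifiers(reply));
    return 0;
}
```

Building with -Wformat -Wformat-security flags the vulnerable pattern at compile time when the display function is declared with the GCC/Clang format attribute.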
