yamal was right, the bugfix is really simple, just this patch file is so
big ^^ Sorry for that, but I never had to deal with these patch files.
I could track it down in a few minutes. I downloaded the sources of
2.4.4 and 2.4.5 and compared the inc.c where the format string is
buried:
$diff sylpheed-2.4.4/src/inc.c sylpheed-2.4.5/src/inc.c
1367c1367
< alertpanel_error(err_msg);
---
> alertpanel_error("%s", err_msg);
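Review bot: the change at line 1367 covers only this one call, and alertpanel_error takes a printf-style format, so any other call that passes a non-literal string as its first argument needs the same "%s" form. Declaring alertpanel_error with a printf format attribute (G_GNUC_PRINTF in GLib) would let the compiler warn about such calls instead of relying on a manual search.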
A closer look at the code:

    if (err_msg) {
        alertpanel_error(err_msg);
        g_free(err_msg);
    }

has been changed to

    if (err_msg) {
        alertpanel_error("%s", err_msg);
        g_free(err_msg);
    }

Now I downloaded the sylpheed_2.3.1.orig.tar.gz from here:
http://packages.ubuntu.com/feisty/mail/sylpheed
and looked there and found exactly the same mistake in this inc.c.
Format strings can be injected into err_msg, and through that code can
be executed. The fixed version solves that by formatting the err_msg
input before.
So line 1252 in inc.c needs to be changed to:
alertpanel_error("%s", err_msg);
But what now? In this repos directory there is also a
http://archive.ubuntu.com/ubuntu/pool/universe/s/sylpheed/sylpheed_2.3.1-1~ubuntu1.diff.gz,
what should I do with it? And what are debdiffs? So I know how to patch the
source code, but what should I do now?
I can also fix the bug in addr_compl.c that just crashes. Line 340 needs to be
changed from address = g_strdup_printf(p->address); to address =
g_strdup(p->address); , but do you want to have this patched at all?
greets
--
Sylpheed POP3 Format String Vulnerability
https://bugs.launchpad.net/bugs/136302
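
The difference between the two call forms discussed in the message above, as an added example that is not part of the original message or of Sylpheed's code. show_error, server_reply, render_unfixed and render_fixed are hypothetical names, and the server reply is a constructed sample that uses "%%" so the interpreted case stays well-defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style dialog helper such as
 * alertpanel_error(): it formats into a buffer instead of opening a dialog. */
static int show_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n; /* number of characters the formatted text needs */
}

/* Constructed sample: an error line as a mail server might send it.
 * It contains the two characters "%%", which printf treats as an escape. */
static const char *server_reply(void)
{
    return "-ERR quota 100%% used";
}

/* Pre-fix pattern: the server text is used as the format string, so
 * printf interprets it and the displayed text differs from what was sent. */
static int render_unfixed(char *out, size_t outlen)
{
    return show_error(out, outlen, server_reply());
}

/* Fixed pattern: the server text is only ever data for "%s" and is
 * copied through byte for byte. */
static int render_fixed(char *out, size_t outlen)
{
    return show_error(out, outlen, "%s", server_reply());
}

int main(void)
{
    char a[64], b[64];
    render_unfixed(a, sizeof a);
    render_fixed(b, sizeof b);
    printf("unfixed: %s\nfixed:   %s\n", a, b);
    return 0;
}
```

The unfixed call rewrites the server's text, which shows that the remote side controls the format argument; the fixed call reproduces it unchanged.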