Source: claws-mail
Version: 3.13.1-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for claws-mail.

CVE-2015-8708[0]:
for incomplete fix for CVE-2015-8614

I'm attaching the patch made by Ben Hutchings for his upload to
squeeze-lts.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8708

Regards,
Salvatore

From: Ben Hutchings <b...@decadent.org.uk>
Date: Tue, 12 Jan 2016 19:28:32 +0000
Subject: Adjust and comment range checks in JP text conversions
Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557

Two of the conversion functions may need more than 3 bytes to convert
the last character, so a limited buffer overrun is still possible.

Bug #3557 / CVE-2015-8708
---
--- a/src/codeconv.c
+++ b/src/codeconv.c
@@ -158,7 +158,11 @@ static gint conv_jistoeuc(gchar *outbuf,
 	gchar *out = outbuf;
 	JISState state = JIS_ASCII;
 
-	while (*in != '\0' && (out - outbuf) < outlen - 3) {
+	/*
+	 * Loop outputs up to 3 bytes in each pass (aux kanji) and we
+	 * need 1 byte to terminate the output
+	 */
+	while (*in != '\0' && (out - outbuf) < outlen - 4) {
 		if (*in == ESC) {
 			in++;
 			if (*in == '$') {
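Review bot: In the new `while` condition of conv_jistoeuc, `outlen - 4` is negative whenever the caller passes a buffer shorter than 4 bytes, and the hunk does not show how `outlen` is declared. If it is a signed type the loop is simply skipped, but if it is unsigned the subtraction wraps and the check passes for a tiny buffer. Please confirm the type, and confirm that the terminator written after the loop is still in bounds when `outlen` is 0. The reserve itself matches the comment (3 bytes per pass plus 1 terminator), so the arithmetic is fine for normal buffer sizes.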
@@ -294,7 +298,12 @@ static gint conv_euctojis(gchar *outbuf,
 	gchar *out = outbuf;
 	JISState state = JIS_ASCII;
 
-	while (*in != '\0' && (out - outbuf) < outlen - 3) {
+	/*
+	 * Loop outputs up to 6 bytes in each pass (aux shift + aux
+	 * kanji) and we need up to 4 bytes to terminate the output
+	 * (ASCII shift + null)
+	 */
+	while (*in != '\0' && (out - outbuf) < outlen - 10) {
 		if (IS_ASCII(*in)) {
 			K_OUT();
 			*out++ = *in++;
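Review bot: The bound `outlen - 10` in conv_euctojis is the sum of two figures that exist only in the comment (6 bytes per pass, up to 4 bytes of termination), and the termination code is outside this hunk, so the 4 cannot be verified from what is shown. Suggest writing the bound as `outlen - (6 + 4)` or as two named constants so the check and the comment cannot drift apart, and confirming that the post-loop code emits at most the ASCII shift plus the null. The loop now stops earlier than before, so output is truncated sooner when the buffer is tight; if any caller sizes the buffer closely, that behaviour change deserves a line in the commit message.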
@@ -382,6 +391,10 @@ static gint conv_sjistoeuc(gchar *outbuf
 	const guchar *in = inbuf;
 	gchar *out = outbuf;
 
+	/*
+	 * Loop outputs up to 2 bytes in each pass and we need 1 byte
+	 * to terminate the output
+	 */
 	while (*in != '\0' && (out - outbuf) < outlen - 3) {
 		if (IS_ASCII(*in)) {
 			*out++ = *in++;
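Review bot: The commit message says two of the conversion functions can need more than 3 bytes, but it does not state that conv_sjistoeuc was audited and found correct; the comment added above its unchanged `outlen - 3` check (2 bytes per pass plus 1 terminator) is the only record of that. Suggest adding a sentence to the commit message saying the existing bound here is sufficient, so the comment-only change is not read as a missed fix.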
_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team