Source: claws-mail Version: 3.13.1-1 Severity: important Tags: security upstream patch
Hi, the following vulnerability was published for claws-mail. CVE-2015-8708[0]: for incomplete fix for CVE-2015-8614 I'm attaching the patch made by Ben Hutchings for his upload to squeeze-lts. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2015-8708 Regards, Salvatore
From: Ben Hutchings <b...@decadent.org.uk> Date: Tue, 12 Jan 2016 19:28:32 +0000 Subject: Adjust and comment range checks in JP text conversions Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557 Two of the conversion functions may need more than 3 bytes to convert the last character, so a limited buffer overrun is still possible. Bug #3557 / CVE-2015-8708 --- --- a/src/codeconv.c +++ b/src/codeconv.c @@ -158,7 +158,11 @@ static gint conv_jistoeuc(gchar *outbuf, gchar *out = outbuf; JISState state = JIS_ASCII; - while (*in != '\0' && (out - outbuf) < outlen - 3) { + /* + * Loop outputs up to 3 bytes in each pass (aux kanji) and we + * need 1 byte to terminate the output + */ + while (*in != '\0' && (out - outbuf) < outlen - 4) { if (*in == ESC) { in++; if (*in == '$') { @@ -294,7 +298,12 @@ static gint conv_euctojis(gchar *outbuf, gchar *out = outbuf; JISState state = JIS_ASCII; - while (*in != '\0' && (out - outbuf) < outlen - 3) { + /* + * Loop outputs up to 6 bytes in each pass (aux shift + aux + * kanji) and we need up to 4 bytes to terminate the output + * (ASCII shift + null) + */ + while (*in != '\0' && (out - outbuf) < outlen - 10) { if (IS_ASCII(*in)) { K_OUT(); *out++ = *in++; @@ -382,6 +391,10 @@ static gint conv_sjistoeuc(gchar *outbuf const guchar *in = inbuf; gchar *out = outbuf; + /* + * Loop outputs up to 2 bytes in each pass and we need 1 byte + * to terminate the output + */ while (*in != '\0' && (out - outbuf) < outlen - 3) { if (IS_ASCII(*in)) { *out++ = *in++;
_______________________________________________ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team