Hello,

On Wed, 30 Dec 2015 11:16:33 +0000
Ben Hutchings <b...@debian.org> wrote:

> On Wed, 2015-12-30 at 11:18 +0100, Ricardo Mones wrote:
> > Hi Ben et al,
> >
> > On Wed, Dec 30, 2015 at 01:48:47AM +0000, Ben Hutchings wrote:
> > > Hello dear maintainer(s),
> > >
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of claws-mail:
> > > https://security-tracker.debian.org/tracker/CVE-2015-8614
> >
> > AFAICS that CVE is missing at least two more affected packages in
> > squeeze: libsylph¹ and sylpheed², which unfortunately contains an
> > embedded code copy (ECC) of the former.
> >
> > Both are still affected on current sid versions³⁴ and upstream⁵, not
> > sure whether that fact should be reflected on the same CVE.
> [...]
>
> I decided they were unaffected, because the corresponding functions
> allocate their own output buffer based on the input length.

I've confirmed that Sylpheed and LibSylph are not affected.
It was fixed at Sylpheed 1.9.7 with the following change:

> 2005-03-17
>
> 	* src/codeconv.[ch]
> 	  src/textview.c
> 	  src/unmime.c
> 	  src/procheader.c
> 	  src/sourcewindow.c
> 	  src/rfc2015.c
> 	  src/html.c: made every code conversion API allocate new memory.
> 	  This removes redundant string copy on conversion.

-- 
Hiroyuki Yamamoto <hir...@kcn.ne.jp>