Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libetpan

Fixes bug 862151 (CVE-2017-8825). Diff includes an update to the Homepage field, which was already in git since last year ;)

Attached debdiff.

Thanks in advance and best regards,

unblock libetpan/1.6-3

--
Ricardo Mones
http://people.debian.org/~mones
«Exercise caution in your daily affairs.»
diff -Nru libetpan-1.6/debian/changelog libetpan-1.6/debian/changelog --- libetpan-1.6/debian/changelog 2016-10-12 23:35:06.000000000 +0200 +++ libetpan-1.6/debian/changelog 2017-05-30 10:16:19.000000000 +0200 @@ -1,3 +1,12 @@ +libetpan (1.6-3) unstable; urgency=high + + * patches/fix-CVE-2017-8825.diff, patches/series + - Add upstream patch to fix CVE-2017-8825 (Closes: #862151) + * control + - Homepage: point to library's own page + + -- Ricardo Mones <mo...@debian.org> Tue, 30 May 2017 10:16:19 +0200 + libetpan (1.6-2) unstable; urgency=medium * control diff -Nru libetpan-1.6/debian/control libetpan-1.6/debian/control --- libetpan-1.6/debian/control 2016-10-12 23:35:06.000000000 +0200 +++ libetpan-1.6/debian/control 2017-05-30 10:16:19.000000000 +0200 @@ -1,7 +1,7 @@ Source: libetpan Section: mail Priority: optional -Homepage: http://libetpan.sourceforge.net/libetpan +Homepage: http://www.etpan.org/libetpan.html Maintainer: Ricardo Mones <mo...@debian.org> Uploaders: Nikita V. Youshchenko <yo...@debian.org> Build-Depends: debhelper (>= 9), autotools-dev, libtool, libdb-dev, diff -Nru libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff --- libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff 1970-01-01 01:00:00.000000000 +0100 +++ libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff 2017-05-30 10:16:19.000000000 +0200 
@@ -0,0 +1,39 @@ +Description: A null dereference vulnerability has been found in the MIME + handling component of LibEtPan before 1.8, as used in MailCore and + MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed + parse of a Cc header containing multiple e-mail addresses. +Author: Viet Hoa Dinh <d...@fb.com> +Origin: upstream, https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d +Bug-Debian: https://bugs.debian.org/862151 +Last-Update: 2017-05-30 + +diff --git a/src/low-level/imf/mailimf.c b/src/low-level/imf/mailimf.c +index 4554f1c..b557070 100644 +--- a/src/low-level/imf/mailimf.c ++++ b/src/low-level/imf/mailimf.c +@@ -3083,6 +3083,7 @@ static int mailimf_group_parse(const char * message, size_t length, + struct mailimf_group * group; + int r; + int res; ++ clist * list; + + cur_token = * indx; + +@@ -3110,6 +3111,17 @@ static int mailimf_group_parse(const char * message, size_t length, + res = r; + goto free_display_name; + } ++ list = clist_new(); ++ if (list == NULL) { ++ res = MAILIMF_ERROR_MEMORY; ++ goto free_display_name; ++ } ++ mailbox_list = mailimf_mailbox_list_new(list); ++ if (mailbox_list == NULL) { ++ res = MAILIMF_ERROR_MEMORY; ++ clist_free(list); ++ goto free_display_name; ++ } + break; + default: + res = r; diff -Nru libetpan-1.6/debian/patches/series libetpan-1.6/debian/patches/series --- libetpan-1.6/debian/patches/series 2016-10-12 23:35:06.000000000 +0200 +++ libetpan-1.6/debian/patches/series 2017-05-30 10:16:19.000000000 +0200 @@ -1 +1,2 @@ 11_use_openjade.diff +fix-CVE-2017-8825.diff
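Review bot: the `Homepage:` change in the debian/control hunk is unrelated to CVE-2017-8825 and is the only non-security change in this debdiff; it touches source metadata only, so it should not alter the built binaries, and the changelog entry documents it. Since freeze unblocks are normally judged on a minimal diff, keeping it called out in the request, as the mail already does, is the right approach; no change needed to the hunk itself.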
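Review bot: in the `@@ -3110,6 +3111,17 @@` hunk of fix-CVE-2017-8825.diff, the branch that ends in `break;` just before `default:` previously reached that `break;` without ever assigning `mailbox_list`, which is what the DEP-3 description's null dereference on a Cc group refers to; the added `clist_new()` / `mailimf_mailbox_list_new(list)` gives that branch an empty list instead, which is consistent with RFC 5322, where a group's mailbox list is optional. The failure path is handled correctly (`clist_free(list)` when `mailimf_mailbox_list_new` returns NULL before `goto free_display_name`), but the hunk only shows `free_display_name` as a cleanup target: please confirm that any later error exits after this point jump to a label that also releases `mailbox_list`, otherwise the newly allocated empty list leaks on those paths. The companion `@@ -3083,6 +3083,7 @@` hunk only adds the `clist * list;` declaration and needs no comment.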