Your message dated Sat, 16 May 2026 10:34:02 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1130176,
regarding trixie-pu: package sylpheed/3.8.0~beta1-2+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130176
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:sylpheed
User: [email protected]
Usertags: pu
[ Reason ]
CVE-2021-37746
[ Impact ]
The user may click a link that is represented differently in the email viewer.
[ Tests ]
Just build-tested.
[ Risks ]
Code is trivial and has been in claws-mail for a while.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[ ] the issue is verified as fixed in unstable
[ Changes ]
The link checker protects against more cases where the link target and
HTML representation differ, which might be malicious.
[ Other info ]
This is a non-maintainer upload. The package is gone from unstable so
cannot be fixed there upfront.
diff -Nru sylpheed-3.8.0~beta1/debian/changelog
sylpheed-3.8.0~beta1/debian/changelog
--- sylpheed-3.8.0~beta1/debian/changelog 2024-08-12 17:08:26.000000000
+0200
+++ sylpheed-3.8.0~beta1/debian/changelog 2026-03-09 17:43:38.000000000
+0100
@@ -1,3 +1,10 @@
+sylpheed (3.8.0~beta1-2+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload
+ * Add link check to address CVE-2021-37746 (backport from claws-mail)
+
+ -- Bastian Germann <[email protected]> Mon, 09 Mar 2026 17:43:38 +0100
+
sylpheed (3.8.0~beta1-2) unstable; urgency=high
* Add patch to fix FTBFS with GCC 14 (Closes: #1075546)
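Review bot: The new 3.8.0~beta1-2+deb13u1 entry at the top of this hunk carries no bug reference, unlike the 3.8.0~beta1-2 entry below it with its `(Closes: #1075546)`. If a Debian bug tracks CVE-2021-37746 against sylpheed, add the `Closes:` to the `Add link check` line so the fix is tied to it in the tracker.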
diff -Nru sylpheed-3.8.0~beta1/debian/patches/CVE-2021-37746.patch
sylpheed-3.8.0~beta1/debian/patches/CVE-2021-37746.patch
--- sylpheed-3.8.0~beta1/debian/patches/CVE-2021-37746.patch 1970-01-01
01:00:00.000000000 +0100
+++ sylpheed-3.8.0~beta1/debian/patches/CVE-2021-37746.patch 2026-03-09
17:43:38.000000000 +0100
@@ -0,0 +1,32 @@
+Origin: backport,
https://git.claws-mail.org/?p=claws.git;a=commit;h=ac286a71ed78429e16c612161251b9ea90ccd431
+From: Paul <[email protected]>
+Date: Sun, 23 May 2021 12:16:40 +0100
+Subject: harden link checker before accepting click
+
+---
+ src/textview.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/textview.c b/src/textview.c
+index e55eea9..0ec9f8e 100644
+--- a/src/textview.c
++++ b/src/textview.c
+@@ -2689,7 +2689,7 @@ static gboolean textview_uri_security_check(TextView
*textview, RemoteURI *uri)
+ gboolean retval = TRUE;
+
+ if (is_uri_string(uri->uri) == FALSE)
+- return TRUE;
++ return FALSE;
+
+ buffer = gtk_text_view_get_buffer(GTK_TEXT_VIEW(textview->text));
+ gtk_text_buffer_get_iter_at_offset(buffer, &start_iter, uri->start);
+@@ -2725,6 +2725,9 @@ static gboolean textview_uri_security_check(TextView
*textview, RemoteURI *uri)
+ if (aval == G_ALERTDEFAULT)
+ retval = TRUE;
+ }
++ if (strlen(uri->uri) > get_uri_len(uri->uri))
++ retval = FALSE;
++
+
+ g_free(visible_str);
+
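Review bot: In the second hunk of the embedded patch, `if (strlen(uri->uri) > get_uri_len(uri->uri)) retval = FALSE;` sits after the context lines that set `retval = TRUE` when `aval == G_ALERTDEFAULT`, so a target longer than the length `get_uri_len()` reports is refused even when the user has just confirmed it, and nothing tells them why. Consider running this length test up front, next to the `is_uri_string()` early return, so the user is never asked a question whose answer is then discarded. The first hunk's change from `return TRUE` to `return FALSE` makes the check fail closed for anything `is_uri_string()` rejects; since the request lists the change as only build-tested, a manual click on an ordinary link, on a link whose text and target differ, and on a non-URI target would confirm that legitimate links still open in sylpheed. The added lines also leave two consecutive blank lines before `g_free(visible_str);`.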
diff -Nru sylpheed-3.8.0~beta1/debian/patches/series
sylpheed-3.8.0~beta1/debian/patches/series
--- sylpheed-3.8.0~beta1/debian/patches/series 2024-08-12 17:08:26.000000000
+0200
+++ sylpheed-3.8.0~beta1/debian/patches/series 2026-03-09 17:43:38.000000000
+0100
@@ -11,3 +11,4 @@
0011-update-.desktop-entry-for-newest-desktop-entry-spec.patch
0012-fix-typo-import.patch
0013-fix-FTBFS-GCC-14.patch
+CVE-2021-37746.patch
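Review bot: The appended entry `CVE-2021-37746.patch` drops the numeric prefix used by the entries above it (`0012-fix-typo-import.patch`, `0013-fix-FTBFS-GCC-14.patch`). Naming it `0014-CVE-2021-37746.patch` would keep the apply order readable from the file names alone.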
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---