Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi Release Team, Please unblock package claws-mail to fix CVE-2010-5109 in claws-mail-tnef-parser reported as #771360. Full debdiff attached. Thanks in advance, unblock claws-mail/3.11.1-2 -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru claws-mail-3.11.1/debian/changelog claws-mail-3.11.1/debian/changelog --- claws-mail-3.11.1/debian/changelog 2014-10-28 01:06:14.000000000 +0100 +++ claws-mail-3.11.1/debian/changelog 2014-11-29 23:11:52.000000000 +0100 @@ -1,3 +1,11 @@ +claws-mail (3.11.1-2) unstable; urgency=high + + * patches/14CVE_2010_5109.patch, patches/series + - Fix possible buffer overflow CVE-2010-5109 (Closes: #771360) + - Raised urgency because of RC security bug + + -- Ricardo Mones <mo...@debian.org> Sat, 29 Nov 2014 23:03:27 +0100 + claws-mail (3.11.1-1) unstable; urgency=medium * New upstream bugfix release diff -Nru claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch --- claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch 1970-01-01 01:00:00.000000000 +0100 +++ claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch 2014-11-29 23:11:52.000000000 +0100 @@ -0,0 +1,23 @@ +Description: Patch to fix possible buffer overflow + in TNEF parser's embedded copy of ytnef library. + Originally CVE-2010-5109 in libytnef. +Author: Petr Písař <ppi...@redhat.com> +Origin: https://bugzilla.redhat.com/show_bug.cgi?id=831322 +Acked-by: Moritz Muehlenhoff <j...@debian.org> +Bug-Debian: https://bugs.debian.org/771360 +Applied-Upstream: commit:a8df3ae48ad5732018934b378abb11a022735c5e +Last-Update: 2014-11-29 + +diff --git a/src/plugins/tnef_parse/ytnef.c b/src/plugins/tnef_parse/ytnef.c +index a2e7ed3..9184836 100644 +--- a/src/plugins/tnef_parse/ytnef.c ++++ b/src/plugins/tnef_parse/ytnef.c +@@ -1352,7 +1352,7 @@ unsigned char *DecompressRTF(variableLength *p, int *size) { + + comp_Prebuf.size = strlen(RTF_PREBUF); + comp_Prebuf.data = calloc(comp_Prebuf.size + 1, 1); +- strcpy(comp_Prebuf.data, RTF_PREBUF); ++ memcpy(comp_Prebuf.data, RTF_PREBUF, comp_Prebuf.size); + + src = p->data; + in = 0; diff -Nru claws-mail-3.11.1/debian/patches/series claws-mail-3.11.1/debian/patches/series --- claws-mail-3.11.1/debian/patches/series 2014-10-28 01:06:14.000000000 +0100 +++ claws-mail-3.11.1/debian/patches/series 2014-11-29 23:11:52.000000000 +0100 @@ -1,3 +1,4 @@ 11mark_trashed_as_read.patch 12fix_manpage_header.patch 13desktop_file_categories.patch +14CVE_2010_5109.patch