Public bug reported: I found this on secunia: http://secunia.com/advisories/26550/
affected Software: Sylpheed 2.x Sylpheed-Claws (Claws Mail) 2.x Sylpheed-Claws 1.x Description: Secunia Research has discovered a vulnerability in Sylpheed and Sylpheed-Claws (Claws Mail), which can be exploited by malicious people to compromise a vulnerable system. A format string error in the "inc_put_error()" function in src/inc.c when displaying a POP3 server's error response can be exploited via specially crafted POP3 server replies containing format specifiers. Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into connecting to a malicious POP3 server. A fixed version has been released in the meanwhile: Sylpheed 2.4.5 has been released. This is a security fix release. All users are recommended to upgrade. http://sylpheed.sraoss.jp/en/news.html http://sylpheed.sraoss.jp/en/download.html * The vulnerability that may be exploited by malicious POP3 server was fixed. http://secunia.com/advisories/26550/ * The potential crash bug in address completion was fixed. * The signature separator '--' is not joined on line wrapping now. Could you please upgrade the repos to this fix? bye ** Affects: sylpheed (Ubuntu) Importance: Undecided Status: New ** Visibility changed to: Public -- Sylpheed POP3 Format String Vulnerability https://bugs.launchpad.net/bugs/136302 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs