yamal was right, the bugfix is really simple, just this patch file is so big ^^ Sorry for that, but I never had to deal with these patch files.
I could track it down in a few minutes. I downloaded the sources of 2.4.4 and 2.4.5 and compared the inc.c where the format string is buried:

    $diff sylpheed-2.4.4/src/inc.c sylpheed-2.4.5/src/inc.c
    1367c1367
    < alertpanel_error(err_msg);
    ---
    > alertpanel_error("%s", err_msg);

A brighter look at the code:

    if (err_msg) {
        alertpanel_error(err_msg);
        g_free(err_msg);
    }

has been changed to

    if (err_msg) {
        alertpanel_error("%s", err_msg);
        g_free(err_msg);
    }

Now I downloaded the sylpheed_2.3.1.orig.tar.gz from http://packages.ubuntu.com/feisty/mail/sylpheed and looked there, and found exactly the same mistake in this inc.c. Format strings can be injected into err_msg, and through that, code can be executed. The fixed version solves that by formatting the err_msg input before. So line 1252 in inc.c needs to be changed to:

    alertpanel_error("%s", err_msg);

But what now? In this repos directory there is also a http://archive.ubuntu.com/ubuntu/pool/universe/s/sylpheed/sylpheed_2.3.1-1~ubuntu1.diff.gz, what should I do with it? And what are debdiffs? So I know how to patch the source code, but what should I do now?

I can also fix the crash-only bug in addr_compl.c. Line 340 needs to be changed from

    address = g_strdup_printf(p->address);

to

    address = g_strdup(p->address);

but do you want to have this patched at all?

greets

--
Sylpheed POP3 Format String Vulnerability
https://bugs.launchpad.net/bugs/136302
You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
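
Review bot: the change at inc.c line 1367 stops err_msg from being used as the format, but the diff covers only this one call site. The remaining alertpanel_error() callers and other printf-style calls with a non-literal first argument need the same check, since the message itself reports g_strdup_printf(p->address) in addr_compl.c. Compiling with -Wformat -Wformat-security is one way to list the candidates, provided the helpers are declared as printf-like.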
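
The difference between the two calls in the diff above, as an added example that is not part of the original message or of Sylpheed's code. format_alert() is a hypothetical stand-in for a printf-style helper such as alertpanel_error(), and the sample error text is constructed; it contains only "%%", which consumes no arguments, so the "before" call is safe to run here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style UI helper: the first
 * variadic-facing argument (fmt) is parsed as a format string. */
static void format_alert(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* "Before" pattern: the message itself is used as the format string. */
static void show_before(char *out, size_t n, const char *err_msg)
{
    format_alert(out, n, err_msg);
}

/* "After" pattern from the diff: literal format, message passed as data. */
static void show_after(char *out, size_t n, const char *err_msg)
{
    format_alert(out, n, "%s", err_msg);
}

/* Returns 1 if the message is displayed byte-for-byte, 0 if the printf
 * machinery rewrote it, which means it was parsed as a format. */
static int displayed_verbatim(void (*show)(char *, size_t, const char *),
                              const char *err_msg)
{
    char buf[128];
    show(buf, sizeof buf, err_msg);
    return strcmp(buf, err_msg) == 0;
}

/* Constructed sample standing in for server-supplied error text. */
static const char SAMPLE_ERR[] = "-ERR mailbox 100%% full";

int main(void)
{
    printf("before verbatim: %d\n", displayed_verbatim(show_before, SAMPLE_ERR));
    printf("after  verbatim: %d\n", displayed_verbatim(show_after, SAMPLE_ERR));
    return 0;
}
```

Declaring such a helper with GCC's `__attribute__((format(printf, 3, 4)))` (argument positions for this stand-in) lets `-Wformat-security` flag the "before" call at compile time.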