
[SECURITY] [DLA 383-1] claws-mail security update

Package        : claws-mail
Version        : 3.7.6-4+squeeze2
CVE ID         : CVE-2015-8614 CVE-2015-8708

"DrWhax" of the Tails project reported that Claws Mail is missing
range checks in some text conversion functions.  A remote attacker
could exploit this to run arbitrary code under the account of a user
that receives a message from them using Claws Mail.

CVE-2015-8614

    There were no checks on the output length for conversions between
    JIS (ISO-2022-JP) and EUC-JP, between JIS and UTF-8, and from
    Shift_JIS to EUC-JP.

CVE-2015-8708

    The original fix for CVE-2015-8614 was incomplete.
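As an added illustration, not Claws Mail's own code: a minimal EUC-JP to ISO-2022-JP (JIS) converter that checks the remaining output space before every write, the kind of output-length check the advisory reports missing. It handles ASCII and JIS X 0208 two-byte characters only; the function names and the sample input are the editor's own.

```c
#include <stddef.h>
#include <string.h>

/* Copy n bytes into out at *pos, refusing if they would not fit.
 * This bound check is the kind of check the advisory reports missing. */
static int emit(unsigned char *out, size_t outlen, size_t *pos,
                const unsigned char *bytes, size_t n)
{
    if (n > outlen - *pos)
        return -1;
    memcpy(out + *pos, bytes, n);
    *pos += n;
    return 0;
}

/* Convert EUC-JP (ASCII + JIS X 0208 only) to ISO-2022-JP. Output can
 * grow, because escape sequences are inserted around each kanji run.
 * Returns bytes written, or -1 if the output buffer is too small or
 * the input is malformed/unsupported. */
int euc_to_jis(const unsigned char *in, size_t inlen,
               unsigned char *out, size_t outlen)
{
    static const unsigned char to_kanji[3] = { 0x1b, '$', 'B' };
    static const unsigned char to_ascii[3] = { 0x1b, '(', 'B' };
    size_t i = 0, pos = 0;
    int kanji = 0;
    while (i < inlen) {
        unsigned char c = in[i];
        if (c < 0x80) {
            if (kanji && emit(out, outlen, &pos, to_ascii, 3) < 0) return -1;
            kanji = 0;
            if (emit(out, outlen, &pos, &c, 1) < 0) return -1;
            i++;
        } else if (c >= 0xa1 && c <= 0xfe && i + 1 < inlen &&
                   in[i + 1] >= 0xa1 && in[i + 1] <= 0xfe) {
            /* EUC-JP two-byte char: clear the high bit of each byte. */
            unsigned char pair[2] = { c & 0x7f, in[i + 1] & 0x7f };
            if (!kanji && emit(out, outlen, &pos, to_kanji, 3) < 0) return -1;
            kanji = 1;
            if (emit(out, outlen, &pos, pair, 2) < 0) return -1;
            i += 2;
        } else {
            return -1;
        }
    }
    /* ISO-2022-JP text must end in the ASCII state. */
    if (kanji && emit(out, outlen, &pos, to_ascii, 3) < 0) return -1;
    return (int)pos;
}
```

A caller that sizes the output buffer from the input length alone (1:1) would already be too small for the constructed four-byte input below, which needs ten bytes of JIS output.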

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 3.7.6-4+squeeze2.

For the oldstable distribution (wheezy) and the stable distribution
(jessie), this will be fixed soon.  These versions were built with
hardening features that make this issue harder to exploit.

Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
