Re: squeeze update of claws-mail?
On Wed, 30 Dec 2015 11:16:33 +0000
Ben Hutchings <firstname.lastname@example.org> wrote:
> On Wed, 2015-12-30 at 11:18 +0100, Ricardo Mones wrote:
> > Hi Ben et al,
> > On Wed, Dec 30, 2015 at 01:48:47AM +0000, Ben Hutchings wrote:
> > > Hello dear maintainer(s),
> > >
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of claws-mail:
> > > https://security-tracker.debian.org/tracker/CVE-2015-8614
> > AFAICS that CVE is missing at least two more affected packages in
> > squeeze: libsylph¹ and sylpheed², which unfortunately contains an
> > embedded code copy (ECC) of the former.
> > Both are still affected on current sid versions³⁴ and upstream⁵, not
> > sure whether that fact should be reflected on the same CVE.
> I decided they were unaffected, because the corresponding functions
> allocate their own output buffer based on the input length.
I've confirmed that Sylpheed and LibSylph are not affected.
It was fixed at Sylpheed 1.9.7 with the following change:
> * src/codeconv.[ch]
> src/html.c: made every code conversion API allocate new memory.
> This removes redundant string copy on conversion.
Hiroyuki Yamamoto <email@example.com>
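To illustrate the distinction Ben and Hiroyuki draw above (a conversion API that sizes and allocates its own output from the input length versus one that writes into a caller-supplied buffer), here is an added example that is not code from Sylpheed, LibSylph or claws-mail. It uses a constructed toy conversion in which every byte >= 0x80 becomes a four-character "\xNN" escape, so the output can be up to four times the input.

```c
/* Constructed example: a conversion whose output may grow up to 4x. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EXPANSION 4   /* worst-case output bytes per input byte */

/* Allocating style (the shape Sylpheed moved to): the callee derives the
 * buffer size from the input, so a caller can never hand in a buffer that
 * is too small. Returns a malloc'ed string (caller frees), NULL on OOM. */
char *conv_alloc(const char *in)
{
    size_t inlen = strlen(in);
    char *out = malloc(inlen * MAX_EXPANSION + 1);
    char *p = out;
    if (!out)
        return NULL;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        if (*s >= 0x80)
            p += sprintf(p, "\\x%02X", (unsigned)*s);   /* 4 bytes */
        else
            *p++ = (char)*s;
    }
    *p = '\0';
    return out;
}

/* Fixed-buffer style: the caller owns the buffer, so the callee has to
 * check the remaining room before each write. Returns 0 on success, -1 if
 * the converted text does not fit (output is truncated but terminated). */
int conv_into(const char *in, char *out, size_t outsize)
{
    size_t used = 0;
    if (outsize == 0)
        return -1;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        size_t need = (*s >= 0x80) ? 4 : 1;
        if (used + need >= outsize) {    /* leave room for the terminator */
            out[used] = '\0';
            return -1;
        }
        if (need == 4)
            sprintf(out + used, "\\x%02X", (unsigned)*s);
        else
            out[used] = (char)*s;
        used += need;
    }
    out[used] = '\0';
    return 0;
}
```

The point of the comparison is that a fixed-size output buffer is only safe if every write is bounds-checked, whereas allocating from the input length removes that class of mistake entirely.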