Bug#771474: marked as done (unblock: claws-mail/3.11.1-2)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#771474: marked as done (unblock: claws-mail/3.11.1-2)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 29 Nov 2014 23:18:22 +0000
Message-id: <[🔎] handler.771474.D771474.141730297121534.ackdone@bugs.debian.org>
References: <1417302961.2472.9.camel@adam-barratt.org.uk> <[🔎] 20141129225204.5687.94364.reportbug@busgosu>

Your message dated Sat, 29 Nov 2014 23:16:01 +0000
with message-id <1417302961.2472.9.camel@adam-barratt.org.uk>
and subject line Re: Bug#771474: unblock: claws-mail/3.11.1-2
has caused the Debian Bug report #771474,
regarding unblock: claws-mail/3.11.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
771474: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771474
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: claws-mail/3.11.1-2
From: Ricardo Mones <mones@debian.org>
Date: Sat, 29 Nov 2014 23:52:04 +0100
Message-id: <[🔎] 20141129225204.5687.94364.reportbug@busgosu>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package claws-mail to fix CVE-2010-5109
in claws-mail-tnef-parser reported as #771360.

Full debdiff attached.

Thanks in advance,

unblock claws-mail/3.11.1-2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru claws-mail-3.11.1/debian/changelog claws-mail-3.11.1/debian/changelog
--- claws-mail-3.11.1/debian/changelog	2014-10-28 01:06:14.000000000 +0100
+++ claws-mail-3.11.1/debian/changelog	2014-11-29 23:11:52.000000000 +0100
@@ -1,3 +1,11 @@
+claws-mail (3.11.1-2) unstable; urgency=high
+
+  * patches/14CVE_2010_5109.patch, patches/series
+  - Fix possible buffer overflow CVE-2010-5109 (Closes: #771360)
+  - Raised urgency because of RC security bug
+
+ -- Ricardo Mones <mones@debian.org>  Sat, 29 Nov 2014 23:03:27 +0100
+
 claws-mail (3.11.1-1) unstable; urgency=medium
 
   * New upstream bugfix release
diff -Nru claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch
--- claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch	1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.11.1/debian/patches/14CVE_2010_5109.patch	2014-11-29 23:11:52.000000000 +0100
@@ -0,0 +1,23 @@
+Description: Patch to fix possible buffer overflow
+ in TNEF parser's embedded copy of ytnef library.
+ Originally CVE-2010-5109 in libytnef.
+Author: Petr Písař <ppisar@redhat.com>
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=831322
+Acked-by: Moritz Muehlenhoff <jmm@debian.org>
+Bug-Debian: https://bugs.debian.org/771360
+Applied-Upstream: commit:a8df3ae48ad5732018934b378abb11a022735c5e
+Last-Update: 2014-11-29
+
+diff --git a/src/plugins/tnef_parse/ytnef.c b/src/plugins/tnef_parse/ytnef.c
+index a2e7ed3..9184836 100644
+--- a/src/plugins/tnef_parse/ytnef.c
++++ b/src/plugins/tnef_parse/ytnef.c
+@@ -1352,7 +1352,7 @@ unsigned char *DecompressRTF(variableLength *p, int *size) {
+ 
+     comp_Prebuf.size = strlen(RTF_PREBUF);
+     comp_Prebuf.data = calloc(comp_Prebuf.size + 1, 1);
+-    strcpy(comp_Prebuf.data, RTF_PREBUF);
++    memcpy(comp_Prebuf.data, RTF_PREBUF, comp_Prebuf.size);
+ 
+     src = p->data;
+     in = 0;
diff -Nru claws-mail-3.11.1/debian/patches/series claws-mail-3.11.1/debian/patches/series
--- claws-mail-3.11.1/debian/patches/series	2014-10-28 01:06:14.000000000 +0100
+++ claws-mail-3.11.1/debian/patches/series	2014-11-29 23:11:52.000000000 +0100
@@ -1,3 +1,4 @@
 11mark_trashed_as_read.patch
 12fix_manpage_header.patch
 13desktop_file_categories.patch
+14CVE_2010_5109.patch

--- End Message ---

--- Begin Message ---

To: Ricardo Mones <mones@debian.org>, 771474-done@bugs.debian.org

Subject: Re: Bug#771474: unblock: claws-mail/3.11.1-2

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 29 Nov 2014 23:16:01 +0000

Message-id: <1417302961.2472.9.camel@adam-barratt.org.uk>

In-reply-to: <[🔎] 20141129225204.5687.94364.reportbug@busgosu>

References: <[🔎] 20141129225204.5687.94364.reportbug@busgosu>
On Sat, 2014-11-29 at 23:52 +0100, Ricardo Mones wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi Release Team,
> 
> Please unblock package claws-mail to fix CVE-2010-5109
> in claws-mail-tnef-parser reported as #771360.

Unblocked, thanks.

Regards,

Adam
--- End Message ---

Reply to:

References:
- Bug#771474: unblock: claws-mail/3.11.1-2
  - From: Ricardo Mones <mones@debian.org>

Prev by Date: Processed: tagging 771360, block 771360 with 771474
Next by Date: Bug#771426: marked as done (unblock: ifupdown/0.7.50)
Previous by thread: Bug#771474: unblock: claws-mail/3.11.1-2
Next by thread: Processed: tagging 771360, block 771360 with 771474
Index(es):
- Date
- Thread