Bug#863714: unblock: libetpan/1.6-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libetpan
Fixes bug 862151 (CVE-2017-8825). Diff includes an update to the Homepage
field, which has already been in git since last year ;)
Attached debdiff. Thanks in advance and best regards,
unblock libetpan/1.6-3
--
Ricardo Mones
http://people.debian.org/~mones
«Exercise caution in your daily affairs.»
diff -Nru libetpan-1.6/debian/changelog libetpan-1.6/debian/changelog
--- libetpan-1.6/debian/changelog 2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/changelog 2017-05-30 10:16:19.000000000 +0200
@@ -1,3 +1,12 @@
+libetpan (1.6-3) unstable; urgency=high
+
+ * patches/fix-CVE-2017-8825.diff, patches/series
+ - Add upstream patch to fix CVE-2017-8825 (Closes: #862151)
+ * control
+ - Homepage: point to library's own page
+
+ -- Ricardo Mones <mones@debian.org> Tue, 30 May 2017 10:16:19 +0200
+
libetpan (1.6-2) unstable; urgency=medium
* control
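Review bot: the version in `+libetpan (1.6-3) unstable; urgency=high` is 1.6-3, while the report's subject line asks to unblock 1.6-2; the `unblock libetpan/1.6-3` line in the body agrees with the changelog, so the subject looks like a typo, but stating the intended version once explicitly avoids the release team unblocking the wrong one. The entry itself reads well: urgency=high fits a CVE fix, `Closes: #862151` matches the `Bug-Debian` field in the new patch header, and the unrelated Homepage change is listed as its own item rather than folded into the security line.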
diff -Nru libetpan-1.6/debian/control libetpan-1.6/debian/control
--- libetpan-1.6/debian/control 2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/control 2017-05-30 10:16:19.000000000 +0200
@@ -1,7 +1,7 @@
Source: libetpan
Section: mail
Priority: optional
-Homepage: http://libetpan.sourceforge.net/libetpan
+Homepage: http://www.etpan.org/libetpan.html
Maintainer: Ricardo Mones <mones@debian.org>
Uploaders: Nikita V. Youshchenko <yoush@debian.org>
Build-Depends: debhelper (>= 9), autotools-dev, libtool, libdb-dev,
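Review bot: the replacement `+Homepage: http://www.etpan.org/libetpan.html` still uses plain http; if the etpan.org site serves https, prefer that so anyone following the field from the package metadata gets an authenticated connection. The change touches only metadata, not the build or the binaries, which is what makes it a low-risk passenger on a freeze-exception upload.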
diff -Nru libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff
--- libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff 1970-01-01 01:00:00.000000000 +0100
+++ libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff 2017-05-30 10:16:19.000000000 +0200
@@ -0,0 +1,39 @@
+Description: A null dereference vulnerability has been found in the MIME
+ handling component of LibEtPan before 1.8, as used in MailCore and
+ MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed
+ parse of a Cc header containing multiple e-mail addresses.
+Author: Viet Hoa Dinh <dvh@fb.com>
+Origin: upstream, https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d
+Bug-Debian: https://bugs.debian.org/862151
+Last-Update: 2017-05-30
+
+diff --git a/src/low-level/imf/mailimf.c b/src/low-level/imf/mailimf.c
+index 4554f1c..b557070 100644
+--- a/src/low-level/imf/mailimf.c
++++ b/src/low-level/imf/mailimf.c
+@@ -3083,6 +3083,7 @@ static int mailimf_group_parse(const char * message, size_t length,
+ struct mailimf_group * group;
+ int r;
+ int res;
++ clist * list;
+
+ cur_token = * indx;
+
+@@ -3110,6 +3111,17 @@ static int mailimf_group_parse(const char * message, size_t length,
+ res = r;
+ goto free_display_name;
+ }
++ list = clist_new();
++ if (list == NULL) {
++ res = MAILIMF_ERROR_MEMORY;
++ goto free_display_name;
++ }
++ mailbox_list = mailimf_mailbox_list_new(list);
++ if (mailbox_list == NULL) {
++ res = MAILIMF_ERROR_MEMORY;
++ clist_free(list);
++ goto free_display_name;
++ }
+ break;
+ default:
+ res = r;
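Review bot: the `switch` case that the new `list = clist_new();` block sits in is not visible in the hunk, so confirm that it is the outcome where the preceding parse call produced no mailbox list, because the fix changes that outcome from leaving `mailbox_list` unset to handing the group an empty list; that is what stops the later NULL dereference the Description attributes to a failed parse of a multi-address Cc header, but it also means such a header now yields a group with no members instead of an error, which callers of `mailimf_group_parse` should tolerate. The error handling in the added lines is consistent: `clist_free(list)` runs only when `mailimf_mailbox_list_new(list)` returns NULL, which is the right shape assuming the constructor takes ownership of `list` on success, and both new failure paths reuse the existing `free_display_name` label with `MAILIMF_ERROR_MEMORY`. On the DEP-3 header, `Origin` naming the upstream commit is good; since the Description says the bug affects LibEtPan before 1.8 and this is being applied to 1.6, an `Applied-Upstream:` field (or a note in `Description`) would make the backport status clearer to the security team.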
diff -Nru libetpan-1.6/debian/patches/series libetpan-1.6/debian/patches/series
--- libetpan-1.6/debian/patches/series 2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/patches/series 2017-05-30 10:16:19.000000000 +0200
@@ -1 +1,2 @@
11_use_openjade.diff
+fix-CVE-2017-8825.diff
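Review bot: `+fix-CVE-2017-8825.diff` is appended after `11_use_openjade.diff` without the numeric prefix the existing entry uses; `series` already fixes the application order, so this is only a naming-consistency point, but a prefix (or dropping it from both) keeps `ls debian/patches` in the same order as `series`. Appending last is the right position for a patch that touches only `src/low-level/imf/mailimf.c`; a clean `quilt push -a` before upload confirms it applies without offset against the earlier patch.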