
Bug#863714: marked as done (unblock: libetpan/1.6-3)



Your message dated Wed, 31 May 2017 15:29:10 +0000
with message-id <E1dG5Yc-0003mp-Gq@respighi.debian.org>
and subject line unblock libetpan
has caused the Debian Bug report #863714,
regarding unblock: libetpan/1.6-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863714: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863714
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libetpan

Fixes bug 862151 (CVE-2017-8825). Diff includes an update to Homepage
field which was already in git since past year ;)

Attached debdiff. Thanks in advance and best regards,

unblock libetpan/1.6-3

-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Exercise caution in your daily affairs.»
diff -Nru libetpan-1.6/debian/changelog libetpan-1.6/debian/changelog
--- libetpan-1.6/debian/changelog	2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/changelog	2017-05-30 10:16:19.000000000 +0200
@@ -1,3 +1,12 @@
+libetpan (1.6-3) unstable; urgency=high
+
+  * patches/fix-CVE-2017-8825.diff, patches/series
+  - Add upstream patch to fix CVE-2017-8825 (Closes: #862151)
+  * control
+  - Homepage: point to library's own page
+
+ -- Ricardo Mones <mones@debian.org>  Tue, 30 May 2017 10:16:19 +0200
+
 libetpan (1.6-2) unstable; urgency=medium
 
   * control
diff -Nru libetpan-1.6/debian/control libetpan-1.6/debian/control
--- libetpan-1.6/debian/control	2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/control	2017-05-30 10:16:19.000000000 +0200
@@ -1,7 +1,7 @@
 Source: libetpan
 Section: mail
 Priority: optional
-Homepage: http://libetpan.sourceforge.net/libetpan
+Homepage: http://www.etpan.org/libetpan.html
 Maintainer: Ricardo Mones <mones@debian.org>
 Uploaders: Nikita V. Youshchenko <yoush@debian.org>
 Build-Depends: debhelper (>= 9), autotools-dev, libtool, libdb-dev,
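Review bot: the Homepage line changed in this hunk is unrelated to the CVE-2017-8825 fix that the rest of the debdiff carries, so it widens what has to be reviewed for an unblock. It is a metadata-only change and is listed in the changelog entry, so it is low risk, but a targeted security upload is easier to approve when the diff holds only the fix; consider leaving the Homepage update for the next regular upload.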
diff -Nru libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff
--- libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff	1970-01-01 01:00:00.000000000 +0100
+++ libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff	2017-05-30 10:16:19.000000000 +0200
@@ -0,0 +1,39 @@
+Description: A null dereference vulnerability has been found in the MIME
+ handling component of LibEtPan before 1.8, as used in MailCore and
+ MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed
+ parse of a Cc header containing multiple e-mail addresses.
+Author: Viet Hoa Dinh <dvh@fb.com>
+Origin: upstream, https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d
+Bug-Debian: https://bugs.debian.org/862151
+Last-Update: 2017-05-30
+
+diff --git a/src/low-level/imf/mailimf.c b/src/low-level/imf/mailimf.c
+index 4554f1c..b557070 100644
+--- a/src/low-level/imf/mailimf.c
++++ b/src/low-level/imf/mailimf.c
+@@ -3083,6 +3083,7 @@ static int mailimf_group_parse(const char * message, size_t length,
+   struct mailimf_group * group;
+   int r;
+   int res;
++  clist * list;
+ 
+   cur_token = * indx;
+ 
+@@ -3110,6 +3111,17 @@ static int mailimf_group_parse(const char * message, size_t length,
+       res = r;
+       goto free_display_name;
+     }
++    list = clist_new();
++    if (list == NULL) {
++      res = MAILIMF_ERROR_MEMORY;
++      goto free_display_name;
++    }
++    mailbox_list = mailimf_mailbox_list_new(list);
++    if (mailbox_list == NULL) {
++      res = MAILIMF_ERROR_MEMORY;
++      clist_free(list);
++      goto free_display_name;
++    }
+     break;
+   default:
+     res = r;
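Review bot: the block added to mailimf_group_parse before `break;` allocates an empty mailbox list in a branch that previously only fell through, but nothing in the code says why. Since the Description attributes the crash to a null dereference after a failed parse, a one-line comment above `list = clist_new();` stating that an empty group now yields an empty list instead of a null pointer would keep the intent visible to whoever next touches this switch. The two failure paths shown here clean up correctly (`clist_free(list)` when mailimf_mailbox_list_new fails, then `goto free_display_name`), but the hunk does not show the error paths after the switch, so it is worth confirming that they release mailbox_list now that it can be allocated in this branch. The DEP-3 Description would also read better with a short one-line synopsis first and the CVE text as the long description below it.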
diff -Nru libetpan-1.6/debian/patches/series libetpan-1.6/debian/patches/series
--- libetpan-1.6/debian/patches/series	2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/patches/series	2017-05-30 10:16:19.000000000 +0200
@@ -1 +1,2 @@
 11_use_openjade.diff
+fix-CVE-2017-8825.diff

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
