Bug 47310 (CVE-2003-0852)

Summary: VUL-0: CVE-2003-0852: sylpheed: remote exploitable format string bug
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Jens Oberender <didge>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2003-0852: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: putonftp-8.2.sylpheed

Description Thomas Biege 2003-10-14 20:47:29 UTC
Hi,
a remotely exploitable bug was found in sylpheed.
http://lists.insecure.org/lists/fulldisclosure/2003/May/0070.html

Patch:
http://cvs.sourceforge.net/viewcvs.py/sylpheed-claws/sylpheed-claws/src/send_message.c?r1=1.18&r2=1.19

Besides the format string bug there may be an exploitable buffer overflow too.
But until now it isn't public and we don't have a positive confirmation.
Comment 1 Thomas Biege 2003-10-14 20:47:29 UTC
quoted: 
How to reproduce: 
Create a test account with smtp server localhost:1234 
Then do: 
perl -e 'print "535 failed %x%x%n\r\n"' | nc -l -p 1234 
Then send a message. 
Actual result - sylpheed crashes.
Comment 2 Thomas Biege 2003-10-14 20:51:04 UTC
Created attachment 14900 [details]
putonftp-8.2.sylpheed
Comment 3 Jens Oberender 2003-10-15 21:21:11 UTC
The FullDisclosure link was not related to Sylpheed.
The only FullDisclosure mail with Sylpheed was:
http://lists.insecure.org/lists/fulldisclosure/2003/May/0221.html
But it stated:
Sylpheed 0.8.11 (including -claws) is "vulnerable". Just a crash, don't
worry about it.

The diff is only valid for newer versions, as there are only 7 occurrences of
alertpanel_error_log in the sources of the 8.2 version.

So the bug is valid for the current (9.0) version.
Is there some documentation on how to fix such bugs and release a YOU update?
Comment 4 Thomas Biege 2003-10-16 18:12:01 UTC
Yes, just 9.0 and STABLE are affected.
The following files/lines show the bug:
	src/inc.c:              alertpanel_error_log(err_msg);
	src/send_message.c:             alertpanel_error_log(err_msg);

Please change it to:
	alertpanel_error_log("%s", err_msg);

Docu: Look at w3d.suse.de. mmj maintains a Packaging-HowTo.
Just add the patch to your package, update the changes file (vc), cp the whole directory
plus the putonftp file to /work/src/done/9.0/ resp. to /work/src/done/STABLE/, ask
suse-dist to build your package (you may want to use distmail for it).
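The two source lines above are the whole bug: a line the SMTP server sent back (in the reproduction from Comment 1, "535 failed %x%x%n") ends up as the format string of a printf-style logger, so "%x" reads the caller's stack and "%n" writes through a pointer taken from it. The following is an added illustration and not sylpheed code: alertpanel_error_log is a stand-in that formats into a buffer instead of opening a dialog, the vulnerable and fixed wrappers mirror the before/after of the one-line patch, and the small directive scanner is an assumed helper showing how to tell a harmless server line from one that carries a write primitive. The SMTP lines are constructed for the example.

```c
/* Added example, not part of sylpheed: the CVE-2003-0852 pattern and its fix. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Stand-in for sylpheed's alertpanel_error_log(): a printf-style variadic
 * logger. The real one shows an alert dialog and appends to the log window;
 * this one formats into 'out' so the result can be inspected. */
int alertpanel_error_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-fix pattern from src/inc.c and src/send_message.c: the server-supplied
 * error line IS the format string. Not exercised below: with "535 failed
 * %x%x%n" it reads two words of the caller's stack and writes a byte count
 * through whatever pointer follows, i.e. undefined behaviour and the crash
 * in the bug report. */
int log_server_error_vulnerable(char *out, size_t outlen, const char *err_msg)
{
    return alertpanel_error_log(out, outlen, err_msg);
}

/* Post-fix pattern: the server line becomes an argument to a constant
 * "%s" format, so any '%' in it is copied literally. */
int log_server_error_fixed(char *out, size_t outlen, const char *err_msg)
{
    return alertpanel_error_log(out, outlen, "%s", err_msg);
}

/* Assumed helper: walk a string the way printf would and count conversion
 * directives; "%%" is a literal percent and is not counted. Sets *has_n
 * when a "%n" directive (the write primitive) is present. */
static int scan_format(const char *s, int *has_n)
{
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '\0') break;          /* trailing lone '%' */
        if (*p == '%') continue;        /* "%%" */
        /* skip flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.hlLqjzt", *p)) p++;
        if (*p == '\0') break;
        count++;
        if (*p == 'n' && has_n) *has_n = 1;
    }
    return count;
}

int count_format_directives(const char *s) { return scan_format(s, NULL); }

int has_write_directive(const char *s)
{
    int n = 0;
    scan_format(s, &n);
    return n;
}

/* 1 if the fixed logger reproduces the server line byte for byte. */
int fixed_logger_preserves_literal(const char *msg)
{
    char out[LOGBUF];
    int n = log_server_error_fixed(out, sizeof out, msg);
    return n == (int)strlen(msg) && strcmp(out, msg) == 0;
}

int main(void)
{
    /* Constructed SMTP AUTH failure line, as the nc one-liner in Comment 1
     * sends it (CRLF already stripped by the client). */
    const char *evil = "535 failed %x%x%n";
    char out[LOGBUF];

    printf("directives=%d has_%%n=%d\n",
           count_format_directives(evil), has_write_directive(evil));
    log_server_error_fixed(out, sizeof out, evil);
    printf("fixed logger: %s\n", out);
    /* log_server_error_vulnerable(out, sizeof out, evil);  -- UB, would crash */
    return 0;
}
```

The scanner is a review aid, not a mitigation: the fix is never to let untrusted data reach the format argument, which "%s" guarantees regardless of what the server sends. It is also why the 8.2 tree, with fewer alertpanel_error_log call sites, still has to be checked call by call rather than by applying the diff blindly.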
Comment 5 Jens Oberender 2003-10-16 22:55:04 UTC
I built the package and copied it to the locations.
I added the putonftp only to the 9.0 one, with the option p, as I don't think we need x since the bug isn't severe in my eyes.
Could someone please check and accept it.
Comment 6 Thomas Biege 2003-10-17 20:23:31 UTC
Please re-add the x-flag, it's absolutely needed.
Comment 7 Jens Oberender 2003-10-17 20:47:44 UTC
OK, I put it again in /work/src/done/9.0/, now with the x-flag.
Comment 8 Thomas Biege 2003-10-20 16:48:51 UTC
package approved 
Comment 9 Roman Drahtmueller 2003-10-21 17:51:01 UTC
For the case that we mention it in sect 2 of some announcement: This is CVE name 
CAN-2003-0852.

R.
Comment 10 Thomas Biege 2009-10-13 19:40:18 UTC
CVE-2003-0852: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)