Bug 47310 (CVE-2003-0852) - VUL-0: CVE-2003-0852: sylpheed: remote exploitable format string bug
Summary: VUL-0: CVE-2003-0852: sylpheed: remote exploitable format string bug
Status: RESOLVED FIXED
Alias: CVE-2003-0852
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Jens Oberender
QA Contact: Security Team bot
Whiteboard: CVE-2003-0852: CVSS v2 Base Score: 5....
Reported: 2003-10-14 20:47 UTC by Thomas Biege
Modified: 2021-09-29 14:38 UTC

Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
putonftp-8.2.sylpheed (166 bytes, text/plain)
2003-10-14 20:51 UTC, Thomas Biege
Description Thomas Biege 2003-10-14 20:47:29 UTC
Hi, 
a remote exploitable bug was found in sylpheed. 
http://lists.insecure.org/lists/fulldisclosure/2003/May/0070.html 
 
Patch: 
http://cvs.sourceforge.net/viewcvs.py/sylpheed-claws/sylpheed-claws/src/send_message.c?r1=1.18&r2=1.19 
 
Besides the format string bug there may be an exploitable buffer overflow too. 
But until now it isn't public and we don't have a positive confirmation.
Comment 1 Thomas Biege 2003-10-14 20:47:29 UTC
quoted: 
How to reproduce: 
Create a test account with smtp server localhost:1234 
Then do: 
perl -e 'print "535 failed %x%x%n\r\n"' | nc -l -p 1234 
Then send a message. 
Actual result - sylpheed crashes.
Comment 2 Thomas Biege 2003-10-14 20:51:04 UTC
Created attachment 14900 [details]
putonftp-8.2.sylpheed
Comment 3 Jens Oberender 2003-10-15 21:21:11 UTC
The FullDisclosure link was not related to Sylpheed.
The only FullDisclosure mail with Sylpheed was:
http://lists.insecure.org/lists/fulldisclosure/2003/May/0221.html
But it stated:
Sylpheed 0.8.11 (including -claws) is "vulnerable". Just a crash, don't
worry about it.

The diff is only valid for newer versions as there are only 7 occurrences of
alertpanel_error_log in the sources of the 8.2 version.

So the bug is valid for the current (9.0) version.
Is there some documentation on how to fix such bugs and release a YOU update?
Comment 4 Thomas Biege 2003-10-16 18:12:01 UTC
Yes, just 9.0 and STABLE are affected. 
The following files/lines show the bug: 
	src/inc.c:              alertpanel_error_log(err_msg); 
	src/send_message.c:             alertpanel_error_log(err_msg); 
 
Please change it to: 
	alertpanel_error_log("%s", err_msg); 
 
Docu: Look at w3d.suse.de. mmj maintains a Packaging-HowTo. 
Just add the patch to your package, update the changes file (vc), cp the whole directory 
plus the putonftp file to /work/src/done/9.0/ or /work/src/done/STABLE/ respectively, ask 
suse-dist to build your package (you may want to use distmail for it). 
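As an added illustration, not code from the sylpheed tree: the vulnerable call shape named in comment 4 next to its "%s" fix, using a stand-in for alertpanel_error_log whose printf-style variadic signature is assumed, plus a small triage check that tells whether an untrusted string carries a printf conversion at all. The SMTP replies are constructed; the first mirrors the reproduction step in comment 1.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sylpheed's alertpanel_error_log(): assumed to be a
 * printf-style variadic function, which is what makes the bug possible. */
static char last_message[256];
__attribute__((format(printf, 1, 2)))
static void alertpanel_error_log_stub(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_message, sizeof last_message, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape from src/inc.c / src/send_message.c: the SMTP reply
 * itself is passed as the format string. Building with
 * -Wformat -Wformat-security makes gcc/clang flag this call. */
static const char *log_reply_vulnerable(const char *server_reply)
{
    alertpanel_error_log_stub(server_reply);   /* BUG: untrusted format */
    return last_message;
}
/* Fixed shape from comment 4: constant format, reply as an argument. */
static const char *log_reply_fixed(const char *server_reply)
{
    alertpanel_error_log_stub("%s", server_reply);
    return last_message;
}
/* Triage helper: does an untrusted string carry a printf conversion?
 * "%%" is a literal percent sign and does not count. */
static int has_format_directive(const char *s)
{
    for (; *s; s++)
        if (*s == '%' && *++s != '%') return 1;
    return 0;
}

int main(void)
{
    /* Constructed SMTP replies; the first follows the page's reproduction step. */
    const char *hostile = "535 failed %x%x%n\r\n";
    const char *benign  = "535 Authentication failed\r\n";
    printf("fixed:  %s", log_reply_fixed(hostile));      /* shown verbatim */
    printf("benign: %s", log_reply_vulnerable(benign));  /* safe only because no '%' */
    printf("hostile reply has directives: %d\n", has_format_directive(hostile));
    return 0;
}
```

The vulnerable path is only ever exercised here with a reply that contains no '%', since handing the hostile reply to it is undefined behaviour; the fixed path reproduces the reply verbatim regardless of content.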
Comment 5 Jens Oberender 2003-10-16 22:55:04 UTC
I built the package and copied it to the locations.
I added the putonftp only to the 9.0 one, with the option p as I don't think we
x as the bug isn't severe in my eyes.
Could someone please check and accept it.
Comment 6 Thomas Biege 2003-10-17 20:23:31 UTC
Please re-add the x-flag, it's absolutely needed. 
Comment 7 Jens Oberender 2003-10-17 20:47:44 UTC
OK, I put it again in /work/src/done/9.0/, now with the x-flag.
Comment 8 Thomas Biege 2003-10-20 16:48:51 UTC
package approved 
Comment 9 Roman Drahtmueller 2003-10-21 17:51:01 UTC
For the case that we mention it in sect 2 of some announcement: This is CVE name 
CAN-2003-0852.

R.
Comment 10 Thomas Biege 2009-10-13 19:40:18 UTC
CVE-2003-0852: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)