Bugzilla – Bug 72801
VUL-0: CVE-2005-0667: "buffer overflow" in sylpheed
Last modified: 2021-11-10 14:46:28 UTC
The weakness was discovered in sylpheed version 1.0.2 or earlier.
# Fixed in sylpheed 1.0.3 (stable version). It is strongly recommended to upgrade to 1.0.3 or later. Please refer to the following URL: http://sylpheed.good-day.net/index.cgi.en
I think the same weakness exists; I checked sylpheed-claws-0.9.12-3.1.src.rpm (SUSE 9.2).
# I think that SUSE 9.1, SUSE 9.0, SUSE 8.2, and SUSE 8.1 are affected.
*** Bug 72803 has been marked as a duplicate of this bug. ***
Sorry, it's my fault. When I pressed the reload button in the web browser, it was submitted twice.
This weakness exists in the following files (sylpheed-claws-0.9.12-3.1.src.rpm):
# src/codeconv.c, src/codeconv.h, src/compose.c, src/procmime.c

$ cd /usr/src/packages/BUILD/sylpheed-claws-0.9.12/src
$ grep conv_unmime_header_overwrite *
codeconv.c:void conv_unmime_header_overwrite(gchar *str)
codeconv.h:void conv_unmime_header_overwrite (gchar *str);
compose.c: conv_unmime_header_overwrite(hentry[H_REPLY_TO].body);
compose.c: conv_unmime_header_overwrite(hentry[H_CC].body);
compose.c: conv_unmime_header_overwrite(hentry[H_BCC].body);
compose.c: conv_unmime_header_overwrite(hentry[H_NEWSGROUPS].body);
compose.c: conv_unmime_header_overwrite(hentry[H_FOLLOWUP_TO].body);
procmime.c: conv_unmime_header_overwrite(hentry[0].body);
procmime.c: conv_unmime_header_overwrite(hentry[2].body);
procmime.c: conv_unmime_header_overwrite(hentry[4].body);
procmime.c: conv_unmime_header_overwrite(hentry[0].body);
procmime.c: conv_unmime_header_overwrite(hentry[2].body);
procmime.c: conv_unmime_header_overwrite(hentry[4].body);

P.S. conv_unmime_header_overwrite() is not used in sylpheed-claws-1.0.3 (source code).
# fixed in sylpheed-claws-1.0.3
Jens please respond. This is a serious vulnerability. CAN-2005-0667
Mads I'll reassign to you, we need someone to take care of that package.
So, security-team. I'll do the update for 9.3, so we ship a fixed one. But you have to help me with the updates for older dists.
Ok, 1.0.3 is now in 9.3.
I'll make the patches.
Hendrik Norman Vogelsang will do the 8.2 -> 9.2 updates. At least there's no SLES updates.
> Do you have a testcase for me to trigger the bug?

Put the following string into the Reply-To: header of a message, and try to reply to it.

=?ISO-8859-1?B?5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5 +vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl?=

It only occurs with multi-byte locale encodings such as EUC-JP or UTF-8, so try with LANG=en_US.UTF-8 etc.
Created attachment 32650 [details]
sylpheed-claws-0.9.12-mimedecoding-sec.diff

Used this patch to test a 9.2 package as described above. sylpheed does not crash.
Uhm, messed up the testcase. Patch still does not fix the problem.
mail -R "=?ISO-8859-1?B?5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl?=" -s "test" <test account>
Created attachment 32677 [details]
sylpheed-claws-0.9.12-mimedecoding-sec.diff

This one looks better.
Talked with the author. There seem to be other bugs (he released 1.0.4), but the 9.2 patch fixed them already. I'll verify this today. My 9.2 patch seems to remove the last char.. will check this too. Can we update sylpheed to 1.0.4 on 9.3?
Created attachment 32741 [details]
sylpheed-claws-0.9.12-mimedecoding-sec.diff

This is the (stripped) official patch from the author. Differences:
- fix in procmime.c that seems useless (just copies one more byte)
- even copy a limited amount of chars into outp of unmime_header() if the complete amount of chars does not fit
- some patch code is just for newer versions (like smtp.c)

Open issue: verify procmime patches
Better use the author's patch... it takes more care about converted chars. :)
Testcase:
- send mail:
  echo "reply to me" | mail -R "=?ISO-8859-1?B?5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl 5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl?=" -s "test" <test account>
- open shell
- do "export LANG=en_US.UTF-8"
- start sylpheed in shell
- receive this mail
- click "reply"
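The testcases above all work the same way: a B-encoded (base64) ISO-8859-1 encoded-word is decoded and then converted to the locale charset, and in a multi-byte locale such as UTF-8 every Latin-1 byte above 0x7F becomes two bytes, so the converted header is longer than the encoded-word it came from and an in-place "overwrite" of the original string runs past its storage. The following C program is an added example written for this page, not sylpheed's code or any of the attached patches; it assumes only the =?ISO-8859-1?B?...?= form used in the testcase and rebuilds the Reply-To value by repeating "5vjl" 36 times (a constructed input, matching the string in comment #17 as closely as can be counted). It shows the size mismatch and a decoder that, like the author's "copy a limited amount of chars" fix, truncates at a character boundary instead of overflowing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode inlen bytes of base64 text into out (capacity outcap).
 * Returns bytes produced, or -1 on a bad character or when out is too small. */
static long b64_decode(const char *in, size_t inlen, unsigned char *out, size_t outcap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (in[i] == '=') break;                     /* padding ends the data */
        int v = b64_value((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Convert ISO-8859-1 bytes to UTF-8 into a bounded buffer. Writes at most
 * outcap-1 bytes plus a NUL, never splits a 2-byte sequence, and stops at
 * the first character that does not fit. *needed gets the full converted
 * size so the caller can tell that truncation happened. Returns bytes written. */
static size_t latin1_to_utf8_bounded(const unsigned char *in, size_t n,
                                     char *out, size_t outcap, size_t *needed)
{
    size_t w = 0, need = 0;
    int full = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = in[i] < 0x80 ? 1 : 2;           /* Latin-1 0x80..0xFF doubles */
        need += len;
        if (!full && outcap > 0 && w + len < outcap) {
            if (len == 1) {
                out[w++] = (char)in[i];
            } else {
                out[w++] = (char)(0xC0 | (in[i] >> 6));
                out[w++] = (char)(0x80 | (in[i] & 0x3F));
            }
        } else {
            full = 1;
        }
    }
    if (outcap > 0) out[w] = '\0';
    *needed = need;
    return w;
}

/* Decode one encoded-word of the form =?ISO-8859-1?B?...?= (the only charset
 * and encoding handled here; an assumption of this example) into out.
 * Returns bytes written, or -1 if the word is malformed or too long. */
static long decode_encoded_word(const char *word, char *out, size_t outcap, size_t *needed)
{
    static const char prefix[] = "=?ISO-8859-1?B?";
    size_t plen = sizeof prefix - 1;
    size_t wlen = strlen(word);
    if (wlen < plen + 2 || strncmp(word, prefix, plen) != 0 ||
        strcmp(word + wlen - 2, "?=") != 0)
        return -1;
    unsigned char raw[1024];                          /* decoded Latin-1 bytes */
    long rawlen = b64_decode(word + plen, wlen - plen - 2, raw, sizeof raw);
    if (rawlen < 0) return -1;
    return (long)latin1_to_utf8_bounded(raw, (size_t)rawlen, out, outcap, needed);
}

/* Build the Reply-To value from the bug's testcase: "5vjl" (base64 for the
 * Latin-1 bytes E6 F8 E5, i.e. "æøå") repeated reps times. Constructed input.
 * Returns the length written, or 0 if buf is too small. */
static size_t build_testcase(char *buf, size_t cap, int reps)
{
    static const char prefix[] = "=?ISO-8859-1?B?";
    size_t n = sizeof prefix - 1;
    if (reps < 0 || cap < n + 4 * (size_t)reps + 3) return 0;
    memcpy(buf, prefix, n);
    for (int i = 0; i < reps; i++) { memcpy(buf + n, "5vjl", 4); n += 4; }
    memcpy(buf + n, "?=", 3);
    return n + 2;
}

int main(void)
{
    char word[512], out[512];
    size_t wlen = build_testcase(word, sizeof word, 36);
    size_t needed = 0;
    /* An in-place overwrite only has the encoded word's own wlen bytes (+ NUL). */
    long w = decode_encoded_word(word, out, wlen + 1, &needed);
    printf("encoded word: %zu bytes, UTF-8 result needs %zu bytes, bounded decode wrote %ld\n",
           wlen, needed, w);
    if (needed > wlen)
        printf("overwriting the header in place would overflow by %zu bytes\n", needed - wlen);
    return 0;
}
```

With a single-byte locale the Latin-1 bytes stay 1 byte each and the decoded header (108 bytes) is shorter than the 161-byte encoded-word, which is why the crash only shows up under LANG=en_US.UTF-8 or EUC-JP as the reporter notes.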
Please have a look at <= 9.0. The hunk for src/procmime.c fails; it is handled differently there.
I will have a look tomorrow.
Created attachment 32961 [details]
sylpheed-claws-0.9.12-mimedecoding-sec2.diff

Merged diff for > 9.0.
Created attachment 32965 [details] sylpheed-0.9.4claws-mimedecoding-sec.diff untested
Created attachment 32969 [details] sylpheed-0.8.10claws-mimedecoding-sec.diff untested
Sorry, in 9.1 procmime.c is also totally different.
Created attachment 32979 [details] sylpheed-claws-0.9.10-mimedecoding-sec.diff untested
submitted
thx
SM-Tracker-813
swamp id canceled b/c of box-only package
sylpheed.patch.box sylpheed-claws.patch.box
note that box patchinfos need valid running swampids too. i have reinstated the old one.
We still need packages for SL9.3...
Erm, no. See comment #9. mmj, you did update 9.3, right?
only partially up to 1.0.3 ... more fixes were added after that...
Yes, I updated it to 1.0.3, but didn't add any subsequent things. It got in after RC1.
This is not even my package. I only did that update to help out--I don't want to get stuck with this shit now.
Reassigned to Hendrik.
The actual maintainer obviously doesn't care. If no one else wants to take sylpheed, we should drop it so we finally get rid of it in two years.
Hm, did anyone ask the maintainer? I don't see him included here...
Created attachment 33475 [details]
Patch for the missing hunks to unmime.{c,h}, codeconv.c
Checked in.
Updated packages released, thanks!
CVE-2005-0667: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)