Bug 960566 - (CVE-2015-8708) VUL-0: CVE-2015-8708: claws-mail: Stack overflow in conv_euctojis()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Atri Bhattacharya
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/160224/
Depends on:
Blocks: CVE-2015-8614
Reported: 2016-01-04 11:38 UTC by Johannes Segitz
Modified: 2016-02-28 19:08 UTC
Found By: Security Response Team
Description Johannes Segitz 2016-01-04 11:38:21 UTC
rh#1295353

A stack-based buffer overflow has been found in conv_euctojis() after applying the incomplete patch for CVE-2015-8614. In conv_euctojis() the comparison is with outlen - 3, but each pass through the loop uses up to 5 bytes and the rest of the function may add another 4 bytes. The comparison should presumably be '<= outlen - 9' or equivalently '< outlen - 8'.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1295353
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8708
http://seclists.org/oss-sec/2015/q4/612
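The byte budget in the description, as an added worked example. This is a small C model written for this page, not claws-mail's conv_euctojis(): the converter shape (ASCII plus 2-byte EUC characters, 3-byte JIS escape sequences), the `margin` parameter, the sample input and the function names are all assumptions chosen only to reproduce the counts stated above (at most 5 bytes per loop pass, at most 4 bytes after the loop). Output goes to an oversized scratch buffer so the overflow is counted rather than committed.

```c
#include <stddef.h>
#include <stdio.h>

#define ESC   0x1b
#define GUARD 16   /* slack on the scratch buffer so the demo itself never writes out of bounds */

/*
 * Model of the loop in the report, NOT claws-mail's conv_euctojis().
 * One pass writes at most 5 bytes (ESC $ B to enter kanji mode, then a
 * 2-byte character); after the loop at most 4 more follow (ESC ( B back to
 * ASCII, then the NUL). The loop test reserves `margin` bytes: it runs while
 * written < outlen - margin. The vulnerable comparison is margin == 3; the
 * proposed fix is margin == 8. `scratch` must hold outlen + GUARD bytes.
 * Returns bytes written, NUL included, for comparison with outlen.
 * Assumes margin < outlen.
 */
static size_t euctojis_model(char *scratch, size_t outlen, size_t margin,
                             const unsigned char *in, size_t inlen)
{
    const unsigned char *ip = in, *end = in + inlen;
    char *out = scratch;
    int kanji = 0;

    while (ip < end && (size_t)(out - scratch) < outlen - margin) {
        if (*ip >= 0x80 && ip + 1 < end && ip[1] >= 0x80) {
            if (!kanji) {                         /* ESC $ B: 3 bytes */
                *out++ = ESC; *out++ = '$'; *out++ = 'B';
                kanji = 1;
            }
            *out++ = (char)(*ip++ & 0x7f);        /* 2-byte character, high bits stripped */
            *out++ = (char)(*ip++ & 0x7f);
        } else {
            if (kanji) {                          /* ESC ( B: 3 bytes */
                *out++ = ESC; *out++ = '('; *out++ = 'B';
                kanji = 0;
            }
            *out++ = (char)*ip++;                 /* 1 ASCII byte */
        }
    }
    /* "The rest of the function": up to 3 + 1 bytes with no further check. */
    if (kanji) { *out++ = ESC; *out++ = '('; *out++ = 'B'; }
    *out++ = '\0';
    return (size_t)(out - scratch);
}

/* Constructed sample input (not from the report): ASCII, a 2-byte EUC
 * character, ASCII, ASCII, another 2-byte character. With outlen 16 the
 * count stands at exactly 12 when the final 5-byte pass is admitted. */
static const unsigned char sample_in[] = { 'a', 'a', 0xB0, 0xA2, 'a', 'a', 0xB0, 0xA2 };

/* Bytes the model writes for sample_in into a buffer of `outlen` bytes. */
size_t sample_bytes_written(size_t outlen, size_t margin)
{
    char scratch[64];
    if (margin >= outlen || outlen + GUARD > sizeof scratch) return 0;
    return euctojis_model(scratch, outlen, margin, sample_in, sizeof sample_in);
}

/* Exhaustive check for one margin: every mix of 8 ASCII/2-byte tokens against
 * every outlen up to 32. Returns 1 if no run ever exceeds outlen. */
int margin_never_overflows(size_t margin)
{
    unsigned char in[16];
    char scratch[64];
    for (size_t outlen = margin + 1; outlen <= 32; outlen++) {
        for (unsigned mask = 0; mask < 256u; mask++) {
            size_t n = 0;
            for (unsigned i = 0; i < 8; i++) {
                if (mask & (1u << i)) { in[n++] = 0xB0; in[n++] = 0xA2; }
                else                   in[n++] = 'a';
            }
            if (euctojis_model(scratch, outlen, margin, in, n) > outlen)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("outlen 16, '< outlen - 3': %zu bytes written\n", sample_bytes_written(16, 3));
    printf("outlen 16, '< outlen - 8': %zu bytes written\n", sample_bytes_written(16, 8));
    printf("margin 3 safe for all inputs: %d\n", margin_never_overflows(3));
    printf("margin 7 safe for all inputs: %d\n", margin_never_overflows(7));
    printf("margin 8 safe for all inputs: %d\n", margin_never_overflows(8));
    return 0;
}
```

With the vulnerable bound the sample overruns a 16-byte buffer by 5 bytes (the last admitted pass writes 5, then the trailer writes 4); with `< outlen - 8` the loop stops earlier and the result fits, at the cost of truncating the input, which is the intended behaviour. The exhaustive check also shows the bound is tight: a margin of 7 still admits a run that ends one byte past the buffer, so 8 is the smallest margin that is safe for this byte budget.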
Comment 1 Andreas Stieger 2016-01-04 11:59:36 UTC
Atri, you submitted the fix for bug 959993. Upstream says their fix was incomplete. Do you want to handle the follow-up update?
Comment 2 Dominique Leuenberger 2016-01-04 12:09:13 UTC
http://www.openwall.com/lists/oss-security/2015/12/31/1 has some good info.

There are actually two errors introduced by the last CVE fix attempt.

The regression has already been fixed in git
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222

Seems the actual buffer overflow issue is not yet fixed in git
Comment 3 Atri Bhattacharya 2016-01-04 12:49:21 UTC
Yes, I will take this up. But, is this something one should wait on until upstream gets the fix or should I just patch it on my own?
Comment 4 Andreas Stieger 2016-01-04 13:07:14 UTC
Waiting for / working together with upstream for them to fix both the regression and the incomplete security fix is recommended. E.g. when they all have fixes in git and it is foreseeable that this will be the upstream fix.
Comment 5 Swamp Workflow Management 2016-01-04 23:00:30 UTC
bugbot adjusting priority
Comment 6 Atri Bhattacharya 2016-01-27 23:11:35 UTC
Dominique,
Could you please look and let me know if this is the final piece we need for this issue to be fixed?
http://git.claws-mail.org/?p=claws.git;a=commit;h=8b2aff884d97dcfe5cc70478fecc7c87ce023c95
Comment 7 Atri Bhattacharya 2016-02-03 15:21:57 UTC
This should finally do it, hopefully:
https://build.opensuse.org/request/show/357573

I would very much appreciate it if someone reviewed the patch carefully because I had to make some changes in there (e.g., guchar * -> gchar *) compared to what upstream has to get the thing compiling again. Builds were failing with the plain rebased upstream patch with errors like:
invalid inputs passed to binary operator - (guchar * and gchar *)
Comment 8 Atri Bhattacharya 2016-02-28 19:08:15 UTC
This seems to have made it to Update, e.g.
https://build.opensuse.org/package/show/openSUSE:Leap:42.1:Update/claws-mail.4646