Bugzilla – Bug 960566
VUL-0: CVE-2015-8708: claws-mail: Stack overflow in conv_euctojis()
Last modified: 2016-02-28 19:08:15 UTC
rh#1295353 A stack-based buffer overflow has been found in conv_euctojis() after applying an incomplete patch for CVE-2015-8614. In conv_euctojis() the comparison is with outlen - 3, but each pass through the loop uses up to 5 bytes and the rest of the function may add another 4 bytes. The comparison should presumably be '<= outlen - 9' or equivalently '< outlen - 8'.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1295353
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8708
http://seclists.org/oss-sec/2015/q4/612
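The arithmetic in the description is easier to check on a model than in the real converter. The C below is an added example, not claws-mail's conv_euctojis(): a minimal EUC-JP to ISO-2022-JP style encoder whose worst cases match the description (a 3-byte escape plus a 2-byte character per pass, and a 3-byte escape plus NUL after the loop), with the loop-guard constant exposed as a `margin` parameter. The input bytes, the function names and the 64-byte scan range are constructed for the demonstration; the encoder writes into a caller-supplied scratch buffer that is larger than `outlen`, so the simulation reports how far past `outlen` a given guard lets it write without itself corrupting memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Worst-case output sizes of the model converter (hypothetical constants
 * chosen to match the bug description, not taken from claws-mail). */
#define ESC      0x1b
#define PASS_MAX 5   /* 3-byte escape to kanji + 2-byte character */
#define TAIL_MAX 4   /* 3-byte escape back to ASCII + terminating NUL */

/* Model of a converter loop whose guard reads 'written < outlen - margin'.
 * Bytes >= 0xa1 are treated as the first byte of a 2-byte EUC character;
 * everything else is passed through as ASCII. The tail (escape back to
 * ASCII if needed, then NUL) is written unconditionally after the loop,
 * which is exactly why the guard must reserve room for it.
 * Returns the total number of bytes written; 'out' must have at least
 * outlen + PASS_MAX + TAIL_MAX bytes so the model stays memory-safe. */
size_t euc_to_jis_model(const unsigned char *in, size_t inlen,
                        unsigned char *out, size_t outlen, size_t margin)
{
    size_t i = 0, w = 0;
    size_t room = outlen > margin ? outlen - margin : 0;
    int kanji = 0;

    while (i < inlen && w < room) {            /* the guard under discussion */
        unsigned char c = in[i];
        if (c >= 0xa1 && c <= 0xfe && i + 1 < inlen) {
            if (!kanji) {                      /* switch to 2-byte mode */
                out[w++] = ESC; out[w++] = '$'; out[w++] = 'B';
                kanji = 1;
            }
            out[w++] = c & 0x7f;               /* strip the high bits */
            out[w++] = in[i + 1] & 0x7f;
            i += 2;
        } else {
            if (kanji) {                       /* switch back to ASCII */
                out[w++] = ESC; out[w++] = '('; out[w++] = 'B';
                kanji = 0;
            }
            out[w++] = c;
            i++;
        }
    }
    if (kanji) { out[w++] = ESC; out[w++] = '('; out[w++] = 'B'; }
    out[w++] = '\0';
    return w;
}

/* Largest number of bytes written past outlen, for a constructed input that
 * alternates kanji and ASCII (so every pass pays for a mode switch), over
 * output sizes margin+1 .. 64. Zero means the guard is sufficient. */
size_t worst_overrun(size_t margin)
{
    /* constructed input: 2-byte kanji, ASCII, 2-byte kanji, ASCII, ... */
    static const unsigned char in[] = {
        0xa4, 0xa2, 'a', 0xa4, 0xa4, 'b', 0xa4, 0xa6, 'c',
        0xa4, 0xa8, 'd', 0xa4, 0xaa, 'e'
    };
    unsigned char scratch[128];   /* comfortably above 64 + PASS_MAX + TAIL_MAX */
    size_t outlen, worst = 0;

    for (outlen = margin + 1; outlen <= 64; outlen++) {
        size_t w = euc_to_jis_model(in, sizeof in, scratch, outlen, margin);
        if (w > outlen && w - outlen > worst)
            worst = w - outlen;
    }
    return worst;
}

int main(void)
{
    /* margin 3 is the guard the description calls out; 8 is the proposed
     * '< outlen - 8' (equivalently '<= outlen - 9'). */
    printf("margin 3: worst overrun %zu bytes\n", worst_overrun(3));
    printf("margin 8: worst overrun %zu bytes\n", worst_overrun(8));
    return 0;
}
```

With `margin` set to 3 the loop can be entered with only 4 bytes left, write 5, and then the unconditional tail adds 4 more, so the model overruns by up to 5 bytes; with `margin` set to 8 the loop is entered with at least 9 bytes left and the 5 + 4 worst case lands exactly on `outlen`, never beyond it, which is the margin the description derives.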
Atri, you submitted the fix for bug 959993. Upstream says their fix was incomplete. Do you want to handle the follow-up update?
http://www.openwall.com/lists/oss-security/2015/12/31/1 has some good info. There are actually two errors introduced by the last CVE fix attempt. The regression has already been fixed in git: http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222
Seems the actual buffer overflow issue is not yet fixed in git.
Yes, I will take this up. But, is this something one should wait on until upstream gets the fix or should I just patch it on my own?
Waiting for / working together with upstream for them to fix both the regression and the incomplete security fix is recommended. E.g. when they all have fixes in git and it is foreseeable that this will be the upstream fix.
bugbot adjusting priority
Dominique, could you please look and let me know if this is the final piece we need for this issue to be fixed? http://git.claws-mail.org/?p=claws.git;a=commit;h=8b2aff884d97dcfe5cc70478fecc7c87ce023c95
This should do it finally, hopefully: https://build.opensuse.org/request/show/357573
I would very much appreciate it if someone reviewed the patch carefully, because I had to make some changes in there (e.g., guchar * -> gchar *) compared to what upstream has to get the thing compiling again. Builds were failing with the plain rebased upstream patch with errors like:
invalid inputs passed to binary operator - (guchar * and gchar *)
This seems to have made it to Update, e.g. https://build.opensuse.org/package/show/openSUSE:Leap:42.1:Update/claws-mail.4646