Bug 960566 - (CVE-2015-8708) VUL-0: CVE-2015-8708: claws-mail: Stack overflow in conv_euctojis()
VUL-0: CVE-2015-8708: claws-mail: Stack overflow in conv_euctojis()
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Other openSUSE 42.1
: P3 - Medium : Normal
: ---
Assigned To: Atri Bhattacharya
Security Team bot
Depends on:
Blocks: CVE-2015-8614
Reported: 2016-01-04 11:38 UTC by Johannes Segitz
Modified: 2016-02-28 19:08 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2016-01-04 11:38:21 UTC

A stack-based buffer overflow has been found in conv_euctojis() after applying the incomplete patch for CVE-2015-8614. In conv_euctojis() the comparison is with outlen - 3, but each pass through the loop uses up to 5 bytes and the rest of the function may add another 4 bytes. The comparison should presumably be '<= outlen - 9' or equivalently '< outlen - 8'.

Comment 1 Andreas Stieger 2016-01-04 11:59:36 UTC
Atri, you submitted the fix for bug 959993. Upstream says their fix was incomplete. Do you want to handle the follow-up update?
Comment 2 Dominique Leuenberger 2016-01-04 12:09:13 UTC
http://www.openwall.com/lists/oss-security/2015/12/31/1 has some good info.

There are actually two errors introduced by the last CVE fix attempt.

The regression has already been fixed in git

Seems the actual buffer overflow issue is not yet fixed in git
Comment 3 Atri Bhattacharya 2016-01-04 12:49:21 UTC
Yes, I will take this up. But, is this something one should wait on until upstream gets the fix or should I just patch it on my own?
Comment 4 Andreas Stieger 2016-01-04 13:07:14 UTC
Waiting for / working together with upstream for them to fix both the regression and the incomplete security fix is recommended. E.g. when they all have fixes in git and it is foreseeable that this will be the upstream fix.
Comment 5 Swamp Workflow Management 2016-01-04 23:00:30 UTC
bugbot adjusting priority
Comment 6 Atri Bhattacharya 2016-01-27 23:11:35 UTC
Could you please look and let me know if this is the final piece we need for this issue to be fixed?
Comment 7 Atri Bhattacharya 2016-02-03 15:21:57 UTC
This should do it finally hopefully:

I would very much appreciate if someone reviewed the patch carefully because I had to make some changes in there (e.g., guchar * -> gchar *) compared to what upstream has to get the thing compiling again. Builds were failing with the plain rebased upstream patch with errors like:
invalid inputs passed to binary operator - (guchar * and gchar *)
Comment 8 Atri Bhattacharya 2016-02-28 19:08:15 UTC
This seems to have made it to Update, e.g.