Hi Moritz,

On Mon, May 29, 2017 at 11:22:25PM +0200, Moritz Muehlenhoff wrote:
> On Tue, May 09, 2017 at 08:04:58AM +0200, Salvatore Bonaccorso wrote:
> > Source: libetpan
> > Version: 1.6-2
> > Severity: important
> > Tags: upstream patch security
> > Forwarded: https://github.com/dinhviethoa/libetpan/issues/274
> > 
> > Hi,
> > 
> > the following vulnerability was published for libetpan.
> > 
> > CVE-2017-8825[0]:
> > | A null dereference vulnerability has been found in the MIME handling
> > | component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A
> > | crash can occur in low-level/imf/mailimf.c during a failed parse of a
> > | Cc header containing multiple e-mail addresses.
> 
> What's the status, can you please upload a fix prior to the stretch
> release?

Well, sure, I've prepared one, attached debdiff.

Should I ping the release team for this or is it good enough for upload?

regards,
-- 
  Ricardo Mones 
  ~
  Never send a human to do a machine's job.               Agent Smith

diff -Nru libetpan-1.6/debian/changelog libetpan-1.6/debian/changelog
--- libetpan-1.6/debian/changelog	2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/changelog	2017-05-30 10:16:19.000000000 +0200
@@ -1,3 +1,12 @@
+libetpan (1.6-3) unstable; urgency=high
+
+  * patches/fix-CVE-2017-8825.diff, patches/series
+  - Add upstream patch to fix CVE-2017-8825 (Closes: #862151)
+  * control
+  - Homepage: point to library's own page
+
+ -- Ricardo Mones <mo...@debian.org>  Tue, 30 May 2017 10:16:19 +0200
+
 libetpan (1.6-2) unstable; urgency=medium
 
   * control
diff -Nru libetpan-1.6/debian/control libetpan-1.6/debian/control
--- libetpan-1.6/debian/control	2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/control	2017-05-30 10:16:19.000000000 +0200
@@ -1,7 +1,7 @@
 Source: libetpan
 Section: mail
 Priority: optional
-Homepage: http://libetpan.sourceforge.net/libetpan
+Homepage: http://www.etpan.org/libetpan.html
 Maintainer: Ricardo Mones <mo...@debian.org>
 Uploaders: Nikita V. Youshchenko <yo...@debian.org>
 Build-Depends: debhelper (>= 9), autotools-dev, libtool, libdb-dev,
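Review bot: the `Homepage:` change in this hunk is unrelated to the CVE-2017-8825 fix, and it rides along in an upload marked `urgency=high` that is meant to reach stretch before the release. Consider dropping it from this upload, or splitting it into a later one, so the debdiff contains only the security patch and its `series` entry. If it stays, it is worth checking whether the new URL is also reachable over https.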
diff -Nru libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff
--- libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff	1970-01-01 01:00:00.000000000 +0100
+++ libetpan-1.6/debian/patches/fix-CVE-2017-8825.diff	2017-05-30 10:16:19.000000000 +0200
@@ -0,0 +1,39 @@
+Description: A null dereference vulnerability has been found in the MIME
+ handling component of LibEtPan before 1.8, as used in MailCore and
+ MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed
+ parse of a Cc header containing multiple e-mail addresses.
+Author: Viet Hoa Dinh <d...@fb.com>
+Origin: upstream, https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d
+Bug-Debian: https://bugs.debian.org/862151
+Last-Update: 2017-05-30
+
+diff --git a/src/low-level/imf/mailimf.c b/src/low-level/imf/mailimf.c
+index 4554f1c..b557070 100644
+--- a/src/low-level/imf/mailimf.c
++++ b/src/low-level/imf/mailimf.c
+@@ -3083,6 +3083,7 @@ static int mailimf_group_parse(const char * message, size_t length,
+   struct mailimf_group * group;
+   int r;
+   int res;
++  clist * list;
+ 
+   cur_token = * indx;
+ 
+@@ -3110,6 +3111,17 @@ static int mailimf_group_parse(const char * message, size_t length,
+       res = r;
+       goto free_display_name;
+     }
++    list = clist_new();
++    if (list == NULL) {
++      res = MAILIMF_ERROR_MEMORY;
++      goto free_display_name;
++    }
++    mailbox_list = mailimf_mailbox_list_new(list);
++    if (mailbox_list == NULL) {
++      res = MAILIMF_ERROR_MEMORY;
++      clist_free(list);
++      goto free_display_name;
++    }
+     break;
+   default:
+     res = r;
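Review bot: in the second mailimf.c hunk, the empty `mailbox_list` created before `break;` is a new allocation on a path that previously left the pointer unset, and the hunk shows cleanup only for the local failure case (`clist_free(list)`). Please confirm against the full function that every error exit reached after this `break;` releases `mailbox_list`, so that the fix does not introduce a leak on malformed input. Two smaller points on the patch header: the `Description:` field repeats the CVE text about the vulnerability rather than saying what the patch changes (an empty mailbox list is allocated when the group's mailbox list fails to parse), and under DEP-3 its first line should be a short standalone synopsis rather than the start of a wrapped sentence. A test message with a group-syntax Cc header that has no valid mailboxes would also help verify the backport to 1.6.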
diff -Nru libetpan-1.6/debian/patches/series libetpan-1.6/debian/patches/series
--- libetpan-1.6/debian/patches/series	2016-10-12 23:35:06.000000000 +0200
+++ libetpan-1.6/debian/patches/series	2017-05-30 10:16:19.000000000 +0200
@@ -1 +1,2 @@
 11_use_openjade.diff
+fix-CVE-2017-8825.diff
