Hi, the attached patch fixes this issue. It will also be archived on: http://people.debian.org/~nion/nmu-diff/sympa-5.3.4-3_5.3.4-3.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u sympa-5.3.4/debian/changelog sympa-5.3.4/debian/changelog --- sympa-5.3.4/debian/changelog +++ sympa-5.3.4/debian/changelog @@ -1,3 +1,11 @@ +sympa (5.3.4-3.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix possible denial of service attack triggered + via a malformed email (CVE-2008-1648; Closes: #475163). + + -- Nico Golde <[EMAIL PROTECTED]> Fri, 11 Apr 2008 13:46:27 +0200 + sympa (5.3.4-3) unstable; urgency=low * LSB dependency info added to init script (Closes: #468746, only in patch2: unchanged: --- sympa-5.3.4.orig/src/PlainDigest.pm +++ sympa-5.3.4/src/PlainDigest.pm @@ -158,6 +158,11 @@ my $topent = shift; my $msgent = $topent->parts(0); my $wdecode = new MIME::WordDecoder::ISO_8859 (1); + + unless ($msgent) { + $outstring .= sprintf(gettext("----- Malformed message ignored -----\n\n")); + return undef; + } my $from = $msgent->head->get('From'); my $subject = $msgent->head->get('Subject');
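Review bot: in the new `unless ($msgent)` block in src/PlainDigest.pm, the result of gettext() is passed to sprintf as the format string with no arguments, so a translation of "----- Malformed message ignored -----" that contains a % character would be read as a conversion; appending the gettext(...) result to $outstring directly avoids that. `return undef;` also yields a one-element list when the sub is called in list context, which evaluates as true, so a bare `return;` is safer unless callers rely on the explicit undef. The guard only covers a missing parts(0), and the visible lines do not show how the caller treats the early return, so it is worth confirming that digest generation continues with the next message instead of stopping at the malformed one.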