On Wed, 03 Feb 2010 18:12:45 +0100 Steffen Joeris <steffen.joe...@skolelinux.de> wrote:
> Package: libgmime-2.0-2a
> Severity: grave
> Tags: security patch
>
> Hi
>
> GMime upstream has released latest 2.4.15 [1] version of the
> library fixing one security issue. From 2.4.15-changes [2] file:
>
> 2010-01-31 Jeffrey Stedfast <f...@novell.com>
>
> * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to
> prevent possible buffer overflows.
>
> The vulnerable code seems to be in gmime/gmime-utils.h, I've attached
> upstream's patch for your convenience, but I did not have a deeper
> look at the buffer sizes, so it is unchecked.
>
> stable is also affected and would need to be fixed as well I guess.
> Please contact the security team (t...@security.debian.org), if you've
> checked the patch and have packages ready for lenny.

Upstream contacted me already and said that gmime2.2 is not affected,
only gmime2.4 is.

> Thanks in advance.

Thanks for having an eye on this!

>
> Cheers
> Steffen
>
>
> References:
>
> [1] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/
> [2] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes
> [3] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz
> [4] http://secunia.com/advisories/38459/

--
Regards,

Mirco 'meebey' Bauer

PGP-Key ID: 0xEEF946C8

FOSS Developer mee...@meebey.net http://www.meebey.net/
PEAR Developer mee...@php.net http://pear.php.net/
Debian Developer mee...@debian.org http://www.debian.org/