Sylpheed 2.4.5-1 already contains the fix.
Sylpheed-claws will be removed from the gutsy archive (obsolete)
** Changed in: sylpheed (Ubuntu Gutsy)
Assignee: Cesare Tirabassi => (unassigned)
Status: In Progress => Invalid
--
Sylpheed POP3 Format String Vulnerability
https://bugs.launc
** Changed in: sylpheed-claws (Ubuntu Gutsy)
Status: Triaged => Invalid
** Changed in: sylpheed (Ubuntu Gutsy)
Assignee: (unassigned) => Cesare Tirabassi
Status: Invalid => In Progress
--
** Changed in: sylpheed-claws-gtk2 (Ubuntu Edgy)
Status: Confirmed => Fix Released
** Changed in: sylpheed-claws-gtk2 (Ubuntu Dapper)
Status: Confirmed => Fix Released
** Changed in: sylpheed (Ubuntu Edgy)
Status: Confirmed => Fix Released
** Changed in: sylpheed (Ubuntu Dap
sylpheed (2.3.1-1~ubuntu1.1) feisty-security; urgency=low
* SECURITY UPDATE: a format string error could lead to arbitrary
code execution.
* Add 'debian/patches/06SecurityFixSA26550.diff': add format string to
alertpanel_error() call. Patch from upstream CVS. (Fixes LP: #136302)
* Re
sylpheed-claws (1.0.5-5.1ubuntu0.1) feisty-security; urgency=low
* SECURITY UPDATE: a format string error could lead to arbitrary
code execution.
* Add 'debian/patches/14security_2.10.0cvs153.patch': add format string to
alertpanel_error_log() call. Patch from upstream CVS. (Fixes LP:
sylpheed-claws-gtk2 (2.6.0-1.1ubuntu1.1) feisty-security; urgency=low
* SECURITY UPDATE: a format string error could lead to arbitrary
code execution.
* Add 'debian/patches/13security_2.10.0cvs153.dpatch': add format string to
alertpanel_error_log() call. Patch from upstream CVS. (Fixe
claws-mail (2.10.0-3ubuntu3) gutsy; urgency=low
* Fix format string error that could lead to arbitrary
code execution (CVE-2007-2958):
- add debian/patches/12SecurityFixSA26550.patch (LP: #136302)
-- Cesare Tirabassi <[EMAIL PROTECTED]> Fri, 07 Sep 2007
00:20:47 +0200
** Changed in:
And finally the patch for Gutsy (not a security patch).
** Attachment added: "claws-mail_2.10.0-3ubuntu3 patch (GUTSY)"
http://launchpadlibrarian.net/9157197/claws-mail_2.10.0-3ubuntu3.patch
** Changed in: sylpheed (Ubuntu Gutsy)
Status: Confirmed => Invalid
** Changed in: sylpheed-cla
** Attachment added: "sylpheed_2.2.7-1ubuntu0.1 patch (EDGY)"
http://launchpadlibrarian.net/9156552/sylpheed_2.2.7-1ubuntu0.1.patch
--
** Attachment added: "sylpheed-claws-gtk2_2.6.0-1.1ubuntu1.1 patch (FEISTY)"
http://launchpadlibrarian.net/9156603/sylpheed-claws-gtk2_2.6.0-1.1ubuntu1.1.patch
** Changed in: sylpheed (Ubuntu)
Status: Triaged => Confirmed
** Changed in: sylpheed (Ubuntu Dapper)
Status: Triaged
** Attachment added: "sylpheed-claws-gtk2_2.5.0~rc3-1ubuntu0.1 patch (EDGY)"
http://launchpadlibrarian.net/9156602/sylpheed-claws-gtk2_2.5.0%7Erc3-1ubuntu0.1.patch
--
** Attachment added: "sylpheed-claws-gtk2_2.1.1-1ubuntu1.1 patch (DAPPER)"
http://launchpadlibrarian.net/9156591/sylpheed-claws-gtk2_2.1.1-1ubuntu1.1.patch
--
** Attachment added: "sylpheed-claws_1.0.5-5.1ubuntu0.1 patch (FEISTY)"
http://launchpadlibrarian.net/9156586/sylpheed-claws_1.0.5-5.1ubuntu0.1.patch
--
** Changed in: claws-mail (Ubuntu)
Status: Invalid => Confirmed
--
Sylpheed POP3 Format String Vulnerability
https://bugs.launchpad.net/bugs/136302
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.
--
ubuntu-bugs mailing list
** Attachment added: "sylpheed_2.2.4-1ubuntu1.1 patch (DAPPER)"
http://launchpadlibrarian.net/9156549/sylpheed_2.2.4-1ubuntu1.1.patch
--
** Attachment added: "sylpheed-claws_1.0.5-2ubuntu0.1 patch (DAPPER)"
http://launchpadlibrarian.net/9156566/sylpheed-claws_1.0.5-2ubuntu0.1.patch
--
** Attachment added: "sylpheed_2.3.1-1ubuntu0.1 patch (FEISTY)"
http://launchpadlibrarian.net/9156557/sylpheed_2.3.1-1ubuntu0.1.patch
--
** Attachment added: "sylpheed-claws_1.0.5-4ubuntu0.1 patch (EDGY)"
http://launchpadlibrarian.net/9156568/sylpheed-claws_1.0.5-4ubuntu0.1.patch
--
Attached here below are the 9 patches; they include the CVE reference
and a version number in conformity to the SUP.
Patches for sylpheed-claws and sylpheed-claws-gtk2 change:
alertpanel_error_log(err_msg);
to
alertpanel_error_log("%s", err_msg);
Patches for sylpheed change:
alertpanel_error
Regarding claws-mail: it is affected but exists only in gutsy. Debian
already has 3.0.0-1 packaged which includes the fix for this bug.
--
thank you I'll work through them tomorrow it's pretty late now... just
one last question I gave [1] a short look now and there are many
different patching terms introduced. Which one you want?
--
Sure, though it requires a good bit of study, especially managing the
in-package patching system. (See "Patching Ubuntu packages"[1] as well
as all of "Packaging"[2] in https://wiki.ubuntu.com/UbuntuDevelopment )
I will add links from the SUP page -- good idea!
[1] https://wiki.ubuntu.com/MOTU/Sc
could you please point me to any tutorial, paper or something like that
how I can make a patch which will be taken by you?
https://wiki.ubuntu.com/SecurityUpdateProcedures gives no information
about that... It says what information needs to be contained but not any
word in which way they should be ga
After discussing on IRC, Cesare is going to respin the patches to
include the CVE reference, and to adjust the version numbers to follow
the SUP (step 4 of https://wiki.ubuntu.com/SecurityUpdateProcedures).
Once those are ready, I'll get them all published.
** Changed in: claws-mail (Ubuntu Dapper
Confirmed, sylpheed has this code too.
** Changed in: sylpheed (Ubuntu)
Status: Incomplete => Triaged
** Changed in: sylpheed-claws (Ubuntu)
Status: Confirmed => In Progress
** Changed in: sylpheed-claws-gtk2 (Ubuntu)
Status: Confirmed => In Progress
--
Again take a look at the difference between 2.4.4 and 2.4.5 which was
just a security fix. The Secunia advisory tells the bug is in inc.c and
if you compare the versions 2.4.4 and 2.4.5 you see:
$diff sylpheed-2.4.4/src/inc.c sylpheed-2.4.5/src/inc.c
1367c1367
< alertpanel_error(err_msg);
---
> al
There is no mention in your references about the code change. The only
valid reference is the one given in comment #10 above, which concerns
the function:
alertpanel_error_log
which is used in sylpheed-claws and sylpheed-claws-gtk2
not the function:
alertpanel_error
which is used in sylpheed.
Sorry, the above sentence should read: "I cannot proceed".
Of course you or somebody else can still propose the change.
--
NOTE:
The above patches:
sylpheed-claws 1.0.5-2ubuntu1 patch (DAPPER)
sylpheed-claws_1.0.5-4build2 patch (EDGY)
sylpheed-claws_1.0.5-5.1ubuntu1 patch (FEISTY)
sylpheed-claws-gtk2_2.1.1-1ubuntu2 patch (DAPPER)
sylpheed-claws-gtk2_2.5.0~rc3-1ubuntu1 patch (EDGY)
sylpheed-claws-gtk2_2.6.0-1.1ubuntu2
Patch to fix sylpheed-claws-gtk2 for FEISTY
** Attachment added: "sylpheed-claws-gtk2_2.6.0-1.1ubuntu2 patch (FEISTY)"
http://launchpadlibrarian.net/9152446/sylpheed-claws-gtk2_2.6.0-1.1ubuntu2.patch
--
Patch to fix sylpheed-claws-gtk2 for EDGY
** Attachment added: "sylpheed-claws-gtk2_2.5.0~rc3-1ubuntu1 patch (EDGY)"
http://launchpadlibrarian.net/9152408/sylpheed-claws-gtk2_2.5.0%7Erc3-1ubuntu1.patch
--
(updated, please disregard previous)
Patch to fix sylpheed-claws-gtk2 for DAPPER
** Attachment added: "sylpheed-claws-gtk2_2.1.1-1ubuntu2 patch (DAPPER)"
http://launchpadlibrarian.net/9152388/sylpheed-claws-gtk2_2.1.1-1ubuntu2.patch
--
Yes I have many references :D
first reference: my knowledge about formatstring vulns in general. Putting an
unsanitized string into a formatting function can be triggered to execute
arbitrary code or reveal memory information which subverts Ubuntu's VA. Here you
can read a good tutorial about it:
Patch to fix sylpheed-claws-gtk2 for DAPPER
** Attachment added: "sylpheed-claws-gtk2_2.1.1-1ubuntu2 patch (DAPPER)"
http://launchpadlibrarian.net/9152317/sylpheed-claws-gtk2_2.1.1-1ubuntu2.patch
--
In sylpheed the function is: alertpanel_error(err_msg);
Do you have a reference that this constitutes a security vulnerability too?
Without reference this cannot be fixed.
--
** Changed in: sylpheed-claws-gtk2 (Ubuntu)
Assignee: (unassigned) => Cesare Tirabassi
Status: Triaged => In Progress
--
Sylpheed is affected by this vulnerability!! To 100%!! The error is in
inc.c line 1252, just take a look at it.
** Changed in: sylpheed (Ubuntu)
Status: Invalid => Confirmed
--
Sylpheed is not affected by this vulnerability
** Changed in: sylpheed (Ubuntu)
Status: Triaged => Invalid
--
There is no claws-mail for dapper/edgy/feisty
** Changed in: claws-mail (Ubuntu)
Status: Triaged => Invalid
--
Hi Cesare Tirabassi,
could you tell me how you did these *.patch files for claws-mail then I will do
the patch for sylpheed?
--
Patch to fix sylpheed-claws for FEISTY
** Attachment added: "sylpheed-claws_1.0.5-5.1ubuntu1 patch (FEISTY)"
http://launchpadlibrarian.net/9149175/sylpheed-claws_1.0.5-5.1ubuntu1.patch
** Changed in: sylpheed-claws (Ubuntu)
Assignee: Cesare Tirabassi => (unassigned)
Status: In Prog
Patch to fix sylpheed-claws for EDGY
** Attachment added: "sylpheed-claws_1.0.5-4build2 patch (EDGY)"
http://launchpadlibrarian.net/9148652/sylpheed-claws_1.0.5-4build2.patch
--
Patch to fix sylpheed-claws for DAPPER
** Attachment added: "sylpheed-claws 1.0.5-2ubuntu1 patch (DAPPER)"
http://launchpadlibrarian.net/9148621/sylpheed-claws_1.0.5-2ubuntu1.patch
--
** Changed in: sylpheed-claws (Ubuntu)
Assignee: (unassigned) => Cesare Tirabassi
Status: Triaged => In Progress
--
yamal was right the bugfix is really simple just this patch file is such
big^^ sorry for that but I never had to do with these patch files..
I could track it down in a few minutes. I downloaded the sources of
2.4.4 and 2.4.5 and compared the inc.c where the formatstring is
buried:
$diff sylphee
Looking at claws-mail cvs, the actual fix for just the vulnerability
appears very small (1 line only); see
http://www.claws-mail.org/cvstrak-gtk2.php?section=projects
and more specifically
http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153
Unfortunately, I myself really don't hav
If other distros have patched it, they likely have found a minimal
patch to do it. If someone is willing to extract that patch, and
prepare the debdiffs, I'll be happy to sponsor the uploads. I don't
currently have the time to track them down and test them myself,
unfortunately.
--
So what to do now? Who will patch this version for Ubuntu? Other distros
have already patched this vuln days ago:
http://www.linuxsecurity.com/content/view/129095/102/
--
On Wed, Sep 05, 2007 at 06:16:09PM -, Adna rim wrote:
> I don't understand why you make it that complicated and hard to fix a
> security vuln?
The goal is to make sure we don't have any regressions. A stable
release is just that -- a stable release. The people to really look to
are the upstr
I don't understand why you make it that complicated and hard to fix a
security vuln?
I installed the updated-version now from the sources and it worked
without any problems..
--
On Wed, Sep 05, 2007 at 05:03:25PM -, Adna rim wrote:
> So what alternative we have here? Letting a version in the repos which
> you are totally aware that it is vulnerable and may lead to arbitrary
> code execution or spending 5min just to take the updated version of
> 2.4.5.
Agreed; it is a l
Sounds pretty laborious if you are aware that the patch file for this
bug (from 2.4.4 to 2.4.5) has around 13000 lines of code that you're
having to look through to make this bugfix. Of course just if there was
no other change within 2.3.1 in the repos to 2.4.* what makes applying
this patch totall
Since we only do minimal changes for stable releases, one would have to
find and extract only the changes needed to fix the problem, and then
build patched versions of the sylpheed packages, with only those
minimal changes.
--
Hi,
I could help you with this but dunno exactly what you want? Should I download
the latest stable of sylpheed and make a Feisty deb-packet for it? As said
there's no patch for this vuln but just an updated version of it.
greets
--
Thanks for taking the time to report this bug and helping to make Ubuntu
better. If someone can prepare (and test) the fixes and attach debdiffs
that follow the [https://wiki.ubuntu.com/SecurityUpdateProcedures], I'd
be more than happy to get them uploaded.
** Changed in: claws-mail (Ubuntu)
I
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2958
--
** Also affects: claws-mail (Ubuntu)
Importance: Undecided
Status: New
** Also affects: sylpheed-claws-gtk2 (Ubuntu)
Importance: Undecided
Status: New
** Also affects: sylpheed-claws (Ubuntu)
Importance: Undecided
Status: New
--