libetpan: CVE-2017-8825

Related Vulnerabilities: CVE-2017-8825  

Debian Bug report logs - #862151

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 9 May 2017 06:09:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version libetpan/1.6-2

Fixed in version libetpan/1.6-3

Done: Ricardo Mones <mones@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/dinhviethoa/libetpan/issues/274



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ricardo Mones <mones@debian.org>:
Bug#862151; Package src:libetpan. (Tue, 09 May 2017 06:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ricardo Mones <mones@debian.org>. (Tue, 09 May 2017 06:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libetpan: CVE-2017-8825
Date: Tue, 09 May 2017 08:04:58 +0200
Source: libetpan
Version: 1.6-2
Severity: important
Tags: upstream patch security
Forwarded: https://github.com/dinhviethoa/libetpan/issues/274

Hi,

the following vulnerability was published for libetpan.

CVE-2017-8825[0]:
| A null dereference vulnerability has been found in the MIME handling
| component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A
| crash can occur in low-level/imf/mailimf.c during a failed parse of a
| Cc header containing multiple e-mail addresses.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8825
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8825
[1] https://github.com/dinhviethoa/libetpan/issues/274
[2] https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#862151; Package src:libetpan. (Mon, 29 May 2017 21:27:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. (Mon, 29 May 2017 21:27:03 GMT)


Message #10 received at 862151@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 862151@bugs.debian.org, mones@debian.org
Subject: Re: libetpan: CVE-2017-8825
Date: Mon, 29 May 2017 23:22:25 +0200

On Tue, May 09, 2017 at 08:04:58AM +0200, Salvatore Bonaccorso wrote:
> Source: libetpan
> Version: 1.6-2
> Severity: important
> Tags: upstream patch security
> Forwarded: https://github.com/dinhviethoa/libetpan/issues/274
> 
> Hi,
> 
> the following vulnerability was published for libetpan.
> 
> CVE-2017-8825[0]:
> | A null dereference vulnerability has been found in the MIME handling
> | component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A
> | crash can occur in low-level/imf/mailimf.c during a failed parse of a
> | Cc header containing multiple e-mail addresses.

What's the status, can you please upload a fix prior to the stretch
release?

Cheers,
        Moritz


> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-8825
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8825
> [1] https://github.com/dinhviethoa/libetpan/issues/274
> [2] https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#862151; Package src:libetpan. (Tue, 30 May 2017 08:45:07 GMT)


Acknowledgement sent to Ricardo Mones <mones@debian.org>:
Extra info received and forwarded to list. (Tue, 30 May 2017 08:45:07 GMT)


Message #15 received at 862151@bugs.debian.org:

From: Ricardo Mones <mones@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 862151@bugs.debian.org
Subject: Re: Bug#862151: libetpan: CVE-2017-8825
Date: Tue, 30 May 2017 10:24:58 +0200

Hi Moritz,

On Mon, May 29, 2017 at 11:22:25PM +0200, Moritz Muehlenhoff wrote:
> On Tue, May 09, 2017 at 08:04:58AM +0200, Salvatore Bonaccorso wrote:
> > Source: libetpan
> > Version: 1.6-2
> > Severity: important
> > Tags: upstream patch security
> > Forwarded: https://github.com/dinhviethoa/libetpan/issues/274
> > 
> > Hi,
> > 
> > the following vulnerability was published for libetpan.
> > 
> > CVE-2017-8825[0]:
> > | A null dereference vulnerability has been found in the MIME handling
> > | component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A
> > | crash can occur in low-level/imf/mailimf.c during a failed parse of a
> > | Cc header containing multiple e-mail addresses.
> 
> What's the status, can you please upload a fix prior to the stretch
> release?

Well, sure, I've prepared one, attached debdiff.

Should I ping the release team for this or is it good enough for upload?

regards,
-- 
  Ricardo Mones 
  ~
  Never send a human to do a machine's job.               Agent Smith

[debdiff-dsc-to-1.6-2.diff (text/x-diff, attachment)]

Added blocking bug(s) of 862151: 863714. Request was from Ricardo Mones <mones@debian.org> to control@bugs.debian.org. (Tue, 30 May 2017 10:15:03 GMT)


Reply sent to Ricardo Mones <mones@debian.org>:
You have taken responsibility. (Tue, 30 May 2017 23:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 30 May 2017 23:21:03 GMT)


Message #22 received at 862151-close@bugs.debian.org:

From: Ricardo Mones <mones@debian.org>
To: 862151-close@bugs.debian.org
Subject: Bug#862151: fixed in libetpan 1.6-3
Date: Tue, 30 May 2017 23:18:52 +0000
Source: libetpan
Source-Version: 1.6-3

We believe that the bug you reported is fixed in the latest version of
libetpan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862151@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ricardo Mones <mones@debian.org> (supplier of updated libetpan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 30 May 2017 10:16:19 +0200
Source: libetpan
Binary: libetpan17 libetpan-dev libetpan-doc libetpan-dbg
Architecture: source amd64 all
Version: 1.6-3
Distribution: unstable
Urgency: high
Maintainer: Ricardo Mones <mones@debian.org>
Changed-By: Ricardo Mones <mones@debian.org>
Description:
 libetpan-dbg - debugging symbols for libetpan
 libetpan-dev - mail handling library - development files
 libetpan-doc - mail handling library - API documentation
 libetpan17 - mail handling library
Closes: 862151
Changes:
 libetpan (1.6-3) unstable; urgency=high
 .
   * patches/fix-CVE-2017-8825.diff, patches/series
   - Add upstream patch to fix CVE-2017-8825 (Closes: #862151)
   * control
   - Homepage: point to library's own page




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 30 Jun 2017 07:26:56 GMT)