claws-mail: CVE-2015-8708: Incomplete fix for CVE-2015-8614

Related Vulnerabilities: CVE-2015-8708   CVE-2015-8614  

Debian Bug report logs - #811048

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 Jan 2016 07:33:10 UTC

Severity: important

Tags: patch, security, upstream

Found in version claws-mail/3.13.1-1

Fixed in version claws-mail/3.13.1-1.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ricardo Mones <mones@debian.org>:
Bug#811048; Package src:claws-mail. (Fri, 15 Jan 2016 07:33:14 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ricardo Mones <mones@debian.org>. (Fri, 15 Jan 2016 07:33:14 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: claws-mail: CVE-2015-8708: Incomplete fix for CVE-2015-8614
Date: Fri, 15 Jan 2016 08:29:05 +0100
Source: claws-mail
Version: 3.13.1-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for claws-mail.

CVE-2015-8708[0]:
for incomplete fix for CVE-2015-8614

I'm attaching the patch made by Ben Hutchings for his upload to
squeeze-lts.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8708

Regards,
Salvatore
[CVE-2015-8708.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#811048; Package src:claws-mail. (Fri, 15 Jan 2016 08:09:09 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. (Fri, 15 Jan 2016 08:09:10 GMT).


Message #10 received at 811048@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 811046@bugs.debian.org, 811048@bugs.debian.org
Subject: claws-mail: Proposed (not yet uploaded) diff for NMU version 3.13.1-1.1
Date: Fri, 15 Jan 2016 09:07:04 +0100
Control: tags 811046 + patch

Hi

Find attached a proposed debdiff for the two issues #811046 and
#811048 in claws-mail.

I have not done any upload (to a delayed queue) yet.

Regards,
Salvatore
[claws-mail-3.13.1-1.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 15 Jan 2016 12:09:15 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 15 Jan 2016 12:09:15 GMT).


Message #15 received at 811048-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 811048-close@bugs.debian.org
Subject: Bug#811048: fixed in claws-mail 3.13.1-1.1
Date: Fri, 15 Jan 2016 12:04:45 +0000
Source: claws-mail
Source-Version: 3.13.1-1.1

We believe that the bug you reported is fixed in the latest version of
claws-mail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 811048@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated claws-mail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Jan 2016 08:46:03 +0100
Source: claws-mail
Binary: claws-mail claws-mail-dbg libclaws-mail-dev claws-mail-plugins claws-mail-spamassassin claws-mail-pgpmime claws-mail-pgpinline claws-mail-smime-plugin claws-mail-bogofilter claws-mail-i18n claws-mail-doc claws-mail-tools claws-mail-extra-plugins claws-mail-acpi-notifier claws-mail-address-keeper claws-mail-archiver-plugin claws-mail-attach-remover claws-mail-attach-warner claws-mail-bsfilter-plugin claws-mail-clamd-plugin claws-mail-fancy-plugin claws-mail-feeds-reader claws-mail-fetchinfo-plugin claws-mail-gdata-plugin claws-mail-libravatar claws-mail-newmail-plugin claws-mail-mailmbox-plugin claws-mail-managesieve claws-mail-multi-notifier claws-mail-tnef-parser claws-mail-perl-filter claws-mail-pdf-viewer claws-mail-python-plugin claws-mail-spam-report claws-mail-vcalendar-plugin
Architecture: source
Version: 3.13.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Ricardo Mones <mones@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 811046 811048
Description: 
 claws-mail - Fast, lightweight and user-friendly GTK+2 based email client
 claws-mail-acpi-notifier - Laptop's Mail LED control for Claws Mail
 claws-mail-address-keeper - Address keeper plugin for Claws Mail
 claws-mail-archiver-plugin - Archiver plugin for Claws Mail
 claws-mail-attach-remover - Mail attachment remover for Claws Mail
 claws-mail-attach-warner - Missing attachment warnings for Claws Mail
 claws-mail-bogofilter - Bogofilter plugin for Claws Mail
 claws-mail-bsfilter-plugin - Spam filtering using bsfilter for Claws Mail
 claws-mail-clamd-plugin - ClamAV socket-based plugin for Claws Mail
 claws-mail-dbg - Debug symbols for Claws Mail mailer
 claws-mail-doc - User documentation for Claws Mail mailer
 claws-mail-extra-plugins - Extra plugins collection for Claws Mail
 claws-mail-fancy-plugin - HTML mail viewer using GTK+2 WebKit
 claws-mail-feeds-reader - Feeds (RSS/Atom) reader plugin for Claws Mail
 claws-mail-fetchinfo-plugin - Add X-FETCH headers plugin for Claws Mail
 claws-mail-gdata-plugin - Access to GData (Google services) for Claws Mail
 claws-mail-i18n - Locale data for Claws Mail (i18n support)
 claws-mail-libravatar - Display sender avatar from a libravatar server
 claws-mail-mailmbox-plugin - mbox format mailboxes handler for Claws Mail
 claws-mail-managesieve - manage Sieve filters with Claws Mail
 claws-mail-multi-notifier - Various new mail notifiers for Claws Mail
 claws-mail-newmail-plugin - New mail logger plugin for Claws Mail
 claws-mail-pdf-viewer - PDF and PostScript attachment viewer for Claws Mail
 claws-mail-perl-filter - Message filtering plugin using perl for Claws Mail
 claws-mail-pgpinline - PGP/inline plugin for Claws Mail
 claws-mail-pgpmime - PGP/MIME plugin for Claws Mail
 claws-mail-plugins - Installs plugins for the Claws Mail mailer
 claws-mail-python-plugin - Python plugin and console for Claws Mail
 claws-mail-smime-plugin - S/MIME signature/encryption handling for Claws Mail
 claws-mail-spam-report - Spam reporting plugin for Claws Mail
 claws-mail-spamassassin - SpamAssassin plugin for Claws Mail
 claws-mail-tnef-parser - TNEF attachment handler for Claws Mail
 claws-mail-tools - Helper and utility scripts for Claws Mail mailer
 claws-mail-vcalendar-plugin - vCalendar message handling plugin for Claws Mail
 libclaws-mail-dev - Development files for Claws Mail plugins
Changes:
 claws-mail (3.13.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload (with maintainer approval).
   * Add fix-bug-3584-After-3.13.1-characters-in-some-Japanes.patch.
     Fixes "Characters in some Japanese codec are never correctly converted
     to internal ones". (Closes: #811046)
   * Add CVE-2015-8708.patch.
     CVE-2015-8708: Incomplete fix for CVE-2015-8614. Adjusts and comments
     range checks in JP text conversions.
     Thanks to Ben Hutchings <ben@decadent.org.uk> (Closes: #811048)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Mar 2016 07:34:43 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:02:32 2019; Machine Name: buxtehude
