sylpheed-claws-gtk2: CVE-2006-2920: URI bypass

Related Vulnerabilities: CVE-2006-2920  

Debian Bug report logs - #372889


Package: sylpheed-claws-gtk2; Maintainer for sylpheed-claws-gtk2 is (unknown);

Reported by: Alec Berryman <alec@thened.net>

Date: Mon, 12 Jun 2006 12:03:17 UTC

Severity: serious

Tags: confirmed, fixed-upstream, patch, security

Fixed in version sylpheed-claws-gtk2/2.3.0-1

Done: Ricardo Mones <mones@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#372889; Package sylpheed-claws-gtk2.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Ricardo Mones <mones@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sylpheed-claws-gtk2: CVE-2006-2920: URI bypass
Date: Mon, 12 Jun 2006 06:58:15 -0500
Package: sylpheed-claws-gtk2
Severity: important
Tags: patch security

CVE-2006-2920: "Sylpheed-Claws before 2.2.2 allows remote attackers to
bypass the URI check functionality and makes it easier to conduct
phishing attacks via a URI that begins with a space character."

The FrSIRT notice incorrectly lists fixed files; you'll need at least
1.36.2.64 of src/common/utils.c [1] and 1.96.2.115 of src/textview.c
[2].  Those revisions are part of release 2.2.2.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://cvs.sunsite.dk/viewcvs.cgi/sylpheedclaws/sylpheed-claws/src/common/utils.c.diff?r1=1.36.2.63&r2=1.36.2.64&only_with_tag=gtk2
[2] http://cvs.sunsite.dk/viewcvs.cgi/sylpheedclaws/sylpheed-claws/src/textview.c.diff?r1=1.96.2.114&r2=1.96.2.115&only_with_tag=gtk2


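An added illustration, written for this page and not Sylpheed-Claws' own code, of the bug class the CVE text above describes: a link-text versus link-target consistency check that only runs when the visible text is recognised as a URI, so a leading space makes it skip the comparison. The function names, the scheme list and the exact-match comparison are simplifying assumptions; the hardened variant trims leading whitespace before the URI test.

```c
#include <ctype.h>
#include <string.h>

enum uri_verdict { URI_OK = 0, URI_MISMATCH = 1 };

/* Stand-in for a URI detector such as the one the report cites in
 * src/common/utils.c: true when the text starts with a known scheme. */
static int is_uri_string(const char *s)
{
    static const char *schemes[] = { "http://", "https://", "ftp://", "mailto:" };
    size_t i;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncmp(s, schemes[i], strlen(schemes[i])) == 0)
            return 1;
    return 0;
}

/* Advance past leading whitespace without modifying the string. */
static const char *skip_leading_space(const char *s)
{
    while (*s != '\0' && isspace((unsigned char)*s))
        s++;
    return s;
}

/* Compare the visible link text with the real target.  Only text that
 * looks like a URI is compared: plain words such as "click here" may
 * legitimately point anywhere, so they are not flagged. */
static enum uri_verdict check_link(const char *visible, const char *target,
                                   int trim_leading_space)
{
    if (trim_leading_space)
        visible = skip_leading_space(visible);
    if (!is_uri_string(visible))
        return URI_OK;          /* not recognised as a URI: check skipped */
    return strcmp(visible, target) == 0 ? URI_OK : URI_MISMATCH;
}

/* Vulnerable behaviour (assumed model of the pre-2.2.2 check): a leading
 * space stops the visible text being recognised as a URI, so no comparison happens. */
enum uri_verdict check_link_vulnerable(const char *visible, const char *target)
{
    return check_link(visible, target, 0);
}

/* Hardened behaviour: strip leading whitespace before the URI test. */
enum uri_verdict check_link_fixed(const char *visible, const char *target)
{
    return check_link(visible, target, 1);
}
```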


Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#372889; Package sylpheed-claws-gtk2.


Acknowledgement sent to Ricardo Mones <mones@aic.uniovi.es>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>.


Message #10 received at 372889@bugs.debian.org:

From: Ricardo Mones <mones@aic.uniovi.es>
To: Alec Berryman <alec@thened.net>, 372889@bugs.debian.org
Subject: Re: Bug#372889: sylpheed-claws-gtk2: CVE-2006-2920: URI bypass
Date: Tue, 13 Jun 2006 01:27:57 +0200
tags 372889 confirmed fixed-upstream pending
thanks

On Mon, 12 Jun 2006 06:58:15 -0500
Alec Berryman <alec@thened.net> wrote:

> Package: sylpheed-claws-gtk2
> Severity: important
> Tags: patch security
> 
> CVE-2006-2920: "Sylpheed-Claws before 2.2.2 allows remote attackers to
> bypass the URI check functionality and makes it easier to conduct
> phishing attacks via a URI that begins with a space character."
> 
> The FrSIRT notice incorrectly lists fixed files; you'll need at least
> 1.36.2.64 of src/common/utils.c [1] and 1.96.2.115 of src/textview.c
> [2].  Those revisions are part of release 2.2.2.
> 
> Please mention the CVE in your changelog.

  Will be handled in the upload of the new 2.3.0 version, released today.

  regards,
-- 
  Ricardo Mones 
  ~
  Physics is like sex: sure, it may give some practical results, but 
  that's not why we do it.                            Richard Feynman




Tags added: confirmed, fixed-upstream, pending. Request was from Ricardo Mones <mones@aic.uniovi.es> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#372889; Package sylpheed-claws-gtk2.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>.


Message #17 received at 372889@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Ricardo Mones <mones@aic.uniovi.es>
Cc: 372889@bugs.debian.org
Subject: Re: Bug#372889: sylpheed-claws-gtk2: CVE-2006-2920: URI bypass
Date: Tue, 13 Jun 2006 01:45:51 +0100
Ricardo Mones on 2006-06-13 01:27:57 +0200:

> Will be handled in the upload of the new 2.3.0 version, released
> today.

Thanks for your prompt response!

Reply sent to Ricardo Mones <mones@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #22 received at 372889-close@bugs.debian.org:

From: Ricardo Mones <mones@debian.org>
To: 372889-close@bugs.debian.org
Subject: Bug#372889: fixed in sylpheed-claws-gtk2 2.3.0-1
Date: Tue, 13 Jun 2006 16:17:08 -0700
Source: sylpheed-claws-gtk2
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
sylpheed-claws-gtk2, which is due to be installed in the Debian FTP archive:

libsylpheed-claws-gtk2-dev_2.3.0-1_i386.deb
  to pool/main/s/sylpheed-claws-gtk2/libsylpheed-claws-gtk2-dev_2.3.0-1_i386.deb
sylpheed-claws-gtk2-clamav_2.3.0-1_i386.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-clamav_2.3.0-1_i386.deb
sylpheed-claws-gtk2-dillo-viewer_2.3.0-1_i386.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-dillo-viewer_2.3.0-1_i386.deb
sylpheed-claws-gtk2-doc_2.3.0-1_all.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-doc_2.3.0-1_all.deb
sylpheed-claws-gtk2-i18n_2.3.0-1_all.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-i18n_2.3.0-1_all.deb
sylpheed-claws-gtk2-pgpinline_2.3.0-1_i386.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-pgpinline_2.3.0-1_i386.deb
sylpheed-claws-gtk2-pgpmime_2.3.0-1_i386.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-pgpmime_2.3.0-1_i386.deb
sylpheed-claws-gtk2-plugins_2.3.0-1_all.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-plugins_2.3.0-1_all.deb
sylpheed-claws-gtk2-spamassassin_2.3.0-1_i386.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-spamassassin_2.3.0-1_i386.deb
sylpheed-claws-gtk2-trayicon_2.3.0-1_i386.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2-trayicon_2.3.0-1_i386.deb
sylpheed-claws-gtk2_2.3.0-1.diff.gz
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2_2.3.0-1.diff.gz
sylpheed-claws-gtk2_2.3.0-1.dsc
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2_2.3.0-1.dsc
sylpheed-claws-gtk2_2.3.0-1_i386.deb
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2_2.3.0-1_i386.deb
sylpheed-claws-gtk2_2.3.0.orig.tar.gz
  to pool/main/s/sylpheed-claws-gtk2/sylpheed-claws-gtk2_2.3.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 372889@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ricardo Mones <mones@debian.org> (supplier of updated sylpheed-claws-gtk2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 14 Jun 2006 00:08:18 +0200
Source: sylpheed-claws-gtk2
Binary: sylpheed-claws-gtk2-spamassassin sylpheed-claws-gtk2-plugins sylpheed-claws-gtk2 sylpheed-claws-gtk2-i18n sylpheed-claws-gtk2-pgpinline libsylpheed-claws-gtk2-dev sylpheed-claws-gtk2-pgpmime sylpheed-claws-gtk2-dillo-viewer sylpheed-claws-gtk2-clamav sylpheed-claws-gtk2-trayicon sylpheed-claws-gtk2-doc
Architecture: source i386 all
Version: 2.3.0-1
Distribution: unstable
Urgency: high
Maintainer: Ricardo Mones <mones@debian.org>
Changed-By: Ricardo Mones <mones@debian.org>
Description: 
 libsylpheed-claws-gtk2-dev - Development files for Sylpheed-Claws GTK2 plugins
 sylpheed-claws-gtk2 - Fast, lightweight and user-friendly GTK2 based email client
 sylpheed-claws-gtk2-clamav - Clam AntiVirus plugin for the Sylpheed-Claws GTK2 mail client
 sylpheed-claws-gtk2-dillo-viewer - HTML viewer plugin for Sylpheed-Claws GTK2 using Dillo
 sylpheed-claws-gtk2-doc - User documentation for Sylpheed-Claws GTK2 mailer
 sylpheed-claws-gtk2-i18n - Locale data for Sylpheed-Claws GTK2 (i18n support)
 sylpheed-claws-gtk2-pgpinline - PGP/inline plugin for Sylpheed-Claws GTK2
 sylpheed-claws-gtk2-pgpmime - PGP/MIME plugin for Sylpheed-Claws GTK2
 sylpheed-claws-gtk2-plugins - Installs plugins for the Sylpheed-Claws GTK2 mail client
 sylpheed-claws-gtk2-spamassassin - SpamAssassin plugin for Sylpheed-Claws GTK2
 sylpheed-claws-gtk2-trayicon - Notification area plugin for Sylpheed-Claws GTK2
Closes: 370257 372889
Changes: 
 sylpheed-claws-gtk2 (2.3.0-1) unstable; urgency=high
 .
   * New upstream release (security upload).
   - Fixes CVE-2006-2920: URI bypass (Closes: #372889)
   - Fixes sylpheed-claws-gtk2 does not obey $HOME (Closes: #370257)
Files: 





Severity set to `serious' from `important'. Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 01:53:42 GMT)

