Updated claws-mail packages fix CVE-2015-8708
Publication date: 17 Feb 2016Modification date: 17 Feb 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-8708
Description
Updated claws-mail fix security vulnerabilities
A stack-based buffer overflow has been found in conv_euctojis() after applying
incomplete patch for CVE-2015-8614. In conv_euctojis() the comparison is with
outlen - 3, but each pass through the loop uses up to 5 bytes and the rest of
the function may add another 4 bytes. The comparison should presumably be
'<= outlen - 9' or equivalently '< outlen - 8'. (CVE-2015-8708)
References
- https://bugs.mageia.org/show_bug.cgi?id=17722
- http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557
- https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176949.html
- https://security-tracker.debian.org/tracker/CVE-2015-8708
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8708
SRPMS
5/core
- claws-mail-3.11.1-3.1.mga5