[Users] [Bug 3557] Remotely exploitable bug.
noreply at thewildbeast.co.uk
Thu Dec 31 12:03:40 CET 2015
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557
--- Comment #8 from Ricardo Mones <mones at users.sourceforge.net> ---
(In reply to comment #7)
> (In reply to comment #6)
> > After being notified of this:
> >
> > https://security-tracker.debian.org/tracker/CVE-2015-8614
> >
> > Seems this is only partially fixed (wrong operator was fixed in #3584), and
> > there are code paths which exceed the number of reserved chars for output.
>
> Right. In conv_euctojis() the comparison is with outlen - 3, but each pass
> through the loop uses up to 5 bytes and the rest of the function may add
> another 4 bytes. The comparison should presumably be '<= outlen - 9' or
> equivalently '< outlen - 8'.
Thanks for confirming, Ben.
> > Similar functions in libsylph¹ are unaffected², so those could be used
> > instead.
>
> The corresponding functions in libsylph do their own allocations on the
> heap, returning a pointer to the caller. So it's not quite as simple as
> copying the code across.
Indeed. I was thinking about a more radical approach like removing
codeconv.[ch] and using sylph/codeconv.h, linking to libsylph. But I had a look
today and this is also a huge task:
• the API calls interface changes (obviously)
• different supported codesets on both sides (libsylph should add some so CM
doesn't lose features)
• missing calls
Maybe it could be a good idea for the long term, but not for tonight ;-)
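
Added example, not part of the bug thread and not Claws Mail or libsylph code: a simplified, hypothetical EUC-JP to ISO-2022-JP converter whose loop guard reserves the full worst case quoted above (5 bytes per pass plus 4 bytes after the loop), i.e. the '<= outlen - 9' condition. The function name, the truncation flag and the split of those byte counts into escape sequence, character and NUL are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

/* Byte counts from the thread; the breakdown is this example's model:
 * pass = 3-byte escape + 2-byte character, tail = 3-byte escape + NUL. */
#define PASS_MAX 5
#define TAIL_MAX 4

/* Hypothetical converter handling ASCII and two-byte JIS X 0208 only.
 * Writes at most outlen bytes including the NUL, returns the number of
 * bytes written without the NUL, and sets *truncated when it had to
 * stop before the end of the input. */
size_t euc_to_jis_bounded(char *out, size_t outlen,
                          const unsigned char *in, int *truncated)
{
    size_t o = 0;
    int kanji = 0;                      /* 1 while in JIS X 0208 mode */

    *truncated = 0;
    if (outlen < TAIL_MAX) {            /* no room even for the tail */
        if (outlen > 0) out[0] = '\0';
        *truncated = (*in != '\0');
        return 0;
    }
    while (*in != '\0') {
        /* Same condition as 'o <= outlen - 9', written as an addition
         * so that a small size_t outlen cannot wrap around. */
        if (o + PASS_MAX + TAIL_MAX > outlen) { *truncated = 1; break; }
        if (*in < 0x80) {
            if (kanji) { memcpy(out + o, "\x1b(B", 3); o += 3; kanji = 0; }
            out[o++] = (char)*in++;
        } else if (in[0] >= 0xa1 && in[0] <= 0xfe &&
                   in[1] >= 0xa1 && in[1] <= 0xfe) {
            if (!kanji) { memcpy(out + o, "\x1b$B", 3); o += 3; kanji = 1; }
            out[o++] = (char)(in[0] & 0x7f);
            out[o++] = (char)(in[1] & 0x7f);
            in += 2;
        } else {
            in++;                       /* skip bytes this model ignores */
        }
    }
    if (kanji) { memcpy(out + o, "\x1b(B", 3); o += 3; }
    out[o] = '\0';
    return o;
}
```

Alternating one ASCII byte with one two-byte character is the input that drives every pass to the 5-byte maximum, so it is the case to use when checking a guard like this.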