[Users] [Bug 3557] Remotely exploitable bug.

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Thu Dec 31 04:22:35 CET 2015


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557

--- Comment #7 from Ben Hutchings <ben at decadent.org.uk> ---
(In reply to comment #6)
> After being notified of this:
> 
> https://security-tracker.debian.org/tracker/CVE-2015-8614
> 
> Seems this is only partially fixed (wrong operator was fixed in #3584), and
> there are code paths which exceed the number of reserved chars for output.

Right.  In conv_euctojis() the comparison is with outlen - 3, but each pass
through the loop uses up to 5 bytes and the rest of the function may add
another 4 bytes.  The comparison should presumably be '<= outlen - 9' or
equivalently '< outlen - 8'.

> Similar functions in libsylph¹ are unaffected², so those could be used
> instead.

The corresponding functions in libsylph do their own allocations on the heap,
returning a pointer to the caller.  So it's not quite as simple as copying the
code across.

-- 
You are receiving this mail because:
You are the assignee for the bug.
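
The byte accounting in comment #7 (up to 5 bytes per loop pass plus up to 4 after the loop), checked as an added example that is not part of the original message and is not the Claws Mail source. The converter is a simplified model handling only ASCII and two-byte EUC-JP; `model_euctojis`, `worst_overrun` and the `reserve` parameter are hypothetical names, and the input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not the Claws Mail source: ASCII and two-byte EUC-JP to
 * ISO-2022-JP, looping while used <= outlen - reserve. Output goes to an
 * oversized scratch buffer, so an overrun is measured rather than performed.
 * Returns the byte count an outlen-sized buffer would have had to hold. */
static size_t model_euctojis(const unsigned char *in, size_t outlen, long reserve)
{
    char scratch[256];                  /* callers keep outlen <= 64 */
    size_t used = 0;
    int kanji = 0;                      /* 0 = ASCII mode, 1 = JIS X 0208 mode */
    while (*in != '\0' && (long)used <= (long)outlen - reserve) {
        if (*in < 0x80) {               /* ASCII: up to 3 (escape) + 1 bytes */
            if (kanji) { memcpy(scratch + used, "\033(B", 3); used += 3; kanji = 0; }
            scratch[used++] = (char)*in++;
        } else if (in[1] >= 0xa1) {     /* kanji: up to 3 (escape) + 2 bytes */
            if (!kanji) { memcpy(scratch + used, "\033$B", 3); used += 3; kanji = 1; }
            scratch[used++] = (char)(in[0] & 0x7f);
            scratch[used++] = (char)(in[1] & 0x7f);
            in += 2;
        } else { in++; }                /* skip a malformed byte */
    }
    if (kanji) { memcpy(scratch + used, "\033(B", 3); used += 3; }  /* tail: 3 */
    scratch[used++] = '\0';             /* tail: + 1 */
    return used;
}

/* Largest (bytes written - outlen) for outlen 9..64, on a constructed input
 * that alternates ASCII and kanji so that every pass emits an escape. */
long worst_overrun(long reserve)
{
    unsigned char in[61];
    long worst = -1000;
    for (int i = 0; i < 20; i++) { in[3*i] = 'a'; in[3*i+1] = 0xa4; in[3*i+2] = 0xa2; }
    in[60] = '\0';
    for (size_t outlen = 9; outlen <= 64; outlen++) {
        long over = (long)model_euctojis(in, outlen, reserve) - (long)outlen;
        if (over > worst) worst = over;
    }
    return worst;
}

int main(void)
{
    printf("reserve 3: +%ld  reserve 8: +%ld  reserve 9: +%ld\n", worst_overrun(3), worst_overrun(8), worst_overrun(9));
    return 0;
}
```

In this model a reserve of 3 lets the output run up to 6 bytes past `outlen`, a reserve of 8 still overruns by 1, and a reserve of 9 never exceeds the buffer.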

