Arch Linux alert ASA-201512-13 (claws-mail)

From:
    	       Remi Gacogne <rgacogne@archlinux.org> 
To:
    	       Discussion about security issues in Arch Linux and its packages <arch-security@archlinux.org> 
Subject:
    	       [arch-security] [ASA-201512-13] claws-mail: buffer overflow 
Date:
    	       Tue, 22 Dec 2015 22:10:28 +0100
Message-ID:
    	       <5679BC44.9020700@archlinux.org>
Arch Linux Security Advisory ASA-201512-13
==========================================

Severity: High
Date    : 2015-12-22
CVE-ID  : CVE-2015-8614
Package : claws-mail
Type    : buffer overflow
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package claws-mail before version 3.13.1-1 is vulnerable to a
remotely triggerable buffer overflow.

Resolution
==========

Upgrade to 3.13.1-1.

# pacman -Syu "claws-mail>=3.13.1-1"

The problem has been fixed upstream in version 3.13.1.

Workaround
==========

None.

Description
===========

A remotely triggerable buffer overflow has been found in the code of
claws-mail handling character conversion, in functions conv_jistoeuc(),
 conv_euctojis() and conv_sjistoeuc(), in codeconv.c.
There was no bounds checking on buffers passed to these functions, some
stack-based but other potentially heap-based.
This issue has been located in the wild and might currently be exploited.

Impact
======

A remote attacker might be able to execute arbitrary code on the
affected host by sending a crafted e-mail to a clasw-mail user.

References
==========

https://access.redhat.com/security/cve/CVE-2015-8614
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bu...
http://git.claws-mail.org/?p=claws.git;a=blobdiff;f=src/c...

From:		Remi Gacogne <rgacogne@archlinux.org>
To:		Discussion about security issues in Arch Linux and its packages <arch-security@archlinux.org>
Subject:		[arch-security] [ASA-201512-13] claws-mail: buffer overflow
Date:		Tue, 22 Dec 2015 22:10:28 +0100
Message-ID:		<5679BC44.9020700@archlinux.org>