Your message dated Tue, 27 Jul 2010 22:47:09 +0000
with message-id <e1odsvv-0001xh...@franck.debian.org>
and subject line Bug#568291: fixed in gmime2.2 2.2.25-1.1
has caused the Debian Bug report #568291,
regarding possible buffer overflows
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
568291: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568291
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libgmime-2.0-2a
Severity: grave
Tags: security patch
Hi
GMime upstream has released latest 2.4.15 [1] version of the
library fixing one security issue. From 2.4.15-changes [2] file:
2010-01-31 Jeffrey Stedfast <f...@novell.com>
* gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent
possible buffer overflows.
The vulnerable code seems to be in gmime/gmime-utils.h, I've attached
upstream's patch for your convenience, but I did not have a deeper look
at the buffer sizes, so it is unchecked.
stable is also affected and would need to be fixed as well I guess.
Please contact the secuirty team (t...@security.debian.org), if you've
checked the patch and have packages ready for lenny.
Thanks in advance.
Cheers
Steffen
References:
[1] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/
[2] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes
[3] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz
[4] http://secunia.com/advisories/38459/
diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/ChangeLog gmime-2.4.15/ChangeLog
--- gmime-2.4.14/ChangeLog 2010-01-30 17:28:48.000000000 +0000
+++ gmime-2.4.15/ChangeLog 2010-02-02 13:51:02.000000000 +0000
@@ -1,3 +1,16 @@
+2010-02-02 Jeffrey Stedfast <f...@novell.com>
+
+ * README: Bumped version
+
+ * configure.in: Bumped version to 2.4.15
+
+ * build/vs2008/gmime.vcproj: Bumped version.
+
+2010-01-31 Jeffrey Stedfast <f...@novell.com>
+
+ * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent
+ possible buffer overflows.
+
2010-01-30 Jeffrey Stedfast <f...@novell.com>
* README: Bumped version
diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/docs/reference/xml/gmime-encodings.xml gmime-2.4.15/docs/reference/xml/gmime-encodings.xml
--- gmime-2.4.14/docs/reference/xml/gmime-encodings.xml 2010-01-30 17:30:37.000000000 +0000
+++ gmime-2.4.15/docs/reference/xml/gmime-encodings.xml 2010-02-02 13:53:42.000000000 +0000
@@ -488,7 +488,7 @@
</para></refsect2>
<refsect2 id="GMIME-UUENCODE-LEN--CAPS" role="macro">
<title>GMIME_UUENCODE_LEN()</title>
-<indexterm zone="GMIME-UUENCODE-LEN--CAPS"><primary sortas="GMIME_UUENCODE_LEN">GMIME_UUENCODE_LEN</primary></indexterm><programlisting>#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 62))
+<indexterm zone="GMIME-UUENCODE-LEN--CAPS"><primary sortas="GMIME_UUENCODE_LEN">GMIME_UUENCODE_LEN</primary></indexterm><programlisting>#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 64))
</programlisting>
<para>
Calculates the maximum number of bytes needed to uuencode the full
diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/gmime/gmime-encodings.h gmime-2.4.15/gmime/gmime-encodings.h
--- gmime-2.4.14/gmime/gmime-encodings.h 2009-04-24 02:04:47.000000000 +0000
+++ gmime-2.4.15/gmime/gmime-encodings.h 2010-02-01 13:32:53.000000000 +0000
@@ -91,7 +91,7 @@
* Returns: the number of output bytes needed to uuencode an input
* buffer of size @x.
**/
-#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 62))
+#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 64))
/**
--- End Message ---
--- Begin Message ---
Source: gmime2.2
Source-Version: 2.2.25-1.1
We believe that the bug you reported is fixed in the latest version of
gmime2.2, which is due to be installed in the Debian FTP archive:
gmime2.2_2.2.25-1.1.diff.gz
to main/g/gmime2.2/gmime2.2_2.2.25-1.1.diff.gz
gmime2.2_2.2.25-1.1.dsc
to main/g/gmime2.2/gmime2.2_2.2.25-1.1.dsc
libgmime-2.0-2-dev_2.2.25-1.1_i386.deb
to main/g/gmime2.2/libgmime-2.0-2-dev_2.2.25-1.1_i386.deb
libgmime-2.0-2-doc_2.2.25-1.1_all.deb
to main/g/gmime2.2/libgmime-2.0-2-doc_2.2.25-1.1_all.deb
libgmime-2.0-2a_2.2.25-1.1_i386.deb
to main/g/gmime2.2/libgmime-2.0-2a_2.2.25-1.1_i386.deb
libgmime2.2a-cil_2.2.25-1.1_all.deb
to main/g/gmime2.2/libgmime2.2a-cil_2.2.25-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 568...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <j...@debian.org> (supplier of updated gmime2.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 16 Jul 2010 23:22:19 +0200
Source: gmime2.2
Binary: libgmime-2.0-2-dev libgmime-2.0-2-doc libgmime-2.0-2a libgmime2.2a-cil
Architecture: source i386 all
Version: 2.2.25-1.1
Distribution: unstable
Urgency: medium
Maintainer: Mirco Bauer <mee...@debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
libgmime-2.0-2-dev - MIME library - development files
libgmime-2.0-2-doc - MIME library - documentation
libgmime-2.0-2a - MIME library
libgmime2.2a-cil - CLI binding for the MIME library
Closes: 568291
Changes:
gmime2.2 (2.2.25-1.1) unstable; urgency=medium
.
* Non-maintainer upload
* Fix CVE-2010-0409 (Closes: #568291)
Checksums-Sha1:
3880d44091ce76cafd119de9f8ba06d0d1b2d7f9 1574 gmime2.2_2.2.25-1.1.dsc
f5bbc8ead479a85ac446c0bfcf7d3d8203b9dcb1 16157 gmime2.2_2.2.25-1.1.diff.gz
5a128969b472ee64a43e505e6b09c0986b74205b 255652
libgmime-2.0-2-dev_2.2.25-1.1_i386.deb
c1f4080c7461ff27cab15b5fd922e82e3ad084ca 203174
libgmime-2.0-2a_2.2.25-1.1_i386.deb
14e76e029c90505eb88f9d5d8041214d5bccb3fa 187142
libgmime-2.0-2-doc_2.2.25-1.1_all.deb
99951e414f6e4f572ab475e7418386ab30434075 109958
libgmime2.2a-cil_2.2.25-1.1_all.deb
Checksums-Sha256:
5827b9b4f763876f94dcdbc2f1248a7b2c881dbd72b1a4b79a10287a7e54dff6 1574
gmime2.2_2.2.25-1.1.dsc
d9cc0bec857b240349b29ae383e01ffbf8cb725d6c46a439a9d0f4bedbeb76ef 16157
gmime2.2_2.2.25-1.1.diff.gz
89e5199e44e3d695282ca3f6beb36e15539954ae2713a2b92abdffeb6b202c1f 255652
libgmime-2.0-2-dev_2.2.25-1.1_i386.deb
d0057d71129a9995ebe123bcb9401d4585725adb176161c6b6ed634417f954cd 203174
libgmime-2.0-2a_2.2.25-1.1_i386.deb
2c693c106bde5fed3d40b6bcc854b855ef62d20bcb853cd4947319850314f417 187142
libgmime-2.0-2-doc_2.2.25-1.1_all.deb
79d254b9c0599eabfc59f5418eb7f9ff65f4a410a26a44260dd8bf206f339a84 109958
libgmime2.2a-cil_2.2.25-1.1_all.deb
Files:
cbe3a546197c95d066864334c6f8429f 1574 libs optional gmime2.2_2.2.25-1.1.dsc
6cc15d72659efa1d7a70f7f00011e9ac 16157 libs optional
gmime2.2_2.2.25-1.1.diff.gz
131d55e57cea078b1e947841bc8634eb 255652 libdevel optional
libgmime-2.0-2-dev_2.2.25-1.1_i386.deb
5505d5e813f765665ecc1de59545bb82 203174 libs optional
libgmime-2.0-2a_2.2.25-1.1_i386.deb
8175005b76d7aae047384cd9625efedc 187142 doc optional
libgmime-2.0-2-doc_2.2.25-1.1_all.deb
384d4aa094d520079b786a354ae7485e 109958 libs optional
libgmime2.2a-cil_2.2.25-1.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkxPXIAACgkQXm3vHE4uylqfuwCcCjc5OAM4jaYP+Z00cVAHbfVj
3FsAoInDUg0aPkMY6+f0V30jpzkmRZdd
=o8ni
-----END PGP SIGNATURE-----
--- End Message ---
