Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:sylpheed
User: [email protected]
Usertags: pu
[ Reason ]
CVE-2021-37746

[ Impact ]
The user may click a link that is represented differently in the email viewer.

[ Tests ]
Just build-tested.

[ Risks ]
Code is trivial and in claws-mail for a while.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
The link checker protects against more cases where the link target and HTML representation differ, which might be malicious.

[ Other info ]
This is a non-maintainer upload. The package is gone from unstable so cannot be fixed there upfront.
diff -Nru sylpheed-3.8.0~beta1/debian/changelog sylpheed-3.8.0~beta1/debian/changelog --- sylpheed-3.8.0~beta1/debian/changelog 2024-08-12 17:08:26.000000000 +0200 +++ sylpheed-3.8.0~beta1/debian/changelog 2026-03-09 17:43:38.000000000 +0100 @@ -1,3 +1,10 @@ +sylpheed (3.8.0~beta1-2+deb13u1) trixie; urgency=medium + + * Non-maintainer upload + * Add link check to address CVE-2021-37746 (backport from claws-mail) + + -- Bastian Germann <[email protected]> Mon, 09 Mar 2026 17:43:38 +0100 + sylpheed (3.8.0~beta1-2) unstable; urgency=high * Add patch to fix FTBFS with GCC 14 (Closes: #1075546) diff -Nru sylpheed-3.8.0~beta1/debian/patches/CVE-2021-37746.patch sylpheed-3.8.0~beta1/debian/patches/CVE-2021-37746.patch --- sylpheed-3.8.0~beta1/debian/patches/CVE-2021-37746.patch 1970-01-01 01:00:00.000000000 +0100 +++ sylpheed-3.8.0~beta1/debian/patches/CVE-2021-37746.patch 2026-03-09 17:43:38.000000000 +0100 
@@ -0,0 +1,32 @@ +Origin: backport, https://git.claws-mail.org/?p=claws.git;a=commit;h=ac286a71ed78429e16c612161251b9ea90ccd431 +From: Paul <[email protected]> +Date: Sun, 23 May 2021 12:16:40 +0100 +Subject: harden link checker before accepting click + +--- + src/textview.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/textview.c b/src/textview.c +index e55eea9..0ec9f8e 100644 +--- a/src/textview.c ++++ b/src/textview.c +@@ -2689,7 +2689,7 @@ static gboolean textview_uri_security_check(TextView *textview, RemoteURI *uri) + gboolean retval = TRUE; + + if (is_uri_string(uri->uri) == FALSE) +- return TRUE; ++ return FALSE; + + buffer = gtk_text_view_get_buffer(GTK_TEXT_VIEW(textview->text)); + gtk_text_buffer_get_iter_at_offset(buffer, &start_iter, uri->start); +@@ -2725,6 +2725,9 @@ static gboolean textview_uri_security_check(TextView *textview, RemoteURI *uri) + if (aval == G_ALERTDEFAULT) + retval = TRUE; + } ++ if (strlen(uri->uri) > get_uri_len(uri->uri)) ++ retval = FALSE; ++ + + g_free(visible_str); + diff -Nru sylpheed-3.8.0~beta1/debian/patches/series sylpheed-3.8.0~beta1/debian/patches/series --- sylpheed-3.8.0~beta1/debian/patches/series 2024-08-12 17:08:26.000000000 +0200 +++ sylpheed-3.8.0~beta1/debian/patches/series 2026-03-09 17:43:38.000000000 +0100 @@ -11,3 +11,4 @@ 0011-update-.desktop-entry-for-newest-desktop-entry-spec.patch 0012-fix-typo-import.patch 0013-fix-FTBFS-GCC-14.patch +CVE-2021-37746.patch
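Review bot: in the first src/textview.c hunk of the backported patch, `- return TRUE;` / `+ return FALSE;` turns the early exit for targets that is_uri_string() does not recognise from "allow the click" into "refuse it silently", which is a wider behaviour change than the [ Changes ] text describes: any target reaching textview_uri_security_check() that fails is_uri_string() is now dropped without the confirmation dialog. Since this is a backport from the claws-mail tree, confirm that sylpheed's callers only reach this function with targets is_uri_string() accepts (mailto: and similar being handled on their own path), and say in the changelog entry that non-URI link targets are now refused rather than only mentioning the added length check.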
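Review bot: in the second src/textview.c hunk, the new `+ if (strlen(uri->uri) > get_uri_len(uri->uri))` / `+ retval = FALSE;` is placed after the alert block, so it unconditionally overrides the `retval = TRUE` a user has just produced by confirming the dialog: the click is refused with no feedback at all. Move the length check above the visible-text comparison and return FALSE there, so a target with trailing bytes beyond its parsed URI length is rejected before any dialog is shown and the user is never asked to approve a link that will be discarded anyway. Also drop one of the two consecutive blank lines the hunk adds (`++` followed by `+`); the second only adds noise to the patch.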
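Review bot: in the debian/patches/series hunk, `+CVE-2021-37746.patch` departs from the numbered `00NN-description.patch` scheme every other entry uses (0011-, 0012-, 0013-), so the patch will not sort with the rest when listed; naming it `0014-CVE-2021-37746-harden-link-checker.patch` (and adjusting the filename in the debdiff accordingly) keeps the series consistent, and adding a DEP-3 `Bug:` header pointing at the CVE alongside the existing `Origin:` line makes the provenance easier to trace from the patch file alone.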

