
[SECURITY] [DLA 383-1] claws-mail security update



Package        : claws-mail
Version        : 3.7.6-4+squeeze2
CVE ID         : CVE-2015-8614 CVE-2015-8708

"DrWhax" of the Tails project reported that Claws Mail is missing
range checks in some text conversion functions.  A remote attacker
could exploit this to run arbitrary code under the account of a user
that receives a message from them using Claws Mail.

CVE-2015-8614

    There were no checks on the output length for conversions between
    JIS (ISO-2022-JP) and EUC-JP, between JIS and UTF-8, and from
    Shift_JIS to EUC-JP.

CVE-2015-8708

    The original fix for CVE-2015-8614 was incomplete.
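As an added illustration of the bug class described above (this is not Claws Mail's code and not the patched routines), here is a bounded EUC-JP to UTF-8 converter in C that refuses to write when the output buffer cannot hold the expanded text. The function names are hypothetical. JIS X 0208 characters are emitted as U+FFFD because the lookup table is out of scope, which still exercises the 2-byte to 3-byte expansion that makes an output-length check necessary; ASCII and half-width katakana are mapped exactly.

```c
/* Bounded EUC-JP -> UTF-8 conversion: an added illustration of the bug
 * class in DLA 383-1 (missing output-length checks), not Claws Mail code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst-case UTF-8 size for an EUC-JP input: every 2-byte sequence becomes
 * 3 bytes, every ASCII byte stays 1 byte. Callers size buffers with this. */
size_t euc_jp_utf8_max_out(size_t inlen)
{
    return (inlen / 2) * 3 + (inlen % 2);
}

/* Append one code point (<= U+FFFF) as UTF-8. Returns 0 without writing
 * when fewer than the needed bytes remain: this is the check the advisory
 * describes as missing from the affected conversion routines. */
static int put_utf8(uint32_t cp, unsigned char *out, size_t outcap, size_t *pos)
{
    size_t need = cp < 0x80 ? 1 : (cp < 0x800 ? 2 : 3);
    if (outcap - *pos < need)
        return 0;
    if (need == 1) {
        out[(*pos)++] = (unsigned char)cp;
    } else if (need == 2) {
        out[(*pos)++] = (unsigned char)(0xC0 | (cp >> 6));
        out[(*pos)++] = (unsigned char)(0x80 | (cp & 0x3F));
    } else {
        out[(*pos)++] = (unsigned char)(0xE0 | (cp >> 12));
        out[(*pos)++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[(*pos)++] = (unsigned char)(0x80 | (cp & 0x3F));
    }
    return 1;
}

/* Convert EUC-JP bytes to UTF-8. Returns bytes written, or -1 on malformed
 * input or when the output buffer is too small. Never writes past outcap.
 * ASCII and half-width katakana (0x8E prefix) map exactly; JIS X 0208 pairs
 * are emitted as U+FFFD because the full lookup table is omitted here, which
 * still exercises the 2-byte -> 3-byte expansion that matters for sizing. */
long euc_jp_to_utf8_bounded(const unsigned char *in, size_t inlen,
                            unsigned char *out, size_t outcap)
{
    size_t i = 0, pos = 0;
    while (i < inlen) {
        unsigned char b = in[i];
        uint32_t cp;
        if (b < 0x80) {                       /* ASCII passes through */
            cp = b;
            i += 1;
        } else if (b == 0x8E) {               /* JIS X 0201 half-width katakana */
            if (i + 1 >= inlen || in[i + 1] < 0xA1 || in[i + 1] > 0xDF)
                return -1;
            cp = 0xFF61 + (uint32_t)(in[i + 1] - 0xA1);
            i += 2;
        } else if (b >= 0xA1 && b <= 0xFE) {  /* JIS X 0208 two-byte character */
            if (i + 1 >= inlen || in[i + 1] < 0xA1 || in[i + 1] > 0xFE)
                return -1;
            cp = 0xFFFD;                      /* stand-in for the table lookup */
            i += 2;
        } else {
            return -1;                        /* 0x8F (JIS X 0212) and stray bytes: reject */
        }
        if (!put_utf8(cp, out, outcap, &pos))
            return -1;                        /* output would overflow: stop, write nothing more */
    }
    return (long)pos;
}

/* Constructed inputs exercising the normal path, the expansion bound, and
 * each failure mode. Returns 1 when every case behaves as expected. */
int run_self_checks(void)
{
    unsigned char out[8];
    /* "A" followed by half-width katakana 0x8E 0xB1 (U+FF71): 4 output bytes */
    const unsigned char kana[] = { 'A', 0x8E, 0xB1 };
    long n = euc_jp_to_utf8_bounded(kana, sizeof kana, out, sizeof out);
    if (n != 4 || memcmp(out, "A\xEF\xBD\xB1", 4) != 0) return 0;
    /* Same input, buffer one byte too small: refused rather than overrun */
    if (euc_jp_to_utf8_bounded(kana, sizeof kana, out, 3) != -1) return 0;
    /* Worst-case sizing is exact for this input */
    if (euc_jp_utf8_max_out(sizeof kana) != 4) return 0;
    /* JIS X 0208 pair expands 2 -> 3 bytes */
    const unsigned char kanji[] = { 0xA4, 0xA2 };
    if (euc_jp_to_utf8_bounded(kanji, sizeof kanji, out, sizeof out) != 3) return 0;
    /* Truncated and malformed sequences are rejected */
    const unsigned char trunc[] = { 0x8E };
    if (euc_jp_to_utf8_bounded(trunc, sizeof trunc, out, sizeof out) != -1) return 0;
    const unsigned char bad[] = { 0x8E, 0x41 };
    if (euc_jp_to_utf8_bounded(bad, sizeof bad, out, sizeof out) != -1) return 0;
    return 1;
}

int main(void)
{
    int ok = run_self_checks();
    printf("self checks %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The design point is that the size check lives in the one function that writes output, so no decoding branch can bypass it, and the caller can size the destination with `euc_jp_utf8_max_out()` up front instead of relying on the converter to fail gracefully.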

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 3.7.6-4+squeeze2.

For the oldstable distribution (wheezy) and the stable distribution
(jessie), this will be fixed soon.  These versions were built with
hardening features that make this issue harder to exploit.

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams

