Debian Security Advisory

DLA-383-1 claws-mail -- LTS security update

Date Reported:
12 Jan 2016
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2015-8614, CVE-2015-8708.
More information:

"DrWhax" of the Tails project reported that Claws Mail is missing range checks in some text conversion functions. A remote attacker could exploit this to run arbitrary code under the account of a user that receives a message from them using Claws Mail.

  • CVE-2015-8614

    There were no checks on the output length for conversions between JIS (ISO-2022-JP) and EUC-JP, between JIS and UTF-8, and from Shift_JIS to EUC-JP.

  • CVE-2015-8708

    The original fix for CVE-2015-8614 was incomplete.
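The defect class described above is a converter whose output can be longer than its input (7-bit JIS needs ESC $ B / ESC ( B escape sequences that EUC-JP does not carry) writing into a buffer without checking the output length. The following is an added illustration, not Claws Mail's code and not the patch shipped in this advisory: a minimal EUC-JP to ISO-2022-JP converter in which every byte written is bounds-checked against the caller's buffer size, plus a worst-case size helper for callers that allocate the output up front. The function names, the constructed sample bytes, and the choice to reject SS2/SS3 sequences as malformed are assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define ESC 0x1B

/* Write one byte at out[*pos], refusing to go past outlen (the check the
 * advisory says was missing). Returns 0 on success, -1 if the buffer is full. */
static int put_byte(unsigned char *out, size_t outlen, size_t *pos, unsigned char c)
{
    if (*pos >= outlen)
        return -1;
    out[(*pos)++] = c;
    return 0;
}

/* Emit a three-byte ISO-2022-JP escape sequence such as ESC $ B or ESC ( B. */
static int put_escape(unsigned char *out, size_t outlen, size_t *pos, char a, char b)
{
    return (put_byte(out, outlen, pos, ESC) ||
            put_byte(out, outlen, pos, (unsigned char)a) ||
            put_byte(out, outlen, pos, (unsigned char)b)) ? -1 : 0;
}

/* Worst case: a lone JIS X 0208 character (2 bytes in) becomes
 * ESC $ B + 2 bytes + ESC ( B (8 bytes out), i.e. 4x the input length. */
size_t euc_to_jis_max_len(size_t inlen)
{
    return inlen * 4;
}

/* Convert EUC-JP (ASCII plus JIS X 0208 byte pairs in 0xA1..0xFE) to 7-bit
 * JIS (ISO-2022-JP). Returns the number of bytes written, -1 if out is too
 * small, -2 on malformed input. SS2 (0x8E, half-width kana) and SS3 (0x8F,
 * JIS X 0212) are rejected as malformed to keep the example short. */
long euc_to_jis(const unsigned char *in, size_t inlen, unsigned char *out, size_t outlen)
{
    size_t i = 0, pos = 0;
    int kanji = 0; /* nonzero while the output is in two-byte mode */

    while (i < inlen) {
        unsigned char c = in[i];
        if (c < 0x80) {
            if (kanji) {
                if (put_escape(out, outlen, &pos, '(', 'B')) return -1;
                kanji = 0;
            }
            if (put_byte(out, outlen, &pos, c)) return -1;
            i += 1;
        } else if (c >= 0xA1 && c <= 0xFE) {
            if (i + 1 >= inlen) return -2;           /* truncated pair */
            unsigned char c2 = in[i + 1];
            if (c2 < 0xA1 || c2 > 0xFE) return -2;   /* invalid second byte */
            if (!kanji) {
                if (put_escape(out, outlen, &pos, '$', 'B')) return -1;
                kanji = 1;
            }
            /* EUC-JP sets the high bit on both bytes; JIS strips it. */
            if (put_byte(out, outlen, &pos, c & 0x7F) ||
                put_byte(out, outlen, &pos, c2 & 0x7F)) return -1;
            i += 2;
        } else {
            return -2;                               /* SS2, SS3, or stray byte */
        }
    }
    /* Always return to ASCII before the end of the string. */
    if (kanji && put_escape(out, outlen, &pos, '(', 'B')) return -1;
    return (long)pos;
}

/* Constructed sample: EUC-JP for the character at JIS 0x3022 (0xB0 0xA2)
 * followed by ASCII 'x'. */
static const unsigned char SAMPLE_EUC[] = { 0xB0, 0xA2, 'x' };
/* Expected ISO-2022-JP output: ESC $ B 0x30 0x22 ESC ( B x (9 bytes from 3). */
static const unsigned char SAMPLE_JIS[] = { ESC, '$', 'B', 0x30, 0x22, ESC, '(', 'B', 'x' };
/* Constructed malformed sample: a lone first byte with no second byte. */
static const unsigned char BAD_EUC[] = { 0xB0 };

/* Convert SAMPLE_EUC into a buffer of outlen bytes: 1 if the result matches
 * SAMPLE_JIS, 0 if the converter refused because the buffer was too small,
 * -1 on any other mismatch. */
int convert_sample(size_t outlen)
{
    unsigned char out[64];
    if (outlen > sizeof out) return -1;
    long n = euc_to_jis(SAMPLE_EUC, sizeof SAMPLE_EUC, out, outlen);
    if (n == -1) return 0;
    if (n != (long)sizeof SAMPLE_JIS || memcmp(out, SAMPLE_JIS, (size_t)n) != 0) return -1;
    return 1;
}

int main(void)
{
    printf("max output for %zu input bytes: %zu\n",
           sizeof SAMPLE_EUC, euc_to_jis_max_len(sizeof SAMPLE_EUC));
    printf("with a 12-byte buffer: %d\n", convert_sample(12)); /* fits */
    printf("with an 8-byte buffer: %d\n", convert_sample(8));  /* refused, not overflowed */
    return 0;
}
```

The point of the example is the shape of the fix rather than the charset details: a converter that grows its output must either be told the output buffer's size and fail cleanly when it is reached, or be paired with a worst-case length function that the caller uses to allocate. A 3-byte input becoming 9 bytes shows why sizing the output from the input length alone is not enough.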

For the oldoldstable distribution (squeeze), these problems have been fixed in version 3.7.6-4+squeeze2.

For the oldstable distribution (wheezy) and the stable distribution (jessie), this will be fixed soon. These versions were built with hardening features that make this issue harder to exploit.