oss-sec mailing list archives
Re: mail-client/claws-mail-3.13.1: Stack Overflow - CVE needed?
From: cve-assign () mitre org
Date: Thu, 31 Dec 2015 11:21:59 -0500 (EST)
In conv_euctojis() the comparison is with outlen - 3, but each pass through the loop uses up to 5 bytes and the rest of the function may add another 4 bytes. The comparison should presumably be '<= outlen - 9' or equivalently '< outlen - 8'.
Use CVE-2015-8708 for this additional issue that exists because of an incomplete fix for CVE-2015-8614.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
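The margin arithmetic from the message above, as an added example that is not part of the original post and is not claws-mail source: a simplified converter model in which one loop pass writes up to 5 bytes and the trailer up to 4, measured against different loop guards. The names `convert_model` and `max_overrun`, the escape bytes and the sample input are assumptions made for the illustration.

```c
#include <stddef.h>
#define ESC 0x1b

/* Simplified model (an assumption, not claws-mail code): every charset
 * switch emits a 3-byte escape, so one pass writes up to 5 bytes and the
 * trailer (escape back to ASCII + NUL) up to 4. `margin` is the N in the
 * guard `o < outlen - N`, written as `o + N < outlen` to avoid unsigned
 * wrap-around. `out` needs outlen + 8 bytes of backing store so an overrun
 * of the logical size can be measured safely. Returns bytes written. */
static size_t convert_model(unsigned char *out, size_t outlen,
                            const unsigned char *in, size_t inlen,
                            size_t margin)
{
    size_t o = 0, i = 0;
    int jis = 0;                        /* 0 = ASCII, 1 = two-byte state */

    while (i < inlen && o + margin < outlen) {
        if (in[i] & 0x80) {             /* two-byte character */
            if (i + 1 >= inlen) break;  /* truncated input: stop */
            if (!jis) { out[o++] = ESC; out[o++] = '$'; out[o++] = 'B'; jis = 1; }
            out[o++] = in[i++] & 0x7f;
            out[o++] = in[i++] & 0x7f;
        } else {                        /* single ASCII byte */
            if (jis) { out[o++] = ESC; out[o++] = '('; out[o++] = 'B'; jis = 0; }
            out[o++] = in[i++];
        }
    }
    if (jis) { out[o++] = ESC; out[o++] = '('; out[o++] = 'B'; }
    out[o++] = '\0';
    return o;
}

/* Largest count of bytes written past outlen, for outlen = 1..64, using
 * constructed input that alternates ASCII and two-byte characters so that
 * every pass pays for an escape sequence. */
static size_t max_overrun(size_t margin)
{
    unsigned char in[96], out[64 + 8];
    size_t worst = 0;

    for (size_t k = 0; k < sizeof in; k += 3) {
        in[k] = 'A'; in[k + 1] = 0xa4; in[k + 2] = 0xa2;
    }
    for (size_t outlen = 1; outlen <= 64; outlen++) {
        size_t n = convert_model(out, outlen, in, sizeof in, margin);
        if (n > outlen && n - outlen > worst) worst = n - outlen;
    }
    return worst;
}
```

In this model `max_overrun(3)` is 5, `max_overrun(7)` is 1 and `max_overrun(8)` is 0, so `< outlen - 8` is the loosest guard that keeps every write inside `outlen`.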