Bug 1110254

Summary: claws-mail: stack-based off-by-one in HTML parsing
Product: [Other] Security Response
Reporter: Stefan Cornelius <scorneli>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: andreas.bierfert, carnil, jrusnack
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-07-18 08:28:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1110255

Description Stefan Cornelius 2014-06-17 10:05:57 UTC
There's a stack-based off-by-one in Claws Mail's HTML parsing.

NOTE: I've not investigated this properly and currently have no plans to do so. Depending on our stack layout and whether or not stack corruption mitigation is in place, this could be anything from no issue at all to possible code execution. My guess is that this is not really an issue for us, but then again it looks suspicious enough to get this fixed.

It looks like this got introduced with 3.10.0 and was fixed in 3.10.1. F20 ships 3.10.0, for F19 3.10.0 is only in updates-testing.

References:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3201
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=5f52f113ac9fd054f10752febbfac340c38cddbe
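The bug class named above, as an added illustration that is not the Claws Mail code and makes no claim about where the real defect sat: a parser keeps the current tag name in a fixed-size local array, and the classic off-by-one is a copy loop that fills every byte of the array and then writes the NUL terminator one past its end. The function names (`copy_tag_name`, `tag_name_fits`, `copied_name_equals`), the 8-byte buffer size and the sample HTML fragments are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the tag name that follows '<' in `html` into `dst` (capacity `dstsz`).
 * Returns the number of name bytes written (excluding the NUL), or -1 if the
 * name did not fit. `dst` is always NUL-terminated when dstsz > 0.
 *
 * The off-by-one pattern this guards against is a loop bounded by
 * `i <= dstsz - 1` (or `i < dstsz` followed by `dst[i] = '\0'`): it fills all
 * dstsz bytes with name characters and then writes the terminator at
 * dst[dstsz], one byte past the buffer. On the stack that byte belongs to
 * whatever the compiler placed next (padding, a saved register, a canary).
 */
int copy_tag_name(const char *html, char *dst, size_t dstsz)
{
    size_t i = 0;

    if (dstsz == 0 || html == NULL || *html != '<')
        return -1;
    html++;                                  /* skip the '<' */

    /* The name stops at '>', whitespace or end of input. The copy bound is
     * dstsz - 1, not dstsz, so the terminator always lands inside `dst`. */
    while (*html != '\0' && *html != '>' && !isspace((unsigned char)*html)) {
        if (i >= dstsz - 1) {
            dst[dstsz - 1] = '\0';           /* truncated, but still terminated */
            return -1;
        }
        dst[i++] = *html++;
    }
    dst[i] = '\0';                           /* i <= dstsz - 1: in bounds */
    return (int)i;
}

/* A parser-style caller with a small stack buffer (constructed size).
 * Returns 1 if the tag name fit without truncation, 0 otherwise. */
int tag_name_fits(const char *html)
{
    char name[8];                            /* 7 name bytes + NUL */
    return copy_tag_name(html, name, sizeof name) >= 0;
}

/* Same caller, exposing what actually ended up in the buffer so the
 * truncation behaviour can be checked: 1 if the copied name equals `expect`. */
int copied_name_equals(const char *html, const char *expect)
{
    char name[8];
    copy_tag_name(html, name, sizeof name);
    return strcmp(name, expect) == 0;
}

int main(void)
{
    /* Constructed inputs: a short tag, a tag with attributes, and one whose
     * name is longer than the 7 bytes the local array can hold. */
    const char *samples[] = { "<b>", "<html lang=\"en\">", "<blockquote>" };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        char name[8];
        int len = copy_tag_name(samples[n], name, sizeof name);
        printf("%-18s -> name=\"%s\" len=%d%s\n", samples[n], name, len,
               len < 0 ? " (truncated)" : "");
    }
    return 0;
}
```

The point of the `>= dstsz - 1` check is that the reserved terminator byte is accounted for before the loop touches the last slot; a reviewer looking for this bug class compares every fixed array's size against the loop's upper bound plus the terminator write, rather than trusting that inputs will be short.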

Comment 1 Stefan Cornelius 2014-06-17 10:07:15 UTC
Created claws-mail tracking bugs for this issue:

Affects: fedora-all [bug 1110255]

Comment 2 Andreas Bierfert 2014-06-20 14:44:26 UTC
Thanks for providing the patch!

Comment 3 Andreas Bierfert 2014-06-20 14:45:24 UTC
Oops, wrong bug...