Debian Bug report logs - #653238
alpine vulnerable to CVE-2008-5514
Reported by: Jonathan Sailor <jsailor@cs.brown.edu>
Date: Sun, 25 Dec 2011 19:00:02 UTC
Severity: important
Tags: security
Found in version alpine/2.00+dfsg-6
Fixed in versions alpine/2.02-1, alpine/2.00+dfsg-6+squeeze1
Done: Asheesh Laroia <asheesh@asheesh.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Asheesh Laroia <asheesh@asheesh.org>: Bug#653238; Package alpine. (Sun, 25 Dec 2011 19:00:05 GMT)
Acknowledgement sent to Jonathan Sailor <jsailor@cs.brown.edu>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Asheesh Laroia <asheesh@asheesh.org>. (Sun, 25 Dec 2011 19:00:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: alpine
Version: 2.00+dfsg-6
Severity: grave
Tags: security
Justification: user security hole
The alpine package does not include a fix for CVE-2008-5514.
Vulnerable: lenny lenny-backports squeeze
Fixed in upstream: wheezy sid
The patch is available at [1]. Note that since that version is written for
uw-imap, the path to rfc822.c is imap/src/c-client/rfc822.c.
[1] http://people.debian.org/~nion/nmu-diff/uw-imap-2007b~dfsg-1_2007b~dfsg-1.1.patch
~jon.
-- System Information:
Debian Release: 6.0.3
APT prefers stable
APT policy: (750, 'stable'), (70, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages alpine depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - k
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii libpam0g 1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8o-4squeeze4 SSL shared libraries
alpine recommends no packages.
Versions of packages alpine suggests:
ii aspell 0.60.6-4 GNU Aspell spell-checker
ii postfix [mail-transport 2.7.1-1+squeeze1 High-performance mail transport ag
-- debconf-show failed
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#653238; Package alpine. (Mon, 26 Dec 2011 16:33:05 GMT)
Acknowledgement sent to Asheesh Laroia <asheesh@asheesh.org>: Extra info received and forwarded to list. (Mon, 26 Dec 2011 16:33:05 GMT)
Message #10 received at 653238@bugs.debian.org:
Thanks for reporting this. I will investigate shortly and work with the appropriate security teams to ship an update as needed.
--
Please excuse my brevity.
Information forwarded to debian-bugs-dist@lists.debian.org, Asheesh Laroia <asheesh@asheesh.org>: Bug#653238; Package alpine. (Tue, 27 Dec 2011 18:33:03 GMT)
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Asheesh Laroia <asheesh@asheesh.org>. (Tue, 27 Dec 2011 18:33:03 GMT)
Message #15 received at 653238@bugs.debian.org:
Hi Jonathan,
On Sunday 25 December 2011 19:50:43, Jonathan Sailor wrote:
> Package: alpine
> Version: 2.00+dfsg-6
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The alpine package does not include a fix for CVE-2008-5514.
>
> Vulnerable: lenny lenny-backports squeeze
> Fixed in upstream: wheezy sid
>
> The patch is available at [1]. Note since that version is written for
> uw-imap, the path to rfc822.c is imap/src/c-client/rfc822.c.
Thanks for reporting this. I've noted this in the security tracker.
We've issued a DSA for this for uw-imap, but for alpine I think the problem is
of a different order. A denial of service in server software is different than
simply an email client crashing - the latter is more a regular bug than a
security issue. We will not be issuing a DSA for this, but you/the maintainer
may choose to fix it in (old)stable through a point update, or leave it at
this.
Cheers,
Thijs
Severity set to 'important' from 'grave'. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 27 Dec 2011 18:39:07 GMT)
Reply sent to Asheesh Laroia <asheesh@asheesh.org>: You have taken responsibility. (Wed, 29 Aug 2012 12:21:04 GMT)
Notification sent to Jonathan Sailor <jsailor@cs.brown.edu>: Bug acknowledged by developer. (Wed, 29 Aug 2012 12:21:04 GMT)
Message #22 received at 653238-close@bugs.debian.org:
Source: alpine
Source-Version: 2.00+dfsg-6+squeeze1
We believe that the bug you reported is fixed in the latest version of
alpine, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 653238@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Asheesh Laroia <asheesh@asheesh.org> (supplier of updated alpine package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 26 Aug 2012 16:58:01 -0700
Source: alpine
Binary: alpine alpine-dbg alpine-pico pilot
Architecture: source amd64
Version: 2.00+dfsg-6+squeeze1
Distribution: squeeze
Urgency: low
Maintainer: Asheesh Laroia <asheesh@asheesh.org>
Changed-By: Asheesh Laroia <asheesh@asheesh.org>
Description:
alpine - Text-based email client, friendly for novices but powerful
alpine-dbg - Text-based email client's debugging symbols
alpine-pico - Simple text editor from Alpine, a text-based email client
pilot - Simple file browser from Alpine, a text-based email client
Closes: 653238
Changes:
alpine (2.00+dfsg-6+squeeze1) squeeze; urgency=low
.
* Fix a crash in the embedded copy of UW-IMAP, CVE-2008-5514.
(Closes: #653238)
Checksums-Sha1:
Checksums-Sha256:
Files:
Marked as fixed in versions alpine/2.02-1. Request was from Asheesh Laroia <asheesh@asheesh.org> to control@bugs.debian.org. (Wed, 29 Aug 2012 15:27:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Sep 2012 07:26:24 GMT)