Debian Bug report logs - #960159
libgmime-3.0-0: DoS fixes available upstream

Package: libgmime-3.0-0; Maintainer for libgmime-3.0-0 is Daniel Kahn Gillmor <dkg@fifthhorseman.net>; Source for libgmime-3.0-0 is src:gmime.

Reported by: gmime user <gmime-user@80x24.org>

Date: Sun, 10 May 2020 02:27:04 UTC

Severity: important

Tags: security, upstream

Found in version gmime/3.2.1-1

Fixed in version gmime/3.2.6-1

Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#960159; Package libgmime-3.0-0. (Sun, 10 May 2020 02:27:06 GMT)


Acknowledgement sent to gmime user <gmime-user@80x24.org>:
New Bug report received and forwarded. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Sun, 10 May 2020 02:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: gmime user <gmime-user@80x24.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgmime-3.0-0: DoS fixes available upstream
Date: Sun, 10 May 2020 02:16:25 +0000
Package: libgmime-3.0-0
Version: 3.2.1-1
Severity: important
Tags: upstream, security

gmime 3.2.5+ is needed to fix deep recursion and stack overflows

Excessive parts and CPU cycles needs
commit 53449a25fa46e6a0333d1919ee4f3778c1789d53
in https://github.com/jstedfast/gmime.git
No release as of 3.2.7 has that, yet.

I expect there are also old gmime-2.x packages affected,
but don't have time/energy to check myself.



Marked as fixed in versions gmime/3.2.6-1. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Wed, 29 Sep 2021 03:21:02 GMT)


Marked Bug as done. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Wed, 29 Sep 2021 03:21:02 GMT)


Notification sent to gmime user <gmime-user@80x24.org>:
Bug acknowledged by developer. (Wed, 29 Sep 2021 03:21:03 GMT)


Message sent on to gmime user <gmime-user@80x24.org>:
Bug#960159. (Wed, 29 Sep 2021 03:33:02 GMT)


Message #14 received at 960159-submitter@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: control@bugs.debian.org
Cc: 960159-submitter@bugs.debian.org
Subject: closing 960159
Date: Tue, 28 Sep 2021 22:37:45 -0400

close 960159 3.2.6-1
thanks




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Oct 2021 07:27:28 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 13 10:28:19 2025; Machine Name: buxtehude
