Debian Bug report logs - #991722
claws-mail: CVE-2021-37746

Package: src:claws-mail; Maintainer for src:claws-mail is Ricardo Mones <mones@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 30 Jul 2021 20:33:01 UTC

Severity: important

Tags: confirmed, fixed-upstream, security, upstream

Found in versions claws-mail/3.17.8-1, claws-mail/3.17.3-2

Fixed in version claws-mail/3.18.0-1

Done: Ricardo Mones <mones@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Ricardo Mones <mones@debian.org>:
Bug#991722; Package src:claws-mail. (Fri, 30 Jul 2021 20:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Ricardo Mones <mones@debian.org>. (Fri, 30 Jul 2021 20:33:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: claws-mail: CVE-2021-37746
Date: Fri, 30 Jul 2021 22:31:07 +0200
Source: claws-mail
Version: 3.17.8-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 sylpheed 3.7.0-8
Control: retitle -2 sylpheed: CVE-2021-37746
Control: found -1 3.17.3-2
Control: found -2 3.7.0-4

Hi,

The following vulnerability was published for claws-mail (and
sylpheed).

CVE-2021-37746[0]:
| textview_uri_security_check in textview.c in Claws Mail before 3.18.0,
| and Sylpheed through 3.7.0, does not have sufficient link checks
| before accepting a click.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37746
[1] https://git.claws-mail.org/?p=claws.git;a=commit;h=ac286a71ed78429e16c612161251b9ea90ccd431

Regards,
Salvatore



Bug 991722 cloned as bug 991723. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 30 Jul 2021 20:33:03 GMT)


Marked as found in versions claws-mail/3.17.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 30 Jul 2021 20:33:05 GMT)


Added tag(s) pending, confirmed, and fixed-upstream. Request was from Ricardo Mones <mones@debian.org> to control@bugs.debian.org. (Sat, 04 Sep 2021 11:03:04 GMT)


Reply sent to Ricardo Mones <mones@debian.org>:
You have taken responsibility. (Sun, 05 Sep 2021 00:39:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 05 Sep 2021 00:39:09 GMT)


Message #16 received at 991722-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 991722-close@bugs.debian.org
Subject: Bug#991722: fixed in claws-mail 3.18.0-1
Date: Sun, 05 Sep 2021 00:34:01 +0000
Source: claws-mail
Source-Version: 3.18.0-1
Done: Ricardo Mones <mones@debian.org>

We believe that the bug you reported is fixed in the latest version of
claws-mail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ricardo Mones <mones@debian.org> (supplier of updated claws-mail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 05 Sep 2021 01:51:51 +0200
Source: claws-mail
Architecture: source
Version: 3.18.0-1
Distribution: unstable
Urgency: medium
Maintainer: Ricardo Mones <mones@debian.org>
Changed-By: Ricardo Mones <mones@debian.org>
Closes: 983778 985027 991722
Changes:
 claws-mail (3.18.0-1) unstable; urgency=medium
 .
   * New upstream version 3.18.0
   - Includes fix for CVE-2021-37746 (Closes: #991722)
   - Fixes "Segfault on selecting empty 'X-Face'…" (Closes: #983778)
   * Re-enable NetworkManager support (Closes: #985027)
   * Add upstream metadata





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Oct 2021 07:25:20 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Nov 3 08:23:32 2024; Machine Name: bembo
