Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 31 Dec 2015 03:16:33 +0000
From: Ben Hutchings <>
Subject: Re: mail-client/claws-mail-3.13.1: Stack Overflow - CVE needed?

On Mon, 2015-12-21 at 21:31 -0500, wrote:
> >
> >
> > > So in codeconv.c there is a function for japanese character set
> > > conversion called conv_jistoeuc(). There is no bounds checking on the
> > > output buffer, which is created on the stack with alloca().
> > >;a=commit;h=d390fa07f5548f3173dd9cc13b233db5ce934c82
> > > 
> > > conv_jistoeuc
> > > conv_euctojis
> > > conv_sjistoeuc
> The original discoverer found a conv_jistoeuc issue, and then the
> vendor apparently also found conv_euctojis and conv_sjistoeuc issues.
> However, we don't see an indication that these issues arose in
> independent ways. (Also, there is no vendor statement that
> conv_euctojis or conv_sjistoeuc is exploitable.) It seems best to
> assign CVE-2015-8614 to the combination of the conv_jistoeuc,
> conv_euctojis, and conv_sjistoeuc issues.

Note that two of the bounds checks added in that commit are incorrect:

1. In conv_jistoeuc() the check uses > rather than <, which causes all
   conversions to return an empty string.  This is presumably not a
   security issue, but is a regression.

3. In conv_euctojis() the comparison is with outlen - 3, but each pass
   through the loop uses up to 5 bytes and the rest of the function may
   add another 4 bytes.  The comparison should presumably be 
   '<= outlen - 9' or equivalently '< outlen - 8'.

The first check is fixed by a later commit:;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222


Ben Hutchings
All the simple programs have been written, and all the good names taken.
Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ