GLSA-200511-13 : Sylpheed, Sylpheed-Claws: Buffer overflow in LDIF importer

This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200511-13
(Sylpheed, Sylpheed-Claws: Buffer overflow in LDIF importer)

Colin Leroy reported buffer overflow vulnerabilities in Sylpheed
and Sylpheed-Claws. The LDIF importer uses a fixed-length buffer to
store data of variable length. Two similar problems also exist in the
Mutt and Pine address book importers of Sylpheed-Claws.
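The fixed-length-buffer pattern the advisory describes, shown as an added C example (not Sylpheed's own code): each LDIF attribute value is copied into a fixed buffer only after checking that it fits, which is the check a strcpy()-style importer lacks. The buffer size, function names and the sample record are constructed for the illustration.

```c
#include <string.h>

#define LDIF_FIELD_MAX 64   /* constructed fixed-size field buffer */

/* Copy the value of one "attr: value" LDIF line (line_len bytes, no newline)
 * into a fixed-size buffer. Returns 1 on success, 0 if the line has no colon
 * or the value would not fit. An unchecked strcpy() here is the pattern that
 * overflows; comparing against out_len before copying is the fix. */
int ldif_copy_value(const char *line, size_t line_len, char *out, size_t out_len)
{
    const char *sep = memchr(line, ':', line_len);
    if (sep == NULL || out_len == 0)
        return 0;
    const char *val = sep + 1;
    const char *end = line + line_len;
    while (val < end && *val == ' ')       /* skip the space after the colon */
        val++;
    if (end > val && end[-1] == '\r')      /* tolerate CRLF line endings */
        end--;
    size_t n = (size_t)(end - val);
    if (n >= out_len)                      /* must leave room for the NUL */
        return 0;
    memcpy(out, val, n);
    out[n] = '\0';
    return 1;
}

/* Walk an LDIF text line by line. Returns the number of lines whose value fit
 * the fixed buffer; the number rejected as too long or malformed goes in *rejected. */
int ldif_import(const char *ldif, int *rejected)
{
    char field[LDIF_FIELD_MAX];
    int accepted = 0;
    *rejected = 0;
    for (const char *p = ldif; *p != '\0';) {
        size_t len = strcspn(p, "\n");     /* bounded to the current line */
        if (len > 0) {
            if (ldif_copy_value(p, len, field, sizeof field))
                accepted++;
            else
                (*rejected)++;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return accepted;
}

/* Constructed sample: two normal lines and one value longer than the buffer. */
static const char SAMPLE_LDIF[] =
    "dn: cn=Alice Example,dc=example,dc=com\n"
    "cn: Alice Example\n"
    "description: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
```

Running ldif_import() over SAMPLE_LDIF accepts the two short lines and rejects the over-long description instead of writing past the 64-byte field.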

Impact :

By convincing a user to import a specially-crafted LDIF file into
the address book, a remote attacker could cause the program to crash,
potentially allowing the execution of arbitrary code with the
privileges of the user running the software.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-200511-13.xml

Solution :

All Sylpheed users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/sylpheed-2.0.4'

All Sylpheed-Claws users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/sylpheed-claws-1.0.5-r1'

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 20234 (gentoo_GLSA-200511-13.nasl)

Bugtraq ID:

CVE ID: CVE-2005-3354