SSL validation problem (or sync Sylpheed from Debian sid)

Bug #1301274 reported by N. W.
This bug affects 3 people
Affects: sylpheed (Ubuntu)
  Status: Fix Released    Importance: Undecided    Assigned to: Julien Lavergne
Affects: sylpheed (Ubuntu Trusty)
  Status: Fix Released    Importance: Undecided    Assigned to: Bartosz Kosiorek

Bug Description

SRU statement :
[Impact]

* Actual sylpheed has 2 major issues :
- Security problem (SSL certificate validation)
- Losing mail using POP3

The problem is that the security fix is separated into several commits, so it's not easy and secure to cherry-pick commits, and maybe other commits that could be necessary are not labeled « SSL fix ».

So, the easiest and most secure way to fix this is to take the whole upstream release. It will also fix the other major issue.

Since 3.4.0 beta7 (included in trusty), the changelog to 3.4.1 is :

Mac OS X support was improved.
SSL certificate hostname is validated now (#167).
The Japanese manual was modified so that IE correctly detect its character encoding.
The rightmost column of folder view and summary view became easier to resize.
Appropriate columns of folder view, summary view, etc. are auto-expanded by window resize when using GTK+ 2.14 or later.
The initial setup dialog is now resizable.
PGP encrypt-to-self feature was added.
The display period of notification window became configurable.
Win32: OpenSSL was updated to 0.9.8y.
Win32: libpng was updated to 1.2.51.

SSL wildcard certificate is also validated now (#167).
The compile error with OpenSSL disabled was fixed.

This release fixes an important bug that would lose mails when local mailbox was inaccessible on POP3 receiving.

The other fixes are minimal compared to the 2 major fixes + the risk of missing something by cherry-picking commits.

[Test Case]
Detail of the security issue is described on the upstream bug tracker : http://sylpheed.sraoss.jp/redmine/issues/167
Since it's a security issue, it's not really easy to reproduce.

Also, details about the loss of email are on the upstream bug tracker http://sylpheed.sraoss.jp/redmine/issues/193

[Regression Potential]

I can't see any regressions. The fixes have been upstream for quite some time, and there is no new release fixing those issues again (so I assume the actual fixes are good).

Changelog :
sylpheed (3.4.1-0ubuntu0.1) trusty-proposed; urgency=medium

  * New upstream release
   - Fix SSL validation (LP: #1301274).
   - Fix losing mails when local mailbox is inaccessible on POP3 receiving.

 -- Julien Lavergne <email address hidden> Fri, 16 May 2014 15:29:20 +0200

Debdiff is attached.

Original report :
Hello,

Ubuntu 14.04 LTS Trusty Tahr currently only has the old Sylpheed 3.4 beta 7:

http://packages.ubuntu.com/trusty/sylpheed

whereas Debian sid has the new Sylpheed 3.4 stable:

https://packages.debian.org/sid/sylpheed

The new Sylpheed 3.4 stable also has a security fix that Sylpheed 3.4 beta 7 does not have, see:

http://sylpheed.sraoss.jp/redmine/issues/167

So, please update the package in Ubuntu 14.04 LTS Trusty Tahr, so that it will have the new Sylpheed 3.4 stable as well.

The changelog of Sylpheed is available over there:

http://sylpheed.sraoss.jp/en/news.html

It would be much appreciated.

Regards

N. W. (nw9165-3201)
information type: Private Security → Public
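As an added illustration (not code from Sylpheed, and not part of this bug report) of what the 3.4.1 changelog entries "SSL certificate hostname is validated now" and "SSL wildcard certificate is also validated now" mean in practice, the following Python implements the checks a mail client should apply to a POP3S/IMAPS server certificate before trusting it: compare the host the user configured against the certificate's subjectAltName dNSName entries (falling back to the subject CN only when no SAN is present), accept a wildcard only as the whole leftmost label and never across a dot, and compare IP literals as addresses rather than strings. The certificate dicts follow the shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificates, hostnames and function names are constructed for this example.

```python
"""Server-certificate hostname validation, in the spirit of the Sylpheed 3.4.1
fix for issue #167.  Added example, not Sylpheed code.  Certificates are given
in the dict shape that ssl.SSLSocket.getpeercert() returns."""
import ipaddress
import ssl
from typing import Dict, List, Tuple


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 section 6.4.3).

    Only a single '*' forming the entire leftmost label is honoured, and it
    never spans a dot: '*.example.net' covers 'imap.example.net' but neither
    'example.net' nor 'a.b.example.net'.  Partial-label wildcards such as
    'f*.example.net' are rejected outright (stricter than the RFC allows).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the whole leftmost label, be the only wildcard,
    # and leave at least two fixed labels so '*.com' style patterns fail.
    if plabels[0] != "*" or "*" in pattern[2:] or len(plabels) < 3:
        return False
    if len(hlabels) != len(plabels):
        return False
    return plabels[1:] == hlabels[1:]


def names_from_cert(cert: Dict) -> Tuple[List[str], List[str]]:
    """Return (dns_names, ip_names) from a getpeercert()-style dict.

    subjectAltName takes precedence; the subject commonName is consulted
    only when the certificate carries no SAN names at all.
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def cert_matches_host(cert: Dict, hostname: str) -> bool:
    """True iff the certificate is valid for the host the client connected to."""
    dns, ips = names_from_cert(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: compare as addresses; wildcards never apply here.
        return any(ipaddress.ip_address(i) == ip for i in ips)
    return any(_dns_name_matches(p, hostname) for p in dns)


def strict_client_context() -> ssl.SSLContext:
    """Client TLS context with both chain verification and hostname checking
    on, the posture a mail client should use for POP3S/IMAPS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample certificates (not real certificates, names are examples).
SAN_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (
        ("DNS", "mail.example.org"),
        ("DNS", "*.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}
CN_ONLY_CERT = {"subject": ((("commonName", "pop.example.com"),),)}

if __name__ == "__main__":
    checks = [
        (SAN_CERT, "mail.example.org"),
        (SAN_CERT, "imap.example.net"),
        (SAN_CERT, "example.net"),
        (SAN_CERT, "192.0.2.10"),
        (CN_ONLY_CERT, "pop.example.com"),
        (CN_ONLY_CERT, "evil.example.com"),
    ]
    for cert, host in checks:
        verdict = "accepted" if cert_matches_host(cert, host) else "rejected"
        print(f"{host:20s} {verdict}")
```

A client that skips this step (the beta7 behaviour the bug describes) will happily complete a TLS handshake with any certificate whose chain verifies, so a certificate issued for some other name is enough to intercept the session; the hostname check is what ties the certificate to the server the user actually configured.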
Revision history for this message
Julien Lavergne (gilir) wrote :

Thanks for your report. I don't think we will be able to update sylpheed in 14.04, however we can include patches from upstream to fix the security issue. I prepared a fixed version, but I don't know how to test it properly. You can find it on https://launchpad.net/~gilir/+archive/updates (currently building).

summary: - Please sync Sylpheed from Debian sid
+ SSL validation problem (or sync Sylpheed from Debian sid)
Revision history for this message
N. W. (nw9165-3201) wrote :

> Julien Lavergne (gilir) wrote on 2014-04-16:
>
> I don't think we will be able to update sylpheed in 14.04

Maybe you want to have a look at this:

http://sylpheed.sraoss.jp/redmine/issues/171

Regards

information type: Public → Public Security
Changed in sylpheed (Ubuntu):
status: New → Incomplete
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Revision history for this message
Julien Lavergne (gilir) wrote :
Changed in sylpheed (Ubuntu):
status: Incomplete → Fix Released
Changed in sylpheed (Ubuntu Trusty):
status: Incomplete → New
description: updated
Julien Lavergne (gilir)
Changed in sylpheed (Ubuntu):
assignee: nobody → Julien Lavergne (gilir)
Revision history for this message
N. W. (nw9165-3201) wrote :

Hello,

> Quote:
>
> [...]
>
> * Actual sylpheed has 2 major issues :
> - Security problem (SSL certificate validation)
> - Losing mail using POP3
>
> [...]

The losing mail issue has not been entirely fixed in Sylpheed 3.4.1.

However, according to Hiroyuki Yamamoto, it has been completely fixed in Sylpheed 3.4.2, which has been released today, see:

http://sylpheed.sraoss.jp/redmine/issues/193
http://sylpheed.sraoss.jp/en/news.html

So, updating to 3.4.1 is not enough. You would have to upgrade to 3.4.2.

Please upgrade to 3.4.2 instead of 3.4.1.

Regards

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello N., or anyone else affected,

Accepted sylpheed into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sylpheed/3.4.1-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sylpheed (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Sebastien Bacher (seb128) wrote :

Could somebody using sylpheed confirm the fix there?

Revision history for this message
Julien Lavergne (gilir) wrote :

As this update should fix a security issue, I would be glad if someone from the security team could check this update, to see if the issue is really fixed.
I also ask for people to help in the testing, to validate the SRU.

Revision history for this message
Ichiro Tamagawa (tama-9) wrote :

This is a copy of an e-mail to Julien, which reports on sylpheed 3.4.1-0ubuntu0.1.
I am a very new user of this site, so please forgive me if you find something inappropriate.

--
Dear Julien,

  I always appreciate you and the other maintainers. Thank you.

 I hope to make some contribution.
 I did the following;
  * I installed sylpheed & sylpheed-plugins 3.4.1-0ubuntu0.1 from trusty-proposed.
  * I checked the mail-losing problem in the following way;
       * set a POP account & set "erase email from server after 0 days" (just after reading)
       * change ~/Mail to unreadable
       * try to read e-mail by POP from the server (of course, error)
       * change ~/Mail back to readable
       * try to read e-mail again, then got the e-mail properly
   So, it seems to work well.

  Last time I met this problem, e-mail was lost under very heavy calculation.
 So the test situation is not perfectly the same, but may be problem, I hope.

 And also, I have kept using your package since June. I did not meet any problem
 until now.

 For the SSL problem, I cannot check it.

 So I just send a reporting e-mail.
 Sorry, that's all I can do now.

 Best regards,
 Ichiro Tamagawa

Revision history for this message
Lyn Perrine (walterorlin) wrote :

I have also made sure that the new package does not break IMAP forwarding to Gmail. I could not reproduce the loss of mail with the new sylpheed. I have set it up using SSL both times and it seemed to work, but I am not really qualified to test the encryption.

Revision history for this message
Bartosz Kosiorek (gang65) wrote :

After install it is working perfectly for me.
The certificate checking is also fixed.

Verification done.

Changed in sylpheed (Ubuntu Trusty):
assignee: nobody → Bartosz Kosiorek (gang65)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sylpheed - 3.4.1-0ubuntu0.1

---------------
sylpheed (3.4.1-0ubuntu0.1) trusty-proposed; urgency=medium

  * New upstream release
   - Fix SSL validation (LP: #1301274).
   - Fix losing mails when local mailbox is inaccessible on POP3 receiving.
 -- Julien Lavergne <email address hidden> Sun, 08 Jun 2014 16:17:18 +0200

Changed in sylpheed (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for sylpheed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
