Sylpheed POP3 Format String Vulnerability

Bug #136302 reported by Adna rim
Affects                        Status        Importance  Assigned to  Milestone
claws-mail (Ubuntu)            Fix Released  Medium      Unassigned
  Dapper                       Invalid       Undecided   Unassigned
  Edgy                         Invalid       Undecided   Unassigned
  Feisty                       Invalid       Undecided   Unassigned
  Gutsy                        Fix Released  Medium      Unassigned
sylpheed (Ubuntu)              Invalid       Medium      Unassigned
  Dapper                       Fix Released  Undecided   Unassigned
  Edgy                         Fix Released  Undecided   Unassigned
  Feisty                       Fix Released  Undecided   Unassigned
  Gutsy                        Invalid       Medium      Unassigned
sylpheed-claws (Ubuntu)        Invalid       Medium      Unassigned
  Dapper                       Fix Released  Undecided   Unassigned
  Edgy                         Fix Released  Undecided   Unassigned
  Feisty                       Fix Released  Undecided   Unassigned
  Gutsy                        Invalid       Medium      Unassigned
sylpheed-claws-gtk2 (Ubuntu)   Invalid       Medium      Unassigned
  Dapper                       Fix Released  Undecided   Unassigned
  Edgy                         Fix Released  Undecided   Unassigned
  Feisty                       Fix Released  Undecided   Unassigned
  Gutsy                        Invalid       Medium      Unassigned

Bug Description

I found this on secunia: http://secunia.com/advisories/26550/

Affected software:
Sylpheed 2.x
Sylpheed-Claws (Claws Mail) 2.x
Sylpheed-Claws 1.x

Description:
Secunia Research has discovered a vulnerability in Sylpheed and Sylpheed-Claws (Claws Mail), which can be exploited by malicious people to compromise a vulnerable system.

A format string error in the "inc_put_error()" function in src/inc.c when displaying a POP3 server's error response can be exploited via specially crafted POP3 server replies containing format specifiers.

Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into connecting to a malicious POP3 server.

A fixed version has been released in the meantime:

Sylpheed 2.4.5 has been released.

This is a security fix release. All users are recommended to upgrade.

http://sylpheed.sraoss.jp/en/news.html
http://sylpheed.sraoss.jp/en/download.html

    * The vulnerability that may be exploited by malicious POP3 server
      was fixed.
      http://secunia.com/advisories/26550/
    * The potential crash bug in address completion was fixed.
    * The signature separator '--' is not joined on line wrapping now.

Could you please upgrade the repos to this fix?

bye

Kees Cook (kees) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. If someone can prepare (and test) the fixes and attach debdiffs that follow the [https://wiki.ubuntu.com/SecurityUpdateProcedures], I'd be more than happy to get them uploaded.

Changed in claws-mail:
importance: Undecided → Medium
status: New → Triaged
Changed in sylpheed:
importance: Undecided → Medium
status: New → Triaged
Changed in sylpheed-claws:
importance: Undecided → Medium
status: New → Triaged
Changed in sylpheed-claws-gtk2:
importance: Undecided → Medium
status: New → Triaged
Adna rim (adnarim) wrote:

Hi,
I could help you with this, but I don't know exactly what you want. Should I download the latest stable Sylpheed and make a Feisty deb package for it? As said, there's no patch for this vuln, just an updated version.

greets

Kees Cook (kees) wrote: Re: [Bug 136302] Re: Sylpheed POP3 Format String Vulnerability

Since we only do minimal changes for stable releases, one would have to
find and extract only the changes needed to fix the problem, and then
build patched versions of the sylpheed packages, with only those
minimal changes.

Adna rim (adnarim) wrote:

Sounds pretty laborious if you are aware that the patch file for this bug (from 2.4.4 to 2.4.5) has around 13000 lines of code that you'd have to look through to make this bugfix. And that's only if there was no other change between 2.3.1 in the repos and 2.4.*, which would make applying this patch totally impossible and would force you to write a totally new one.

While reading the patch file I saw that, next to this POP3 format string vuln, another format string bug in address completion has been patched.

So what alternative do we have here? Leaving a version in the repos which you are totally aware is vulnerable and may lead to arbitrary code execution, or spending 5 min just to take the updated version 2.4.5?

greets

Kees Cook (kees) wrote:

On Wed, Sep 05, 2007 at 05:03:25PM -0000, Adna rim wrote:
> So what alternative we have here? Letting a version in the repos which
> you are totally aware that it is vulnerable and may lead to arbitrary
> code execution or spending 5min just to take the updated version of
> 2.4.5.

Agreed; it is a lot of work. That's what makes an upstream easy to work
with or not for doing security updates. You can also check into SRU[1]
but that requires minimal changes too. Perhaps backports[2], once it is
fixed in Gutsy?

[1] https://wiki.ubuntu.com/StableReleaseUpdates
[2] https://wiki.ubuntu.com/BackportRequestProcess

Adna rim (adnarim) wrote:

I don't understand why you make it that complicated and hard to fix a security vuln?

I installed the updated version now from the sources and it worked without any problems.

Kees Cook (kees) wrote:

On Wed, Sep 05, 2007 at 06:16:09PM -0000, Adna rim wrote:
> I don't understand why you make it that complicated and hard to fix a
> security vuln?

The goal is to make sure we don't have any regressions. A stable
release is just that -- a stable release. The people to really look to
are the upstream. All the other distros are in the same boat as us --
they need a minimal patch too, and upstream is in the best position to
provide it.

Adna rim (adnarim) wrote:

So what to do now? Who will patch this version for Ubuntu? Other distros have already patched this vuln days ago: http://www.linuxsecurity.com/content/view/129095/102/

Kees Cook (kees) wrote:

If other distros have patched it, they likely have found a minimal
patch to do it. If someone is willing to extract that patch, and
prepare the debdiffs, I'll be happy to sponsor the uploads. I don't
currently have the time to track them down and test them myself,
unfortunately.

jcfp (jcfp) wrote:

Looking at claws-mail cvs, the actual fix for just the vulnerability appears very small (1 line only); see http://www.claws-mail.org/cvstrak-gtk2.php?section=projects and more specifically http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153

Unfortunately, I myself really don't have time to prepare new packages any time soon, and certainly not four of them. Adna?

Adna rim (adnarim) wrote:

yamal was right, the bugfix is really simple, just this patch file is so big^^ sorry for that, but I never had to deal with these patch files..

I could track it down in a few minutes. I downloaded the sources of 2.4.4 and 2.4.5 and compared the inc.c where the format string is buried:

$diff sylpheed-2.4.4/src/inc.c sylpheed-2.4.5/src/inc.c
1367c1367
< alertpanel_error(err_msg);
---
> alertpanel_error("%s", err_msg);
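Review bot: the one-line change is the right fix: err_msg, which carries the POP3 server's -ERR text, becomes an argument consumed by the constant "%s" format instead of being the format string itself, so any % sequences the server sends are displayed literally. The same pass should confirm that no other call site hands server-derived text to a printf-style function as its first argument; the g_strdup_printf(p->address) in addr_compl.c mentioned later in this comment is the same pattern, and g_strdup(p->address) is the right replacement there.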

a closer look at the code:
 if (err_msg) {
  alertpanel_error(err_msg);
  g_free(err_msg);
 }
has been changed to
 if (err_msg) {
  alertpanel_error("%s", err_msg);
  g_free(err_msg);
 }

Now I downloaded the sylpheed_2.3.1.orig.tar.gz from http://packages.ubuntu.com/feisty/mail/sylpheed, looked there and found exactly the same mistake in this inc.c. Into err_msg, format strings can be injected and through that code can be executed. The fixed version solves that by formatting the err_msg input first.

So line 1252 in inc.c needs to be changed to: alertpanel_error("%s", err_msg);

But what now? In this repos directory there is also a http://archive.ubuntu.com/ubuntu/pool/universe/s/sylpheed/sylpheed_2.3.1-1~ubuntu1.diff.gz, what should I do with it? And what are debdiffs? So I know how to patch the sourcecode but what should I do now?

I can also fix the crash bug in addr_compl.c. Line 340 needs to be changed from address = g_strdup_printf(p->address); to address = g_strdup(p->address); , but do you want to have this patched at all?

greets
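As an added illustration (not code from this thread or from Sylpheed), the pattern the inc.c diff above fixes, in C: a hypothetical stand-in for alertpanel_error() annotated so that gcc/clang -Wformat -Wformat-security flags a non-literal format call, the corrected "%s" call, and a small triage check that counts printf directives in a server reply. The names alertpanel_error_demo, show_pop3_error_safe and count_format_directives are assumed, and the sample replies are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Demo stand-in for Sylpheed's alertpanel_error(): a printf-style wrapper that
 * renders into a buffer instead of opening a GTK dialog (hypothetical, not the
 * project's code). The format attribute is the cheap detective control: with
 * -Wformat -Wformat-security, gcc and clang warn on every call that passes a
 * non-literal format with no further arguments, i.e. the pre-2.4.5 inc.c call. */
static char last_alert[512];

__attribute__((format(printf, 1, 2)))
static int alertpanel_error_demo(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_alert, sizeof last_alert, fmt, ap);
    va_end(ap);
    return n;
}

/* Post-fix pattern from the diff: err_msg (the server's -ERR text) is an
 * argument consumed by the constant "%s" format, so '%' bytes in it are copied
 * literally and never parsed as directives. Before 2.4.5 the call was
 * alertpanel_error(err_msg), which made the server's bytes the format string
 * itself. Returns the rendered alert text. */
static const char *show_pop3_error_safe(const char *err_msg)
{
    alertpanel_error_demo("%s", err_msg);
    return last_alert;
}

/* Defender-side triage helper: count printf directives in a server reply line.
 * "%%" is a literal percent and does not count. A non-zero result on an -ERR
 * line is a good reason to log and inspect that server, since legitimate
 * error text practically never carries directives. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *benign = "-ERR [IN-USE] mailbox is 100%% full";
    const char *hostile = "-ERR login failed %x %x %n";

    printf("directives in benign reply:  %d\n", count_format_directives(benign));
    printf("directives in hostile reply: %d\n", count_format_directives(hostile));
    printf("rendered safely: %s\n", show_pop3_error_safe(hostile));
    return 0;
}
```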

Changed in sylpheed-claws:
assignee: nobody → norsetto
status: Triaged → In Progress
Cesare Tirabassi (norsetto) wrote:

Patch to fix sylpheed-claws for DAPPER

Cesare Tirabassi (norsetto) wrote:

Patch to fix sylpheed-claws for EDGY

Cesare Tirabassi (norsetto) wrote:

Patch to fix sylpheed-claws for FEISTY

Changed in sylpheed-claws:
assignee: norsetto → nobody
status: In Progress → Confirmed
Adna rim (adnarim) wrote:

Hi Cesare Tirabassi,
could you tell me how you did these *.patch files for claws-mail? Then I will do the patch for sylpheed.

Cesare Tirabassi (norsetto) wrote:

There is no claws-mail for dapper/edgy/feisty

Changed in claws-mail:
status: Triaged → Invalid
Cesare Tirabassi (norsetto) wrote:

Sylpheed is not affected by this vulnerability

Changed in sylpheed:
status: Triaged → Invalid
Adna rim (adnarim) wrote:

Sylpheed is affected by this vulnerability!! To 100%!! The error is in inc.c line 1252, just take a look at it.

Changed in sylpheed:
status: Invalid → Confirmed
Changed in sylpheed-claws-gtk2:
assignee: nobody → norsetto
status: Triaged → In Progress
Cesare Tirabassi (norsetto) wrote:

In sylpheed the function is: alertpanel_error(err_msg);

Do you have a reference that this constitutes a security vulnerability too?
Without reference this cannot be fixed.

Adna rim (adnarim) wrote:

Yes I have many references :D

first reference: my knowledge about format string vulns in general. Putting an unsanitized string into a formatting function can be triggered to execute arbitrary code or reveal memory information, which subverts Ubuntu's VA. Here you can read a good tutorial about it: http://doc.bughunter.net/format-string/exploit-fs.html .
second reference: the secunia advisory telling that it is vulnerable http://secunia.com/advisories/26550/
third reference: the sylpheed author telling that it is vulnerable http://sylpheed.sraoss.jp/en/news.html
fourth reference: the code change by the author in 2.4.5 (which was just a security fix release) in inc.c, sanitizing the input into alertpanel_error by changing the corresponding code into: alertpanel_error("%s", err_msg);

But now I'm a bit afraid: what did you patch in claws, because there the error was exactly the same and you seem not to recognize it or have a clue about it? Are you sure you patched the right code?

Cesare Tirabassi (norsetto) wrote:

Patch to fix sylpheed-claws-gtk2 for DAPPER

Cesare Tirabassi (norsetto) wrote:

(updated, please disregard previous)
Patch to fix sylpheed-claws-gtk2 for DAPPER

Cesare Tirabassi (norsetto) wrote:

Patch to fix sylpheed-claws-gtk2 for EDGY

Cesare Tirabassi (norsetto) wrote:

Patch to fix sylpheed-claws-gtk2 for FEISTY

Cesare Tirabassi (norsetto) wrote:

NOTE:

The above patches:

sylpheed-claws 1.0.5-2ubuntu1 patch (DAPPER)
sylpheed-claws_1.0.5-4build2 patch (EDGY)
sylpheed-claws_1.0.5-5.1ubuntu1 patch (FEISTY)
sylpheed-claws-gtk2_2.1.1-1ubuntu2 patch (DAPPER)
sylpheed-claws-gtk2_2.5.0~rc3-1ubuntu1 patch (EDGY)
sylpheed-claws-gtk2_2.6.0-1.1ubuntu2 patch (FEISTY)

concern the change reported in comment #10 above:

https://bugs.launchpad.net/ubuntu/+source/sylpheed-claws-gtk2/+bug/136302/comments/10

This is the only reliable source reported so far.

Changed in sylpheed-claws-gtk2:
assignee: norsetto → nobody
status: In Progress → Confirmed
Cesare Tirabassi (norsetto) wrote:

There is no mention in your references about the code change. The only valid reference is the one given in comment #10 above, which concerns the function:

alertpanel_error_log

which is used in sylpheed-claws and sylpheed-claws-gtk2

not the function:

alertpanel_error

which is used in sylpheed.

Without a reliable reference (as asked by the security advisor above already) to the code change we cannot proceed.

Changed in sylpheed:
status: Confirmed → Incomplete
Cesare Tirabassi (norsetto) wrote:

Sorry, the above sentence should read: "I cannot proceed".
Of course you or somebody else can still propose the change.

Kees Cook (kees) wrote:

Confirmed, sylpheed has this code too.

Changed in sylpheed:
status: Incomplete → Triaged
Changed in sylpheed-claws:
status: Confirmed → In Progress
Changed in sylpheed-claws-gtk2:
status: Confirmed → In Progress
Adna rim (adnarim) wrote:

Again take a look at the difference between 2.4.4 and 2.4.5, which was just a security fix. The secunia advisory tells that the bug is in inc.c, and if you compare the versions 2.4.4 and 2.4.5 you see:

$diff sylpheed-2.4.4/src/inc.c sylpheed-2.4.5/src/inc.c
1367c1367
< alertpanel_error(err_msg);
---
> alertpanel_error("%s", err_msg);

So the author of sylpheed himself fixed this bug exactly at this location in this way, so I think that's more than a reliable reference, and the error in sylpheed is in alertpanel_error and not alertpanel_error_log.

Kees Cook (kees) wrote:

After discussing on IRC, Cesare is going to respin the patches to include the CVE reference, and to adjust the version numbers to follow the SUP (step 4 of https://wiki.ubuntu.com/SecurityUpdateProcedures). Once those are ready, I'll get them all published.

Changed in claws-mail:
status: New → Invalid
status: New → Invalid
status: New → Invalid
Changed in sylpheed:
status: New → Triaged
status: New → Triaged
status: New → Triaged
Changed in sylpheed-claws:
status: New → In Progress
assignee: nobody → norsetto
Kees Cook (kees)
Changed in sylpheed-claws-gtk2:
assignee: nobody → norsetto
Changed in sylpheed-claws:
status: New → In Progress
status: New → In Progress
Changed in sylpheed-claws-gtk2:
status: New → In Progress
status: New → In Progress
status: New → In Progress
Adna rim (adnarim) wrote:

Could you please point me to any tutorial, paper or something like that on how I can make a patch which will be accepted by you? https://wiki.ubuntu.com/SecurityUpdateProcedures gives no information about that... It says what information needs to be contained but not a word on how it should be gathered.

Kees Cook (kees) wrote:

Sure, though it requires a good bit of study, especially managing the in-package patching system. (See "Patching Ubuntu packages"[1] as well as all of "Packaging"[2] in https://wiki.ubuntu.com/UbuntuDevelopment ) I will add links from the SUP page -- good idea!

[1] https://wiki.ubuntu.com/MOTU/School/PatchingSources
[2] https://wiki.ubuntu.com/UbuntuDevelopment#head-86b3c262f4e4b222c867211cb06bb46523c7cc6f

Adna rim (adnarim) wrote:

Thank you, I'll work through them tomorrow, it's pretty late now... Just one last question: I gave [1] a short look now and there are many different patching terms introduced. Which one do you want?

jcfp (jcfp) wrote:

Regarding claws-mail: it is affected but exists only in gutsy. Debian already has 3.0.0-1 packaged which includes the fix for this bug.

Cesare Tirabassi (norsetto) wrote:

Attached here below are the 9 patches; they include the CVE reference and a version number in conformity with the SUP.

Patches for sylpheed-claws and sylpheed-claws-gtk2 change:

alertpanel_error_log(err_msg);

to

alertpanel_error_log("%s", err_msg);

Patches for sylpheed change:

alertpanel_error(err_msg);

to

alertpanel_error("%s", err_msg);

NOTE: there is a bug in cdbs_edit_patch (see bug 137827) which may prevent the correct application of the sylpheed patches in a gutsy environment.

Kees Cook (kees)
Changed in claws-mail:
status: Invalid → Confirmed
Changed in sylpheed:
status: Triaged → Confirmed
status: Triaged → Confirmed
status: Triaged → Confirmed
status: Triaged → Confirmed
Changed in sylpheed-claws:
status: In Progress → Confirmed
assignee: norsetto → nobody
status: In Progress → Confirmed
status: In Progress → Confirmed
status: In Progress → Confirmed
Changed in sylpheed-claws-gtk2:
assignee: norsetto → nobody
status: In Progress → Confirmed
status: In Progress → Confirmed
status: In Progress → Confirmed
status: In Progress → Confirmed
Cesare Tirabassi (norsetto) wrote:

And finally the patch for Gutsy (not a security patch).

Changed in sylpheed:
status: Confirmed → Invalid
Changed in sylpheed-claws:
status: Confirmed → Invalid
Changed in sylpheed-claws-gtk2:
status: Confirmed → Invalid
Cesare Tirabassi (norsetto) wrote:

claws-mail (2.10.0-3ubuntu3) gutsy; urgency=low

  * Fix format string error that could lead to arbitrary
    code execution (CVE-2007-2958):
    - add debian/patches/12SecurityFixSA26550.patch (LP: #136302)

 -- Cesare Tirabassi <email address hidden> Fri, 07 Sep 2007 00:20:47 +0200

Changed in claws-mail:
status: Confirmed → Fix Released
Cesare Tirabassi (norsetto) wrote:

sylpheed-claws-gtk2 (2.6.0-1.1ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: a format string error could lead to arbitrary
    code execution.
  * Add 'debian/patches/13security_2.10.0cvs153.dpatch': add format string to
    alertpanel_error_log() call. Patch from upstream CVS. (Fixes LP: #136302)
  * References
    http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153&view=src/inc.c
    CVE-2007-2958

 -- Cesare Tirabassi <email address hidden> Thu, 06 Sep 2007 18:09:23 +0200

Changed in sylpheed-claws-gtk2:
status: Confirmed → Fix Released
Cesare Tirabassi (norsetto) wrote:

sylpheed-claws (1.0.5-5.1ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: a format string error could lead to arbitrary
    code execution.
  * Add 'debian/patches/14security_2.10.0cvs153.patch': add format string to
    alertpanel_error_log() call. Patch from upstream CVS. (Fixes LP: #136302)
  * References
    http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153&view=src/inc.c
    CVE-2007-2958

 -- Cesare Tirabassi <email address hidden> Thu, 06 Sep 2007 15:27:50 +0200

Changed in sylpheed-claws:
status: Confirmed → Fix Released
Cesare Tirabassi (norsetto) wrote:

sylpheed (2.3.1-1~ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: a format string error could lead to arbitrary
    code execution.
  * Add 'debian/patches/06SecurityFixSA26550.diff': add format string to
    alertpanel_error() call. Patch from upstream CVS. (Fixes LP: #136302)
  * References
    http://secunia.com/advisories/26550/
    CVE-2007-2958

 -- Cesare Tirabassi <email address hidden> Thu, 06 Sep 2007 15:27:50 +0200

Changed in sylpheed:
status: Confirmed → Fix Released
Kees Cook (kees)
Changed in sylpheed-claws-gtk2:
status: Confirmed → Fix Released
status: Confirmed → Fix Released
Changed in sylpheed:
status: Confirmed → Fix Released
status: Confirmed → Fix Released
Changed in sylpheed-claws:
status: Confirmed → Fix Released
status: Invalid → Triaged
status: Confirmed → Fix Released
Changed in sylpheed-claws:
status: Triaged → Invalid
Changed in sylpheed:
assignee: nobody → norsetto
status: Invalid → In Progress
Cesare Tirabassi (norsetto) wrote:

Sylpheed 2.4.5-1 already contains the fix.
Sylpheed-claws will be removed from the gutsy archive (obsolete).

Changed in sylpheed:
assignee: norsetto → nobody
status: In Progress → Invalid