Comment 11 for bug 136302

Adna rim (adnarim) wrote :

yamal was right, the bugfix is really simple, just this patch file is so big^^ sorry for that, but I never had to deal with these patch files..

I could track it down in a few minutes. I downloaded the sources of 2.4.4 and 2.4.5 and compared the inc.c where the format string is buried:

$diff sylpheed-2.4.4/src/inc.c sylpheed-2.4.5/src/inc.c
1367c1367
< alertpanel_error(err_msg);
---
> alertpanel_error("%s", err_msg);
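Review bot: the change has the right shape: err_msg is data, not a format, so it must be passed behind a fixed "%s" directive rather than as the first argument. The g_strdup_printf(p->address) call in addr_compl.c mentioned further down is the same class of defect, since g_strdup_printf also treats its first argument as a printf-style format, so switching it to g_strdup is worth doing for the same reason, not only for the crash.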

a closer look at the code:
 if (err_msg) {
  alertpanel_error(err_msg);
  g_free(err_msg);
 }
has been changed to
 if (err_msg) {
  alertpanel_error("%s", err_msg);
  g_free(err_msg);
 }

Now I downloaded the sylpheed_2.3.1.orig.tar.gz from here: http://packages.ubuntu.com/feisty/mail/sylpheed and looked there and found exactly the same mistake in this inc.c. Into err_msg, format strings can be injected and through that code can be executed. The fixed version solves that by formatting the err_msg input before.

So line 1252 in inc.c needs to be changed to: alertpanel_error("%s", err_msg);

But what now? In this repo's directory there is also a http://archive.ubuntu.com/ubuntu/pool/universe/s/sylpheed/sylpheed_2.3.1-1~ubuntu1.diff.gz, what should I do with it? And what are debdiffs? So I know how to patch the source code, but what should I do now?

I can also fix the crash bug in addr_compl.c. Line 340 needs to be changed from address = g_strdup_printf(p->address); to address = g_strdup(p->address); , but do you at all want to have this patched?

greets
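To make the difference between the two alertpanel_error calls concrete, here is an added C example that is not part of the bug report or of sylpheed: fmt_dup is a hypothetical stand-in for g_strdup_printf/alertpanel_error, report_unsafe mirrors the 2.3.1/2.4.4 call, report_safe the 2.4.5 call, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for g_strdup_printf()/alertpanel_error():
 * treats its first argument as a printf-style format and returns a
 * heap-allocated copy of the result (caller frees). */
static char *fmt_dup(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);   /* measure first */
    va_end(ap);
    if (n < 0) { va_end(ap2); return NULL; }
    char *buf = malloc((size_t)n + 1);
    if (buf) vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* Old pattern: the message itself becomes the format string, so any
 * '%' directive inside it is interpreted by the formatter. */
char *report_unsafe(const char *err_msg) { return fmt_dup(err_msg); }

/* Fixed pattern: the message is only an argument to a fixed "%s" format
 * and is copied through verbatim. */
char *report_safe(const char *err_msg) { return fmt_dup("%s", err_msg); }

/* Audit helper: flags messages that carry a '%' a formatter would act on,
 * handy when reviewing what reaches printf-style APIs. */
int has_format_directive(const char *s) { return strchr(s, '%') != NULL; }

int main(void)
{
    /* Constructed sample. Only "%%" is used so the unsafe path stays defined
     * behaviour in this demo; a real server reply could carry any directive. */
    const char *msg = "Mailbox is 100%% full";
    char *u = report_unsafe(msg), *s = report_safe(msg);
    printf("unsafe: %s\nsafe:   %s\n", u, s);
    free(u);
    free(s);
    return 0;
}
```

The unsafe path rewrites the text ("100% full"), proving the message was parsed as a format, while the safe path leaves it untouched.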