Debian DLA-383-1 : claws-mail security update

high Nessus Plugin ID 87884

Synopsis

The remote Debian host is missing a security update.

Description

'DrWhax' of the Tails project reported that Claws Mail is missing range checks in some text conversion functions. A remote attacker could exploit this to run arbitrary code under the account of a user that receives a message from them using Claws Mail.

CVE-2015-8614

There were no checks on the output length for conversions between JIS (ISO-2022-JP) and EUC-JP, between JIS and UTF-8, and from Shift_JIS to EUC-JP.

CVE-2015-8708

The original fix for CVE-2015-8614 was incomplete.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 3.7.6-4+squeeze2.

For the oldstable distribution (wheezy) and the stable distribution (jessie), this will be fixed soon. These versions were built with hardening features that make this issue harder to exploit.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected claws-mail package.

See Also

https://lists.debian.org/debian-lts-announce/2016/01/msg00007.html

Plugin Details

Severity: High

ID: 87884

File Name: debian_DLA-383.nasl

Version: 1.11

Type: local

Agent: unix

Published: 1/13/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:claws-mail, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/12/2016

Reference Information

CVE: CVE-2015-8614, CVE-2015-8708