yamal was right, the bugfix is really simple, just this patch file is so big ^^ sorry for that, but I never had anything to do with these patch files..
I could track it down in a few minutes. I downloaded the sources of 2.4.4 and 2.4.5 and compared the inc.c where the format string is buried:
$ diff sylpheed-2.4.4/src/inc.c sylpheed-2.4.5/src/inc.c
1367c1367
<     alertpanel_error(err_msg);
---
>     alertpanel_error("%s", err_msg);
A brighter look at the code:
if (err_msg) {
    alertpanel_error(err_msg);
    g_free(err_msg);
}
has been changed to
if (err_msg) {
    alertpanel_error("%s", err_msg);
    g_free(err_msg);
}
Now I downloaded the sylpheed_2.3.1.orig.tar.gz from here: http://packages.ubuntu.com/feisty/mail/sylpheed, looked there and found exactly the same mistake in this inc.c. Into err_msg, format strings can be injected, and through that code can be executed. The fixed version solves that by formatting the err_msg input before.
So line 1252 in inc.c needs to be changed to: alertpanel_error("%s", err_msg);
But what now? In this repos directory there is also a http://archive.ubuntu.com/ubuntu/pool/universe/s/sylpheed/sylpheed_2.3.1-1~ubuntu1.diff.gz, what should I do with it? And what are debdiffs? So I know how to patch the source code, but what should I do now?
I can also fix the crash bug in addr_compl.c. Line 340 needs to be changed from address = g_strdup_printf(p->address); to address = g_strdup(p->address); , but do you at all want to have this patched?
greets
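The defect the diff above fixes, as an added example in C that is not Sylpheed's code: a printf-style stand-in for alertpanel_error() shows why a message received from a mail server must be passed as an argument to a constant "%s" format rather than used as the format string itself. The names render_alert, show_error_unsafe, show_error_safe and the sample message are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for Sylpheed's alertpanel_error(): a printf-style function
 * that renders into a buffer instead of opening a dialog. The format attribute
 * lets gcc/clang -Wformat-security warn on the unsafe call below. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static void render_alert(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Pre-2.4.5 inc.c pattern: the server-supplied message IS the format string,
 * so every '%' directive inside it is interpreted by the formatter. */
static const char *show_error_unsafe(const char *err_msg)
{
    static char buf[128];
    render_alert(buf, sizeof buf, err_msg);   /* -Wformat-security warns here */
    return buf;
}

/* 2.4.5 fix: constant format, the message is only ever copied verbatim.
 * The addr_compl.c change g_strdup_printf(p->address) -> g_strdup(p->address)
 * removes the same defect. */
static const char *show_error_safe(const char *err_msg)
{
    static char buf[128];
    render_alert(buf, sizeof buf, "%s", err_msg);
    return buf;
}

/* Constructed sample message. "%%" is the one directive that is harmless to
 * let the formatter see, and it is enough to show that the text is parsed. */
static const char *SAMPLE_MSG = "Mailbox 100%% full";

int main(void)
{
    printf("unsafe: %s\n", show_error_unsafe(SAMPLE_MSG)); /* Mailbox 100% full */
    printf("safe:   %s\n", show_error_safe(SAMPLE_MSG));   /* Mailbox 100%% full */
    return 0;
}
```

Building with gcc -Wformat-security reports the unsafe call as "format not a string literal and no format arguments", which is the quickest way to find every remaining instance of this pattern in a tree like inc.c or addr_compl.c.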