Ubuntu
sympa package

[CVE-2008-1648] denial of service via crafted Content-Type header

  1. Dapper (6.06)
  2. Bug #216591
Bug #216591 reported by William Grant
256
Affects Status Importance Assigned to Milestone
sympa (Debian)
Fix Released
Unknown
sympa (Ubuntu)
Fix Released
High
Emanuele Gentili
Dapper
Won't Fix
Undecided
Unassigned
Edgy
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Fix Released
Medium
Emanuele Gentili
Hardy
Fix Released
High
Emanuele Gentili

Bug Description

Binary package hint: sympa

It's likely that all releases are affected.

CVE-2008-1648:
"Sympa before 5.4 allows remote attackers to cause a denial of service (daemon crash) via an e-mail message with a malformed value of the Content-Type header and unspecified other headers. NOTE: some of these details are obtained from third party information."

William Grant (wgrant)
Changed in sympa:
importance: Undecided → High
status: New → Confirmed
status: New → Confirmed
William Grant (wgrant)
Changed in sympa:
status: New → Confirmed
Revision history for this message
Emanuele Gentili (emgent) wrote :
Changed in sympa:
assignee: nobody → emgent
status: Confirmed → In Progress
Revision history for this message
Emanuele Gentili (emgent) wrote :

ubuntu-universe-sponsor subscribed for hardy upload.

Revision history for this message
Emanuele Gentili (emgent) wrote :
Changed in sympa:
assignee: nobody → emgent
importance: Undecided → Medium
status: Confirmed → In Progress
Revision history for this message
Scott Kitterman (kitterman) wrote :

motu-release ack for Hardy.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sympa - 5.3.4-2ubuntu2

---------------
sympa (5.3.4-2ubuntu2) hardy; urgency=low

  * SECURITY UPDATE: (LP: #216591)
   + fixed src/PlainDigest.pm inline
    - Sympa before 5.4 allows remote attackers to cause a denial of
      service (daemon crash) via an e-mail message with a malformed
      value of the Content-Type header and unspecified other headers.
      NOTE: some of these details are obtained from third party
      information.
  * References
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1648
   + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475163

 -- Emanuele Gentili <email address hidden> Mon, 14 Apr 2008 08:44:38 +0200

Changed in sympa:
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in sympa:
status: Unknown → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in sympa:
status: New → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the gutsy debdiff! Can you post your testing for gutsy? Once that is done I can push these out.

Revision history for this message
Emanuele Gentili (emgent) wrote :

Fix synced by debian.

POC available here:
http://sourcesup.cru.fr/tracker/?func=detail&group_id=23&aid=3702&atid=167

Tested on gutsy x86.

Jamie Strandboge (jdstrand)
Changed in sympa:
status: In Progress → Fix Released
Revision history for this message
LumpyCustard (orangelumpycustard) wrote :

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Daniel T Chen (crimsun)
Changed in sympa:
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in sympa (Ubuntu Dapper):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.