Arch Linux: ASA-201512-13 High: Claws Mail Remote Code Execution

Arch Linux Security Advisory ASA-201512-13
=========================================
Severity: High
Date    : 2015-12-22
CVE-ID  : CVE-2015-8614
Package : claws-mail
Type    : buffer overflow
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package claws-mail before version 3.13.1-1 is vulnerable to a
remotely triggerable buffer overflow.

Resolution
=========
Upgrade to 3.13.1-1.

# pacman -Syu "claws-mail>=3.13.1-1"

The problem has been fixed upstream in version 3.13.1.

Workaround
=========
None.

Description
==========
A remotely triggerable buffer overflow has been found in the code of
claws-mail handling character conversion, in functions conv_jistoeuc(),
 conv_euctojis() and conv_sjistoeuc(), in codeconv.c.
There was no bounds checking on buffers passed to these functions, some
stack-based but other potentially heap-based.
This issue has been located in the wild and might currently be exploited.

Impact
=====
A remote attacker might be able to execute arbitrary code on the
affected host by sending a crafted e-mail to a clasw-mail user.

References
=========
https://access.redhat.com/security/cve/CVE-2015-8614