Bug#690277: unblock: claws-mail/3.8.1-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package claws-mail
This upload fixes CVE-2012-4507 (bug #690151) and includes
backported patches for 3 segfaults discovered after the 3.8.1
release. The debdiff is attached.
thanks in advance,
unblock claws-mail/3.8.1-2
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru claws-mail-3.8.1/debian/changelog claws-mail-3.8.1/debian/changelog
--- claws-mail-3.8.1/debian/changelog 2012-06-28 01:28:06.000000000 +0200
+++ claws-mail-3.8.1/debian/changelog 2012-10-12 00:13:21.000000000 +0200
@@ -1,3 +1,16 @@
+claws-mail (3.8.1-2) unstable; urgency=medium
+
+ * patches/99_fix_CVE-2012-4507.patch
+ - Added fix for CVE-2012-4507 from 3.8.1cvs82 (Closes: #690151),
+ raised urgency because of grave bug
+ * patches/98_fix_segfault_no_utf_gpgme_strerror.patch,
+ patches/97_fix_segfault_parse_parameters.patch,
+ patches/96_fix_segfault_viewing_signature_info.patch
+ - Backported patches from upstream CVS fixing segfaults discovered
+ after 3.8.1 release
+
+ -- Ricardo Mones <mones@debian.org> Fri, 12 Oct 2012 00:04:03 +0200
+
claws-mail (3.8.1-1) unstable; urgency=low
* New upstream release
diff -Nru claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch
--- claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,17 @@
+Subject: fix segfault viewing PGP/SMIME signature information
+From: Ricardo Mones <ricardo@mones.org>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2689
+Applied-Upstream: 3.8.1cvs12
+
+diff -purN claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c
+--- claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c 2012-06-27 11:05:23.000000000 +0200
++++ claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c 2012-10-11 23:34:46.000000000 +0200
+@@ -326,7 +326,7 @@ gchar *sgpgme_sigstat_info_full(gpgme_ct
+ j++;
+ user = user->next;
+ }
+- g_string_append_printf(siginfo,
++ g_string_append(siginfo,
+ _("Primary key fingerprint:"));
+ const char* primary_fpr = NULL;
+ if (key && key->subkeys && key->subkeys->fpr)
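Review bot: The patch header gives no root cause, and the cause matters when auditing similar calls. The removed `g_string_append_printf(siginfo, _("Primary key fingerprint:"))` passed a translated string as the format with no arguments, so presumably a `%` conversion in some translation made the formatter read an argument that was never supplied. I would add a header line such as `Description: translated string was used as a printf format; append it verbatim instead`. Other calls in sgpgme.c that pass `_()` output as the format argument deserve the same check; they are outside this hunk, as is the rest of sgpgme_sigstat_info_full().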
diff -Nru claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch
--- claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,17 @@
+Subject: fix segfault in parse_parameters() for some attachments
+From: Mikhail Efremov <mikhefr@gmail.com>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2697
+Applied-Upstream: 3.8.1cvs15
+
+diff -purN claws-mail-3.8.1.orig/src/procmime.c claws-mail-3.8.1/src/procmime.c
+--- claws-mail-3.8.1.orig/src/procmime.c 2012-06-27 11:05:22.000000000 +0200
++++ claws-mail-3.8.1/src/procmime.c 2012-10-11 23:15:23.000000000 +0200
+@@ -1704,7 +1704,7 @@ static void parse_parameters(const gchar
+ (g_slist_find_custom(concatlist, down_attr, g_strcmp0) == NULL))
+ concatlist = g_slist_prepend(concatlist, g_strdup(tmpattr));
+
+- if (convert && (g_slist_find_custom(convlist, down_attr, g_strcmp0) == NULL))
++ if (convert && (g_slist_find_custom(convlist, tmpattr, g_strcmp0) == NULL))
+ convlist = g_slist_prepend(convlist, g_strdup(tmpattr));
+
+ g_free(tmpattr);
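Review bot: The `concatlist` test in the context line just above still searches with `down_attr` while the list stores `g_strdup(tmpattr)`, which is the same key mismatch this change removes for `convlist`. If `tmpattr` is a modified copy of `down_attr` (its setup is outside the hunk), that lookup may never match and duplicate entries may be prepended. Consider `g_slist_find_custom(concatlist, tmpattr, g_strcmp0) == NULL` there as well, or add a comment explaining why the two lists are keyed differently. parse_parameters() begins and ends outside this hunk.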
diff -Nru claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch
--- claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,47 @@
+Subject: fix segfault when gpgme_strerror() returns a non UTF-8 string
+From: Colin Leroy <colin@colino.net>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2650
+Applied-Upstream: 3.8.1cvs41
+
+diff -purN claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c
+--- claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c 2012-06-27 11:05:23.000000000 +0200
++++ claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c 2012-10-11 23:04:52.000000000 +0200
+@@ -610,13 +610,36 @@ bail:
+
+ void sgpgme_init()
+ {
++ gchar *ctype_locale = NULL, *messages_locale = NULL;
++ gchar *ctype_utf8_locale = NULL, *messages_utf8_locale = NULL;
++
+ gpgme_engine_info_t engineInfo;
+ if (gpgme_check_version("1.0.0")) {
+ #ifdef LC_CTYPE
+- gpgme_set_locale(NULL, LC_CTYPE, setlocale(LC_CTYPE, NULL));
++ ctype_locale = g_strdup(setlocale(LC_CTYPE, NULL));
++ if (strchr(ctype_locale, '.'))
++ *(strchr(ctype_locale, '.')) = '\0';
++ else if (strchr(ctype_locale, '@'))
++ *(strchr(ctype_locale, '@')) = '\0';
++ ctype_utf8_locale = g_strconcat(ctype_locale, ".UTF-8", NULL);
++
++ gpgme_set_locale(NULL, LC_CTYPE, ctype_utf8_locale);
++
++ g_free(ctype_utf8_locale);
++ g_free(ctype_locale);
+ #endif
+ #ifdef LC_MESSAGES
+- gpgme_set_locale(NULL, LC_MESSAGES, setlocale(LC_MESSAGES, NULL));
++ messages_locale = g_strdup(setlocale(LC_MESSAGES, NULL));
++ if (strchr(messages_locale, '.'))
++ *(strchr(messages_locale, '.')) = '\0';
++ else if (strchr(messages_locale, '@'))
++ *(strchr(messages_locale, '@')) = '\0';
++ messages_utf8_locale = g_strconcat(messages_locale, ".UTF-8", NULL);
++
++ gpgme_set_locale(NULL, LC_MESSAGES, messages_utf8_locale);
++
++ g_free(messages_utf8_locale);
++ g_free(messages_locale);
+ #endif
+ if (!gpgme_get_engine_info(&engineInfo)) {
+ while (engineInfo) {
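Review bot: The result of `setlocale(LC_CTYPE, NULL)` and `setlocale(LC_MESSAGES, NULL)` is passed through `g_strdup()` straight into `strchr()` with no NULL check. setlocale() is documented to return NULL when a request cannot be honoured, and `g_strdup(NULL)` returns NULL, so a fix for one segfault can itself crash in sgpgme_init(). The two `#ifdef` branches are also the same eight lines twice, and each calls `strchr()` twice for the same character. A small static helper that returns NULL for NULL input removes both problems, as sketched below. Separately, for a `C` or `POSIX` locale this produces `C.UTF-8`/`POSIX.UTF-8`, which may not exist on every system, so a short comment on that case would help. The function continues past the end of the hunk.

```c
/* Return a newly allocated "<locale without codeset/modifier>.UTF-8",
 * or NULL when loc is NULL. Caller frees with g_free(). */
static gchar *sgpgme_utf8_locale(const char *loc)
{
	gchar *base, *sep, *utf8;

	if (loc == NULL)
		return NULL;

	base = g_strdup(loc);
	sep = strchr(base, '.');
	if (sep == NULL)
		sep = strchr(base, '@');
	if (sep != NULL)
		*sep = '\0';

	utf8 = g_strconcat(base, ".UTF-8", NULL);
	g_free(base);
	return utf8;
}

/* … unchanged: sgpgme_init() opening, gpgme_check_version() test … */
#ifdef LC_CTYPE
		ctype_utf8_locale = sgpgme_utf8_locale(setlocale(LC_CTYPE, NULL));
		if (ctype_utf8_locale != NULL)
			gpgme_set_locale(NULL, LC_CTYPE, ctype_utf8_locale);
		g_free(ctype_utf8_locale);
#endif
#ifdef LC_MESSAGES
		messages_utf8_locale = sgpgme_utf8_locale(setlocale(LC_MESSAGES, NULL));
		if (messages_utf8_locale != NULL)
			gpgme_set_locale(NULL, LC_MESSAGES, messages_utf8_locale);
		g_free(messages_utf8_locale);
#endif
/* … unchanged: gpgme_get_engine_info() loop … */
```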
diff -Nru claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch
--- claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,19 @@
+Subject: fix for CVE-2012-4507
+From: Michael Schwendt <mschwendt@gmail.com>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2743
+Bug-RedHat: https://bugzilla.redhat.com/862578
+Bug-Debian: http://bugs.debian.org/690151
+Applied-Upstream: 3.8.1cvs82
+
+diff -purN claws-mail-3.8.1.orig/src/procmime.c claws-mail-3.8.1/src/procmime.c
+--- claws-mail-3.8.1.orig/src/procmime.c 2012-06-27 11:05:22.000000000 +0200
++++ claws-mail-3.8.1/src/procmime.c 2012-10-11 18:40:13.000000000 +0200
+@@ -1753,6 +1753,8 @@ static void parse_parameters(const gchar
+ continue;
+
+ charset = value;
++ if (charset == NULL)
++ continue;
+ lang = strchr(charset, '\'');
+ if (lang == NULL)
+ continue;
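Review bot: The new `if (charset == NULL) continue;` carries no comment saying how `value` can be NULL at this point. That fact is what makes this a CVE: the function parses header parameters, so the input presumably comes from message content. A one-line comment such as `/* no value for this attribute: skip it rather than pass NULL to strchr() */` would keep the guard from being removed in a later cleanup. The assignment of `value` and the rest of parse_parameters() are outside this hunk, so whether other uses of `value` in the loop need the same guard cannot be confirmed from here.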
diff -Nru claws-mail-3.8.1/debian/patches/series claws-mail-3.8.1/debian/patches/series
--- claws-mail-3.8.1/debian/patches/series 2012-06-28 01:28:06.000000000 +0200
+++ claws-mail-3.8.1/debian/patches/series 2012-10-12 00:13:21.000000000 +0200
@@ -1,2 +1,6 @@
11mark_trashed_as_read.patch
12fix_manpage_header.patch
+96_fix_segfault_viewing_signature_info.patch
+97_fix_segfault_parse_parameters.patch
+98_fix_segfault_no_utf_gpgme_strerror.patch
+99_fix_CVE-2012-4507.patch