
Bug#693538: unblock: claws-mail-extra-plugins/3.8.1-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package claws-mail-extra-plugins

Includes only a new patch to address security bug #693391 (credentials
exposed on interface), from the upstream fix. Debdiff attached.

Thanks in advance,

unblock claws-mail-extra-plugins/3.8.1-2

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru claws-mail-extra-plugins-3.8.1/debian/changelog claws-mail-extra-plugins-3.8.1/debian/changelog
--- claws-mail-extra-plugins-3.8.1/debian/changelog	2012-06-28 13:47:40.000000000 +0200
+++ claws-mail-extra-plugins-3.8.1/debian/changelog	2012-11-17 18:42:26.000000000 +0100
@@ -1,3 +1,12 @@
+claws-mail-extra-plugins (3.8.1-2) unstable; urgency=medium
+
+  * debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch
+  - Added patch to fix CVE-2012-5527: credentials exposed on
+    interface (Closes: #693391)
+  - Urgency set to medium because of security bug
+
+ -- Ricardo Mones <mones@debian.org>  Sat, 17 Nov 2012 18:22:23 +0100
+
 claws-mail-extra-plugins (3.8.1-1) unstable; urgency=low
 
   * New upstream release
diff -Nru claws-mail-extra-plugins-3.8.1/debian/patches/series claws-mail-extra-plugins-3.8.1/debian/patches/series
--- claws-mail-extra-plugins-3.8.1/debian/patches/series	2012-06-28 13:47:40.000000000 +0200
+++ claws-mail-extra-plugins-3.8.1/debian/patches/series	2012-11-17 18:42:26.000000000 +0100
@@ -1,3 +1,4 @@
 python-plugin00dont-dlopen-symlink.patch
 multi-notifier00allow-libindicate-0.7.patch
 archiver-plugin00format-security.patch
+vcalendar-plugin00fix-CVE-2012-5527.patch
diff -Nru claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch
--- claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch	1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch	2012-11-17 18:42:26.000000000 +0100
@@ -0,0 +1,118 @@
+Subject: fix CVE-2012-5527: credentials exposed on interface
+Author: Colin Leroy <colin@colino.net>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
+Bug-Debian: http://bugs.debian.org/693391
+Applied-Upstream: 2.0.14cvs3
+
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.c claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.c
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.c	2011-11-16 06:41:53.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.c	2012-11-17 18:10:24.000000000 +0100
+@@ -1609,7 +1609,7 @@
+ 	return GINT_TO_POINTER(0);
+ }
+ 
+-gchar *vcal_curl_read(const char *url, gboolean verbose, 
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose, 
+ 	void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error))
+ {
+ 	gchar *result;
+@@ -1618,25 +1618,19 @@
+ 	pthread_t pt;
+ 	pthread_attr_t pta;
+ #endif
+-	gchar *msg;
+ 	void *res;
+ 	gboolean killed;
+ 	gchar *error = NULL;
+ 	result = NULL;
+ 	td = g_new0(thread_data, 1);
+-	msg = NULL;
+ 	res = NULL;
+ 	killed = FALSE;
+-	
++
+ 	td->url  = url;
+ 	td->result  = NULL;
+ 	td->done = FALSE;
+-	
+-	msg = g_strdup_printf(_("Fetching '%s'..."), url);
+-	
+-	STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg);
+-	
+-	g_free(msg);
++
++	STATUSBAR_PUSH(mainwindow_get_mainwindow(), label);
+ 
+ #ifdef USE_PTHREAD
+ 	if (pthread_attr_init(&pta) != 0 ||
+@@ -1868,7 +1862,8 @@
+ static void update_subscription(const gchar *uri, gboolean verbose)
+ {
+ 	FolderItem *item = get_folder_item_for_uri(uri);
+-	
++	gchar *label;
++
+ 	if (prefs_common_get_prefs()->work_offline) {
+ 		if (!verbose || 
+ 		!inc_offline_should_override(TRUE,
+@@ -1882,7 +1877,11 @@
+ 			return;
+ 	}
+ 	main_window_cursor_wait(mainwindow_get_mainwindow());
+-	vcal_curl_read(uri, verbose, update_subscription_finish);
++
++	label = g_strdup_printf(_("Fetching calendar for %s..."), 
++			item && item->name ? item->name : _("new subscription"));
++	vcal_curl_read(uri, label, verbose, update_subscription_finish);
++	g_free(label);
+ }
+ 
+ static void check_subs_cb(GtkAction *action, gpointer data)
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.h claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.h
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.h	2011-11-16 06:41:53.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.h	2012-11-17 18:10:24.000000000 +0100
+@@ -36,7 +36,7 @@
+ void vcal_folder_export(Folder *folder);
+ 
+ gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass);
+-gchar *vcal_curl_read(const char *url, gboolean verbose, 
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose, 
+ 	void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar
+ 		*error));
+ gchar* get_item_event_list_for_date(FolderItem *item, EventTime date);
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_meeting_gtk.c claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_meeting_gtk.c
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_meeting_gtk.c	2011-10-30 22:24:29.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_meeting_gtk.c	2012-11-17 18:10:24.000000000 +0100
+@@ -1085,7 +1085,7 @@
+ 
+ 		if (!local_only) {
+ 			remail = g_strdup(email);
+-			g_free(email);
++
+ 			extract_address(remail);
+ 			if (strrchr(remail, ' '))
+ 				user = g_strdup(strrchr(remail, ' ')+1);
+@@ -1125,17 +1125,22 @@
+ 			&& strncmp(tmp, "ftp://";, 6))
+ 				contents = file_read_to_str(tmp);
+ 			else {
++				gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email);
+ 				if (!strncmp(tmp, "webcal://", 9)) {
+ 					gchar *tmp2 = g_strdup_printf("http://%s";, tmp+9);
+ 					g_free(tmp);
+ 					tmp = tmp2;
+ 				}
+-				contents = vcal_curl_read(tmp, FALSE, NULL);
++				contents = vcal_curl_read(tmp, label, FALSE, NULL);
++				g_free(label);
+ 			}
+ 		} else {
+ 			contents = NULL;
+ 		}
++
++		g_free(email);
+ 		g_free(tmp);
++
+ 		if (contents == NULL) {
+ 			uncertain = TRUE;
+ 			att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed"));
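Review bot: `vcal_curl_read()` now shows `label` in the status bar, but `url` (which may embed `user:password@`) is still stored in `td->url` and is still a parameter of `callback`, so any error dialog or debug print that formats it would expose the same credentials; those paths are outside these hunks and should be checked. A comment on the prototype in `vcal_folder.h` would make the contract explicit, e.g. `/* label is the only text shown to the user; url may embed credentials and must never be displayed or logged */`. In `vcal_meeting_gtk.c` the `g_free(email)` moves out of the `!local_only` branch and now runs on both paths, so confirm the local-only path does not free `email` again later in the loop body, which continues past the hunk. The `";` after the `"ftp://"` and `"http://%s"` literals looks like a list-archive rendering artifact, so the patch as displayed here would not apply or compile and should be taken from the original attachment.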
