
Stable upload request - Fw: Bug#690151: claws-mail: CVE-2012-4507



  Hi release team,

  As requested by Jonathan, I've prepared an upload with the minimal changes
required for fixing this, debdiff attached.

  IIRC this is the first time I'm going to upload something to stable, so,
before uploading, any hints on missing bits or common pitfalls awaiting would
be greatly appreciated.

  Thanks in advance,

------- Begin forwarded message:

Date: Thu, 17 Jan 2013 11:42:13 -0000
From: Jonathan Wiltshire <jmw@debian.org>
To: 690151@bugs.debian.org
Subject: Bug#690151: claws-mail: CVE-2012-4507


Package: claws-mail

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/690151/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51


------- End forwarded message.

-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Alimony and bribes will engage a large share of your wealth.»
diff -Nru claws-mail-3.7.6/debian/changelog claws-mail-3.7.6/debian/changelog
--- claws-mail-3.7.6/debian/changelog	2010-10-13 16:36:26.000000000 +0200
+++ claws-mail-3.7.6/debian/changelog	2013-01-18 19:25:19.000000000 +0100
@@ -1,3 +1,10 @@
+claws-mail (3.7.6-4+squeeze1) stable; urgency=low
+
+  * patches/99_fix_CVE-2012-4507.patch
+   - Added fix for CVE-2012-4507 from 3.8.1-2 (Closes: #690151)
+
+ -- Ricardo Mones <mones@debian.org>  Fri, 18 Jan 2013 19:03:36 +0100
+
 claws-mail (3.7.6-4) unstable; urgency=low
 
   * debian/rules, debian/claws-mail-doc.dirs
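
Review bot: the new entry gives the file as patches/99_fix_CVE-2012-4507.patch, while the entry below it uses full paths (debian/rules, debian/claws-mail-doc.dirs); write debian/patches/99_fix_CVE-2012-4507.patch for consistency. The description could also say what the fix is, a NULL check on charset in parse_parameters() in src/procmime.c, so the point-release changelog is readable without opening the patch.
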
diff -Nru claws-mail-3.7.6/debian/patches/99_fix_CVE-2012-4507.patch claws-mail-3.7.6/debian/patches/99_fix_CVE-2012-4507.patch
--- claws-mail-3.7.6/debian/patches/99_fix_CVE-2012-4507.patch	1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.7.6/debian/patches/99_fix_CVE-2012-4507.patch	2013-01-18 19:25:19.000000000 +0100
@@ -0,0 +1,19 @@
+Subject: fix for CVE-2012-4507 
+From: Michael Schwendt <mschwendt@gmail.com>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2743
+Bug-RedHat: https://bugzilla.redhat.com/862578
+Bug-Debian: http://bugs.debian.org/690151
+Applied-Upstream: 3.8.1cvs82
+
+diff -purN claws-mail-3.8.1.orig/src/procmime.c claws-mail-3.8.1/src/procmime.c
+--- claws-mail-3.8.1.orig/src/procmime.c	2012-06-27 11:05:22.000000000 +0200
++++ claws-mail-3.8.1/src/procmime.c	2012-10-11 18:40:13.000000000 +0200
+@@ -1753,6 +1753,8 @@ static void parse_parameters(const gchar
+ 			continue;
+ 
+ 		charset = value;
++		if (charset == NULL)
++			continue;
+ 		lang = strchr(charset, '\'');
+ 		if (lang == NULL)
+ 			continue;
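
Review bot: the embedded diff is still the one taken against claws-mail-3.8.1 (header paths claws-mail-3.8.1.orig/src/procmime.c, hunk offset 1753), but it is carried here in the 3.7.6 package. Confirm that it applies to the 3.7.6 src/procmime.c without fuzz and that the context around "charset = value;" matches, or refresh the patch against the 3.7.6 tree so the offsets are right. The "Subject:" header line also ends in trailing whitespace.
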
diff -Nru claws-mail-3.7.6/debian/patches/series claws-mail-3.7.6/debian/patches/series
--- claws-mail-3.7.6/debian/patches/series	2009-07-03 15:27:51.000000000 +0200
+++ claws-mail-3.7.6/debian/patches/series	2013-01-18 19:25:19.000000000 +0100
@@ -1,2 +1,3 @@
 11mark_trashed_as_read.patch
 12fix_manpage_header.patch
+99_fix_CVE-2012-4507.patch
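
Review bot: 99_fix_CVE-2012-4507.patch puts an underscore after the numeric prefix, while the two existing entries (11mark_trashed_as_read.patch, 12fix_manpage_header.patch) do not. It is harmless for ordering, but pick one naming scheme if further stable patches are expected.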
