authordrochner <drochner>2012-11-29 11:01:15 +0000
committerdrochner <drochner>2012-11-29 11:01:15 +0000
commit8bacd783b158d5d52cc4d822f7ee98879f2a491a (patch)
tree37e792c961ad14811d6f010e7377b0c237a48b4c /mail/claws-mail-vcalendar
parentdd97dcee1f9421b97a647c14aede47549c26f8be (diff)
downloadpkgsrc-8bacd783b158d5d52cc4d822f7ee98879f2a491a.tar.gz
don't display the URL when fetching calendars, it could contain
credentials (CVE-2012-5527); patch from upstream; bump PKGREV
Diffstat (limited to 'mail/claws-mail-vcalendar')
-rw-r--r--mail/claws-mail-vcalendar/Makefile4
-rw-r--r--mail/claws-mail-vcalendar/distinfo5
-rw-r--r--mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_167
-rw-r--r--mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_213
-rw-r--r--mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_337
5 files changed, 123 insertions, 3 deletions
diff --git a/mail/claws-mail-vcalendar/Makefile b/mail/claws-mail-vcalendar/Makefile
index a48281e221f..c1dc2741ae1 100644
--- a/mail/claws-mail-vcalendar/Makefile
+++ b/mail/claws-mail-vcalendar/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.36 2012/10/08 23:02:00 adam Exp $
+# $NetBSD: Makefile,v 1.37 2012/11/29 11:01:15 drochner Exp $
#
DISTNAME= vcalendar-2.0.13
PKGNAME= claws-mail-vcalendar-2.0.13
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= mail
MASTER_SITES= http://claws-mail.org/downloads/plugins/
diff --git a/mail/claws-mail-vcalendar/distinfo b/mail/claws-mail-vcalendar/distinfo
index 1018e20deac..f103b634e36 100644
--- a/mail/claws-mail-vcalendar/distinfo
+++ b/mail/claws-mail-vcalendar/distinfo
@@ -1,5 +1,8 @@
-$NetBSD: distinfo,v 1.14 2012/07/02 19:08:45 drochner Exp $
+$NetBSD: distinfo,v 1.15 2012/11/29 11:01:16 drochner Exp $
SHA1 (vcalendar-2.0.13.tar.gz) = 082fde227e6cb3514bab53423718331174e6617c
RMD160 (vcalendar-2.0.13.tar.gz) = a34846aa714f076792934bd8ea794f5d0db72ba2
Size (vcalendar-2.0.13.tar.gz) = 861524 bytes
+SHA1 (patch-CVE-2012-5527_1) = 221b291b5fd879a95f156a2482c6f8a8fd7c1fd1
+SHA1 (patch-CVE-2012-5527_2) = 24b15b3bde4f70103cf2def205d1c7994dcc8b67
+SHA1 (patch-CVE-2012-5527_3) = a4d5df429262b681e67599b0377ba9b8107ea201
diff --git a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1 b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1
new file mode 100644
index 00000000000..e81bf349a0a
--- /dev/null
+++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1
@@ -0,0 +1,67 @@
+$NetBSD: patch-CVE-2012-5527_1,v 1.1 2012/11/29 11:01:16 drochner Exp $
+
+http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
+
+--- src/vcal_folder.c.orig 2011-11-16 05:41:53.000000000 +0000
++++ src/vcal_folder.c
+@@ -1609,7 +1609,7 @@ void *url_read_thread(void *data)
+ return GINT_TO_POINTER(0);
+ }
+
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+ void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error))
+ {
+ gchar *result;
+@@ -1618,25 +1618,19 @@ gchar *vcal_curl_read(const char *url, g
+ pthread_t pt;
+ pthread_attr_t pta;
+ #endif
+- gchar *msg;
+ void *res;
+ gboolean killed;
+ gchar *error = NULL;
+ result = NULL;
+ td = g_new0(thread_data, 1);
+- msg = NULL;
+ res = NULL;
+ killed = FALSE;
+-
++
+ td->url = url;
+ td->result = NULL;
+ td->done = FALSE;
+-
+- msg = g_strdup_printf(_("Fetching '%s'..."), url);
+-
+- STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg);
+-
+- g_free(msg);
++
++ STATUSBAR_PUSH(mainwindow_get_mainwindow(), label);
+
+ #ifdef USE_PTHREAD
+ if (pthread_attr_init(&pta) != 0 ||
+@@ -1868,7 +1862,8 @@ static void update_subscription_finish(c
+ static void update_subscription(const gchar *uri, gboolean verbose)
+ {
+ FolderItem *item = get_folder_item_for_uri(uri);
+-
++ gchar *label;
++
+ if (prefs_common_get_prefs()->work_offline) {
+ if (!verbose ||
+ !inc_offline_should_override(TRUE,
+@@ -1882,7 +1877,11 @@ static void update_subscription(const gc
+ return;
+ }
+ main_window_cursor_wait(mainwindow_get_mainwindow());
+- vcal_curl_read(uri, verbose, update_subscription_finish);
++
++ label = g_strdup_printf(_("Fetching calendar for %s..."),
++ item && item->name ? item->name : _("new subscription"));
++ vcal_curl_read(uri, label, verbose, update_subscription_finish);
++ g_free(label);
+ }
+
+ static void check_subs_cb(GtkAction *action, gpointer data)
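Review bot: The label built in update_subscription() is taken from `item->name`, and nothing in these hunks shows that the folder name can never be derived from the subscription URI; if it can, the status bar would still show the credentials this patch is meant to hide, so the code that names the folder item is worth checking. The callback passed to vcal_curl_read() still receives `url`, so update_subscription_finish() and any log or error path in url_read_thread(), none of which are visible here, should be checked for printing it as well. vcal_curl_read() now hands `label` to STATUSBAR_PUSH with no NULL handling, and a comment above the function such as `/* label: text shown in the status bar; must not contain the URL, which may carry credentials; caller keeps ownership */` would record that contract. The bodies of both functions continue outside the hunks.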
diff --git a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2 b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2
new file mode 100644
index 00000000000..8b2808b6f8c
--- /dev/null
+++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2
@@ -0,0 +1,13 @@
+$NetBSD: patch-CVE-2012-5527_2,v 1.1 2012/11/29 11:01:16 drochner Exp $
+
+--- src/vcal_folder.h.orig 2011-11-16 05:41:53.000000000 +0000
++++ src/vcal_folder.h
+@@ -36,7 +36,7 @@ GSList * vcal_folder_get_webcal_events_f
+ void vcal_folder_export(Folder *folder);
+
+ gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass);
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+ void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar
+ *error));
+ gchar* get_item_event_list_for_date(FolderItem *item, EventTime date);
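Review bot: The new `label` parameter on the vcal_curl_read() prototype is undocumented, and this header is where other callers will look for the contract. A comment above the declaration would cover it: `/* label is displayed in the status bar while fetching; pass a description of the calendar, never the URL, which may contain credentials */`. Because the signature of an exported function changes, any caller outside the two source files patched in this commit needs the extra argument too; only the callers in vcal_folder.c and vcal_meeting_gtk.c are visible here.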
diff --git a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3 b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3
new file mode 100644
index 00000000000..4413bc3f03b
--- /dev/null
+++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3
@@ -0,0 +1,37 @@
+$NetBSD: patch-CVE-2012-5527_3,v 1.1 2012/11/29 11:01:16 drochner Exp $
+
+--- src/vcal_meeting_gtk.c.orig 2011-10-30 21:24:29.000000000 +0000
++++ src/vcal_meeting_gtk.c
+@@ -1085,7 +1085,7 @@ static gboolean check_attendees_availabi
+
+ if (!local_only) {
+ remail = g_strdup(email);
+- g_free(email);
++
+ extract_address(remail);
+ if (strrchr(remail, ' '))
+ user = g_strdup(strrchr(remail, ' ')+1);
+@@ -1125,17 +1125,22 @@ static gboolean check_attendees_availabi
+ && strncmp(tmp, "ftp://", 6))
+ contents = file_read_to_str(tmp);
+ else {
++ gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email);
+ if (!strncmp(tmp, "webcal://", 9)) {
+ gchar *tmp2 = g_strdup_printf("http://%s", tmp+9);
+ g_free(tmp);
+ tmp = tmp2;
+ }
+- contents = vcal_curl_read(tmp, FALSE, NULL);
++ contents = vcal_curl_read(tmp, label, FALSE, NULL);
++ g_free(label);
+ }
+ } else {
+ contents = NULL;
+ }
++
++ g_free(email);
+ g_free(tmp);
++
+ if (contents == NULL) {
+ uncertain = TRUE;
+ att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed"));
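Review bot: Moving `g_free(email)` from the top of the `if (!local_only)` branch to after the block keeps `email` allocated across code that is not in these hunks (original lines 1092–1124), so any early exit in that stretch would now leak it; it should be checked for `continue`, `return` or `goto`. Indentation is lost on this page, but if `} else { contents = NULL; }` pairs with `if (!local_only)`, the free now also runs when `local_only` is true, where the old code did not free `email` at this point, so confirm it is not freed again later on that path. A short comment at the new free, e.g. `/* email is kept until here because the status-bar label uses it */`, would explain the ordering. The function body starts and ends outside the hunks.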