diff options
author | drochner <drochner@pkgsrc.org> | 2012-11-29 11:01:15 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2012-11-29 11:01:15 +0000 |
commit | e782f4e0face7221f5c88fe576ab15317852700e (patch) | |
tree | 37e792c961ad14811d6f010e7377b0c237a48b4c /mail | |
parent | e7464ca148fc029552a88ccf28c425bd00731642 (diff) | |
download | pkgsrc-e782f4e0face7221f5c88fe576ab15317852700e.tar.gz |
don't display the URL when fetching calendars, it could contain
credentials (CVE-2012-5527), patch from upstream
bump PKGREV
Diffstat (limited to 'mail')
-rw-r--r-- | mail/claws-mail-vcalendar/Makefile | 4 | ||||
-rw-r--r-- | mail/claws-mail-vcalendar/distinfo | 5 | ||||
-rw-r--r-- | mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1 | 67 | ||||
-rw-r--r-- | mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2 | 13 | ||||
-rw-r--r-- | mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3 | 37 |
5 files changed, 123 insertions, 3 deletions
diff --git a/mail/claws-mail-vcalendar/Makefile b/mail/claws-mail-vcalendar/Makefile index a48281e221f..c1dc2741ae1 100644 --- a/mail/claws-mail-vcalendar/Makefile +++ b/mail/claws-mail-vcalendar/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.36 2012/10/08 23:02:00 adam Exp $ +# $NetBSD: Makefile,v 1.37 2012/11/29 11:01:15 drochner Exp $ # DISTNAME= vcalendar-2.0.13 PKGNAME= claws-mail-vcalendar-2.0.13 -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= mail MASTER_SITES= http://claws-mail.org/downloads/plugins/ diff --git a/mail/claws-mail-vcalendar/distinfo b/mail/claws-mail-vcalendar/distinfo index 1018e20deac..f103b634e36 100644 --- a/mail/claws-mail-vcalendar/distinfo +++ b/mail/claws-mail-vcalendar/distinfo @@ -1,5 +1,8 @@ -$NetBSD: distinfo,v 1.14 2012/07/02 19:08:45 drochner Exp $ +$NetBSD: distinfo,v 1.15 2012/11/29 11:01:16 drochner Exp $ SHA1 (vcalendar-2.0.13.tar.gz) = 082fde227e6cb3514bab53423718331174e6617c RMD160 (vcalendar-2.0.13.tar.gz) = a34846aa714f076792934bd8ea794f5d0db72ba2 Size (vcalendar-2.0.13.tar.gz) = 861524 bytes +SHA1 (patch-CVE-2012-5527_1) = 221b291b5fd879a95f156a2482c6f8a8fd7c1fd1 +SHA1 (patch-CVE-2012-5527_2) = 24b15b3bde4f70103cf2def205d1c7994dcc8b67 +SHA1 (patch-CVE-2012-5527_3) = a4d5df429262b681e67599b0377ba9b8107ea201 diff --git a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1 b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1 new file mode 100644 index 00000000000..e81bf349a0a --- /dev/null +++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1 @@ -0,0 +1,67 @@ +$NetBSD: patch-CVE-2012-5527_1,v 1.1 2012/11/29 11:01:16 drochner Exp $ + +http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782 + +--- src/vcal_folder.c.orig 2011-11-16 05:41:53.000000000 +0000 ++++ src/vcal_folder.c +@@ -1609,7 +1609,7 @@ void *url_read_thread(void *data) + return GINT_TO_POINTER(0); + } + +-gchar *vcal_curl_read(const char *url, gboolean verbose, ++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose, + void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error)) + { + gchar *result; +@@ -1618,25 +1618,19 @@ gchar *vcal_curl_read(const char *url, g + pthread_t pt; + pthread_attr_t pta; + #endif +- gchar *msg; + void *res; + gboolean killed; + gchar *error = NULL; + result = NULL; + td = g_new0(thread_data, 1); +- msg = NULL; + res = NULL; + killed = FALSE; +- ++ + td->url = url; + td->result = NULL; + td->done = FALSE; +- +- msg = g_strdup_printf(_("Fetching '%s'..."), url); +- +- STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg); +- +- g_free(msg); ++ ++ STATUSBAR_PUSH(mainwindow_get_mainwindow(), label); + + #ifdef USE_PTHREAD + if (pthread_attr_init(&pta) != 0 || +@@ -1868,7 +1862,8 @@ static void update_subscription_finish(c + static void update_subscription(const gchar *uri, gboolean verbose) + { + FolderItem *item = get_folder_item_for_uri(uri); +- ++ gchar *label; ++ + if (prefs_common_get_prefs()->work_offline) { + if (!verbose || + !inc_offline_should_override(TRUE, +@@ -1882,7 +1877,11 @@ static void update_subscription(const gc + return; + } + main_window_cursor_wait(mainwindow_get_mainwindow()); +- vcal_curl_read(uri, verbose, update_subscription_finish); ++ ++ label = g_strdup_printf(_("Fetching calendar for %s..."), ++ item && item->name ? item->name : _("new subscription")); ++ vcal_curl_read(uri, label, verbose, update_subscription_finish); ++ g_free(label); + } + + static void check_subs_cb(GtkAction *action, gpointer data) diff --git a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2 b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2 new file mode 100644 index 00000000000..8b2808b6f8c --- /dev/null +++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2 @@ -0,0 +1,13 @@ +$NetBSD: patch-CVE-2012-5527_2,v 1.1 2012/11/29 11:01:16 drochner Exp $ + +--- src/vcal_folder.h.orig 2011-11-16 05:41:53.000000000 +0000 ++++ src/vcal_folder.h +@@ -36,7 +36,7 @@ GSList * vcal_folder_get_webcal_events_f + void vcal_folder_export(Folder *folder); + + gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass); +-gchar *vcal_curl_read(const char *url, gboolean verbose, ++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose, + void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar + *error)); + gchar* get_item_event_list_for_date(FolderItem *item, EventTime date); diff --git a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3 b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3 new file mode 100644 index 00000000000..4413bc3f03b --- /dev/null +++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3 @@ -0,0 +1,37 @@ +$NetBSD: patch-CVE-2012-5527_3,v 1.1 2012/11/29 11:01:16 drochner Exp $ + +--- src/vcal_meeting_gtk.c.orig 2011-10-30 21:24:29.000000000 +0000 ++++ src/vcal_meeting_gtk.c +@@ -1085,7 +1085,7 @@ static gboolean check_attendees_availabi + + if (!local_only) { + remail = g_strdup(email); +- g_free(email); ++ + extract_address(remail); + if (strrchr(remail, ' ')) + user = g_strdup(strrchr(remail, ' ')+1); +@@ -1125,17 +1125,22 @@ static gboolean check_attendees_availabi + && strncmp(tmp, "ftp://", 6)) + contents = file_read_to_str(tmp); + else { ++ gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email); + if (!strncmp(tmp, "webcal://", 9)) { + gchar *tmp2 = g_strdup_printf("http://%s", tmp+9); + g_free(tmp); + tmp = tmp2; + } +- contents = vcal_curl_read(tmp, FALSE, NULL); ++ contents = vcal_curl_read(tmp, label, FALSE, NULL); ++ g_free(label); + } + } else { + contents = NULL; + } ++ ++ g_free(email); + g_free(tmp); ++ + if (contents == NULL) { + uncertain = TRUE; + att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed")); |