Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package claws-mail-extra-plugins. The upload includes only a new patch, taken from the upstream fix, to address security bug #693391 (credentials exposed on interface). Debdiff attached. Thanks in advance, unblock claws-mail-extra-plugins/3.8.1-2 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru claws-mail-extra-plugins-3.8.1/debian/changelog claws-mail-extra-plugins-3.8.1/debian/changelog
--- claws-mail-extra-plugins-3.8.1/debian/changelog 2012-06-28 13:47:40.000000000 +0200
+++ claws-mail-extra-plugins-3.8.1/debian/changelog 2012-11-17 18:42:26.000000000 +0100
@@ -1,3 +1,12 @@
+claws-mail-extra-plugins (3.8.1-2) unstable; urgency=medium
+
+ * debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch
+ - Added patch to fix CVE-2012-5527: credentials exposed on
+ interface (Closes: #693391)
+ - Urgency set to medium because of security bug
+
+ -- Ricardo Mones <mo...@debian.org> Sat, 17 Nov 2012 18:22:23 +0100
+
 claws-mail-extra-plugins (3.8.1-1) unstable; urgency=low
 
 * New upstream release
diff -Nru claws-mail-extra-plugins-3.8.1/debian/patches/series claws-mail-extra-plugins-3.8.1/debian/patches/series
--- claws-mail-extra-plugins-3.8.1/debian/patches/series 2012-06-28 13:47:40.000000000 +0200
+++ claws-mail-extra-plugins-3.8.1/debian/patches/series 2012-11-17 18:42:26.000000000 +0100
@@ -1,3 +1,4 @@
 python-plugin00dont-dlopen-symlink.patch
 multi-notifier00allow-libindicate-0.7.patch
 archiver-plugin00format-security.patch
+vcalendar-plugin00fix-CVE-2012-5527.patch
diff -Nru claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch
--- claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch 2012-11-17 18:42:26.000000000 +0100
@@ -0,0 +1,118 @@
+Subject: fix CVE-2012-5527: credentials exposed on interface
+Author: Colin Leroy <co...@colino.net>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
+Bug-Debian: http://bugs.debian.org/693391
+Applied-Upstream: 2.0.14cvs3
+
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.c claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.c
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.c 2011-11-16 06:41:53.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.c 2012-11-17 18:10:24.000000000 +0100
+@@ -1609,7 +1609,7 @@
+ return GINT_TO_POINTER(0);
+ }
+
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+ void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error))
+ {
+ gchar *result;
+@@ -1618,25 +1618,19 @@
+ pthread_t pt;
+ pthread_attr_t pta;
+ #endif
+- gchar *msg;
+ void *res;
+ gboolean killed;
+ gchar *error = NULL;
+ result = NULL;
+ td = g_new0(thread_data, 1);
+- msg = NULL;
+ res = NULL;
+ killed = FALSE;
+-
++
+ td->url = url;
+ td->result = NULL;
+ td->done = FALSE;
+-
+- msg = g_strdup_printf(_("Fetching '%s'..."), url);
+-
+- STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg);
+-
+- g_free(msg);
++
++ STATUSBAR_PUSH(mainwindow_get_mainwindow(), label);
+
+ #ifdef USE_PTHREAD
+ if (pthread_attr_init(&pta) != 0 ||
+@@ -1868,7 +1862,8 @@
+ static void update_subscription(const gchar *uri, gboolean verbose)
+ {
+ FolderItem *item = get_folder_item_for_uri(uri);
+-
++ gchar *label;
++
+ if (prefs_common_get_prefs()->work_offline) {
+ if (!verbose ||
+ !inc_offline_should_override(TRUE,
+@@ -1882,7 +1877,11 @@
+ return;
+ }
+ main_window_cursor_wait(mainwindow_get_mainwindow());
+- vcal_curl_read(uri, verbose, update_subscription_finish);
++
++ label = g_strdup_printf(_("Fetching calendar for %s..."),
++ item && item->name ? item->name : _("new subscription"));
++ vcal_curl_read(uri, label, verbose, update_subscription_finish);
++ g_free(label);
+ }
+
+ static void check_subs_cb(GtkAction *action, gpointer data)
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.h claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.h
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.h 2011-11-16 06:41:53.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.h 2012-11-17 18:10:24.000000000 +0100
+@@ -36,7 +36,7 @@
+ void vcal_folder_export(Folder *folder);
+
+ gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass);
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+ void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar
+ *error));
+ gchar* get_item_event_list_for_date(FolderItem *item, EventTime date);
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_meeting_gtk.c claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_meeting_gtk.c
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_meeting_gtk.c 2011-10-30 22:24:29.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_meeting_gtk.c 2012-11-17 18:10:24.000000000 +0100
+@@ -1085,7 +1085,7 @@
+
+ if (!local_only) {
+ remail = g_strdup(email);
+- g_free(email);
++
+ extract_address(remail);
+ if (strrchr(remail, ' '))
+ user = g_strdup(strrchr(remail, ' ')+1);
+@@ -1125,17 +1125,22 @@
+ && strncmp(tmp, "ftp://", 6))
+ contents = file_read_to_str(tmp);
+ else {
++ gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email);
+ if (!strncmp(tmp, "webcal://", 9)) {
+ gchar *tmp2 = g_strdup_printf("http://%s", tmp+9);
+ g_free(tmp);
+ tmp = tmp2;
+ }
+- contents = vcal_curl_read(tmp, FALSE, NULL);
++ contents = vcal_curl_read(tmp, label, FALSE, NULL);
++ g_free(label);
+ }
+ } else {
+ contents = NULL;
+ }
++
++ g_free(email);
+ g_free(tmp);
++
+ if (contents == NULL) {
+ uncertain = TRUE;
+ att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed"));
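Review bot: In the vcal_folder.c hunk at -1618, vcal_curl_read() no longer formats `url` into the status-bar text, but `url` is still stored in `td->url`, and the `callback` type shown in the -1609 hunk still takes `const gchar *url` next to `gchar *error`. The remainder of vcal_curl_read() and the body of update_subscription_finish() lie outside this patch, so whether an error dialog, log entry or debug print there still formats the full URL cannot be confirmed from here; if one does, credentials embedded in the URL stay visible on that path. I would audit those paths and document the new parameter above the definition, e.g. `/* label: status-bar text; must not be built from url, which may contain credentials */`. In vcal_meeting_gtk.c, `g_free(email)` moves from inside `if (!local_only)` (hunk -1085) to an unconditional call before `g_free(tmp)` (hunk -1125); please confirm that no other path already frees `email`, since the surrounding function is not shown.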