Your message dated Sat, 17 Nov 2012 19:28:43 +0000
with message-id <1353180523.22859.36.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#693538: unblock: claws-mail-extra-plugins/3.8.1-2
has caused the Debian Bug report #693538,
regarding unblock: claws-mail-extra-plugins/3.8.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
693538: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693538
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package claws-mail-extra-plugins
Includes only a new patch to address security bug #693391 (credentials
exposed on interface), from the upstream fix. Debdiff attached.
Thanks in advance,
unblock claws-mail-extra-plugins/3.8.1-2
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru claws-mail-extra-plugins-3.8.1/debian/changelog claws-mail-extra-plugins-3.8.1/debian/changelog
--- claws-mail-extra-plugins-3.8.1/debian/changelog 2012-06-28 13:47:40.000000000 +0200
+++ claws-mail-extra-plugins-3.8.1/debian/changelog 2012-11-17 18:42:26.000000000 +0100
@@ -1,3 +1,12 @@
+claws-mail-extra-plugins (3.8.1-2) unstable; urgency=medium
+
+ * debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch
+ - Added patch to fix CVE-2012-5527: credentials exposed on
+ interface (Closes: #693391)
+ - Urgency set to medium because of security bug
+
+ -- Ricardo Mones <mo...@debian.org> Sat, 17 Nov 2012 18:22:23 +0100
+
claws-mail-extra-plugins (3.8.1-1) unstable; urgency=low
* New upstream release
diff -Nru claws-mail-extra-plugins-3.8.1/debian/patches/series claws-mail-extra-plugins-3.8.1/debian/patches/series
--- claws-mail-extra-plugins-3.8.1/debian/patches/series 2012-06-28 13:47:40.000000000 +0200
+++ claws-mail-extra-plugins-3.8.1/debian/patches/series 2012-11-17 18:42:26.000000000 +0100
@@ -1,3 +1,4 @@
python-plugin00dont-dlopen-symlink.patch
multi-notifier00allow-libindicate-0.7.patch
archiver-plugin00format-security.patch
+vcalendar-plugin00fix-CVE-2012-5527.patch
diff -Nru claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch
--- claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-extra-plugins-3.8.1/debian/patches/vcalendar-plugin00fix-CVE-2012-5527.patch 2012-11-17 18:42:26.000000000 +0100
@@ -0,0 +1,118 @@
+Subject: fix CVE-2012-5527: credentials exposed on interface
+Author: Colin Leroy <co...@colino.net>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
+Bug-Debian: http://bugs.debian.org/693391
+Applied-Upstream: 2.0.14cvs3
+
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.c claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.c
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.c 2011-11-16 06:41:53.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.c 2012-11-17 18:10:24.000000000 +0100
+@@ -1609,7 +1609,7 @@
+ return GINT_TO_POINTER(0);
+ }
+
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+ void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error))
+ {
+ gchar *result;
+@@ -1618,25 +1618,19 @@
+ pthread_t pt;
+ pthread_attr_t pta;
+ #endif
+- gchar *msg;
+ void *res;
+ gboolean killed;
+ gchar *error = NULL;
+ result = NULL;
+ td = g_new0(thread_data, 1);
+- msg = NULL;
+ res = NULL;
+ killed = FALSE;
+-
++
+ td->url = url;
+ td->result = NULL;
+ td->done = FALSE;
+-
+- msg = g_strdup_printf(_("Fetching '%s'..."), url);
+-
+- STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg);
+-
+- g_free(msg);
++
++ STATUSBAR_PUSH(mainwindow_get_mainwindow(), label);
+
+ #ifdef USE_PTHREAD
+ if (pthread_attr_init(&pta) != 0 ||
+@@ -1868,7 +1862,8 @@
+ static void update_subscription(const gchar *uri, gboolean verbose)
+ {
+ FolderItem *item = get_folder_item_for_uri(uri);
+-
++ gchar *label;
++
+ if (prefs_common_get_prefs()->work_offline) {
+ if (!verbose ||
+ !inc_offline_should_override(TRUE,
+@@ -1882,7 +1877,11 @@
+ return;
+ }
+ main_window_cursor_wait(mainwindow_get_mainwindow());
+- vcal_curl_read(uri, verbose, update_subscription_finish);
++
++ label = g_strdup_printf(_("Fetching calendar for %s..."),
++ item && item->name ? item->name : _("new subscription"));
++ vcal_curl_read(uri, label, verbose, update_subscription_finish);
++ g_free(label);
+ }
+
+ static void check_subs_cb(GtkAction *action, gpointer data)
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.h claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.h
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_folder.h 2011-11-16 06:41:53.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_folder.h 2012-11-17 18:10:24.000000000 +0100
+@@ -36,7 +36,7 @@
+ void vcal_folder_export(Folder *folder);
+
+ gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass);
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+ void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar
+ *error));
+ gchar* get_item_event_list_for_date(FolderItem *item, EventTime date);
+diff -urN claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_meeting_gtk.c claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_meeting_gtk.c
+--- claws-mail-extra-plugins-3.8.1.orig/vcalendar-2.0.13/src/vcal_meeting_gtk.c 2011-10-30 22:24:29.000000000 +0100
++++ claws-mail-extra-plugins-3.8.1/vcalendar-2.0.13/src/vcal_meeting_gtk.c 2012-11-17 18:10:24.000000000 +0100
+@@ -1085,7 +1085,7 @@
+
+ if (!local_only) {
+ remail = g_strdup(email);
+- g_free(email);
++
+ extract_address(remail);
+ if (strrchr(remail, ' '))
+ user = g_strdup(strrchr(remail, ' ')+1);
+@@ -1125,17 +1125,22 @@
+ && strncmp(tmp, "ftp://", 6))
+ contents = file_read_to_str(tmp);
+ else {
++ gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email);
+ if (!strncmp(tmp, "webcal://", 9)) {
+ gchar *tmp2 = g_strdup_printf("http://%s", tmp+9);
+ g_free(tmp);
+ tmp = tmp2;
+ }
+- contents = vcal_curl_read(tmp, FALSE, NULL);
++ contents = vcal_curl_read(tmp, label, FALSE, NULL);
++ g_free(label);
+ }
+ } else {
+ contents = NULL;
+ }
++
++ g_free(email);
+ g_free(tmp);
++
+ if (contents == NULL) {
+ uncertain = TRUE;
+ att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed"));
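Review bot: The status-bar text no longer carries the URL, but `vcal_curl_read` still hands the raw `url` to `callback` together with `verbose` and `error` (nested hunk at -1609 in vcal_folder.c). Any alert or log text the callback builds from that URL would presumably still show embedded credentials; `update_subscription_finish` is not visible here, so it is worth checking before treating CVE-2012-5527 as fully closed. The new `label` parameter has no stated contract, so I would add a comment above the prototype in vcal_folder.h, such as `/* label: text shown in the status bar while fetching; must not contain url, which may embed credentials */`. In vcal_meeting_gtk.c the `g_free(email)` moves from inside `if (!local_only)` to after the fetch, and the code between the two nested hunks is not shown; confirm that `email` is not already freed on the `local_only` path and that no early exit skips the new free. All three function bodies continue outside the nested hunks.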
--- End Message ---
--- Begin Message ---
On Sat, 2012-11-17 at 19:25 +0100, Ricardo Mones wrote:
> Please unblock package claws-mail-extra-plugins
>
> Includes only a new patch to address security bug #693391 (credentials
> exposed on interface), from the upstream fix. Debdiff attached.
Unblocked; thanks.
Regards,
Adam
--- End Message ---