Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kmime for openSUSE:Factory checked in at 2025-09-11 14:38:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kmime (Old) and /work/SRC/openSUSE:Factory/.kmime.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kmime" Thu Sep 11 14:38:54 2025 rev:121 rq:1303904 version:25.08.1 Changes: -------- --- /work/SRC/openSUSE:Factory/kmime/kmime.changes 2025-08-16 20:37:17.115003380 +0200 +++ /work/SRC/openSUSE:Factory/.kmime.new.1977/kmime.changes 2025-09-11 14:41:17.652753837 +0200 @@ -1,0 +2,17 @@ +Wed Sep 10 09:23:55 UTC 2025 - Christophe Marin <[email protected]> + +- Update to 25.08.1 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/gear/25.08.1/ +- Changes since 25.08.0: + * Make sure eatCFWS and isspace use the same definition of "whitespace" + * Optimize encodeRFC2047String by using indexOf + * parseAlphaNumericTimeZone: Don't increase scursor twice + * MultiPart::parse: Fix out of bound array access + * Fix parsing of empty multipart parts + * parseTimeOfDay: Make sure sec is initialized in all branches that return true + * parseDigits: Fix overflow + * MultiPart::parse: Fix out of bound array access + +------------------------------------------------------------------- Old: ---- kmime-25.08.0.tar.xz kmime-25.08.0.tar.xz.sig New: ---- kmime-25.08.1.tar.xz kmime-25.08.1.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kmime.spec ++++++ --- /var/tmp/diff_new_pack.Ecv8Kq/_old 2025-09-11 14:41:18.280780396 +0200 +++ /var/tmp/diff_new_pack.Ecv8Kq/_new 2025-09-11 14:41:18.280780396 +0200 @@ -21,7 +21,7 @@ %bcond_without released Name: kmime -Version: 25.08.0 +Version: 25.08.1 Release: 0 Summary: KDE PIM libraries MIME support License: LGPL-2.1-or-later ++++++ kmime-25.08.0.tar.xz -> kmime-25.08.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/CMakeLists.txt new/kmime-25.08.1/CMakeLists.txt --- old/kmime-25.08.0/CMakeLists.txt 2025-08-06 05:37:15.000000000 +0200 +++ new/kmime-25.08.1/CMakeLists.txt 2025-08-31 10:36:56.000000000 +0200 
@@ -1,5 +1,5 @@ cmake_minimum_required(VERSION 3.16 FATAL_ERROR) -set(PIM_VERSION "6.5.0") +set(PIM_VERSION "6.5.1") project(KMime VERSION ${PIM_VERSION}) Binary files old/kmime-25.08.0/autotests/data/big-allocation.mbox and new/kmime-25.08.1/autotests/data/big-allocation.mbox differ Binary files old/kmime-25.08.0/autotests/data/clusterfuzz-testcase-minimized-kmime_fuzzer-5255984894509056 and new/kmime-25.08.1/autotests/data/clusterfuzz-testcase-minimized-kmime_fuzzer-5255984894509056 differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/autotests/data/multipart-parse-abort-2.mbox new/kmime-25.08.1/autotests/data/multipart-parse-abort-2.mbox --- old/kmime-25.08.0/autotests/data/multipart-parse-abort-2.mbox 1970-01-01 01:00:00.000000000 +0100 +++ new/kmime-25.08.1/autotests/data/multipart-parse-abort-2.mbox 2025-08-31 10:36:56.000000000 +0200 @@ -0,0 +1,4 @@ +Content-Type:Multipart/i;boundary="Boundary" + +--Boundary +--Boundary \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/autotests/data/multipart-parse-abort.mbox new/kmime-25.08.1/autotests/data/multipart-parse-abort.mbox --- old/kmime-25.08.0/autotests/data/multipart-parse-abort.mbox 1970-01-01 01:00:00.000000000 +0100 +++ new/kmime-25.08.1/autotests/data/multipart-parse-abort.mbox 2025-08-31 10:36:56.000000000 +0200 @@ -0,0 +1,3 @@ +Content-Type:Multipart/e;boundary=- + +--- \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/autotests/data/read-digits-overflow.mbox new/kmime-25.08.1/autotests/data/read-digits-overflow.mbox --- old/kmime-25.08.0/autotests/data/read-digits-overflow.mbox 1970-01-01 01:00:00.000000000 +0100 +++ new/kmime-25.08.1/autotests/data/read-digits-overflow.mbox 2025-08-31 10:36:56.000000000 +0200 
@@ -0,0 +1 @@ +Date:7370951615 \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/autotests/data/uninitialized-memory-use.mbox new/kmime-25.08.1/autotests/data/uninitialized-memory-use.mbox --- old/kmime-25.08.0/autotests/data/uninitialized-memory-use.mbox 1970-01-01 01:00:00.000000000 +0100 +++ new/kmime-25.08.1/autotests/data/uninitialized-memory-use.mbox 2025-08-31 10:36:56.000000000 +0200 @@ -0,0 +1 @@ +Date:2Jul6:0U \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/autotests/messagetest.cpp new/kmime-25.08.1/autotests/messagetest.cpp --- old/kmime-25.08.0/autotests/messagetest.cpp 2025-08-06 05:37:15.000000000 +0200 +++ new/kmime-25.08.1/autotests/messagetest.cpp 2025-08-31 10:36:56.000000000 +0200 @@ -10,6 +10,7 @@ #include <QFile> #include <codecs.cpp> +using namespace Qt::Literals; using namespace KMime; QTEST_MAIN(MessageTest) 
@@ -694,5 +695,31 @@ QCOMPARE(msg->headerByType("SubjectInvalid")->as7BitString().data(), "SubjectInvalid: This header type contains a null byte"); } +void MessageTest::testBigAllocation() +{ + KMime::Message::Ptr msg = readAndParseMail(QStringLiteral("big-allocation.mbox")); + QCOMPARE(msg->contents().size(), 20); + for (const auto &part : msg->contents()) { + QVERIFY(part->contents().empty()); + } +} + +void MessageTest::testGarbage_data() +{ + QTest::addColumn<QString>("filename"); + QTest::newRow("multipart-parse-abort-1") << u"multipart-parse-abort.mbox"_s; + QTest::newRow("multipart-parse-abort-2") << u"multipart-parse-abort-2.mbox"_s; + QTest::newRow("digits-overflow") << u"read-digits-overflow.mbox"_s; + QTest::newRow("uninitialized-memory") << u"uninitialized-memory-use.mbox"_s; + QTest::newRow("infinite-memory") << u"clusterfuzz-testcase-minimized-kmime_fuzzer-5255984894509056"_s; +} + +void MessageTest::testGarbage() +{ + // all this does is to ensure parsing the input file doesn't crash, trigger ASAN or infinitely loop + QFETCH(QString, filename); + KMime::Message::Ptr msg = readAndParseMail(filename); + QVERIFY(msg); +} #include "moc_messagetest.cpp" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/autotests/messagetest.h new/kmime-25.08.1/autotests/messagetest.h --- old/kmime-25.08.0/autotests/messagetest.h 2025-08-06 05:37:15.000000000 +0200 +++ new/kmime-25.08.1/autotests/messagetest.h 2025-08-31 10:36:56.000000000 +0200 
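Review bot: `testGarbage()` asserts only `QVERIFY(msg)`, so the `digits-overflow` and `uninitialized-memory` rows can fail only when the test binary runs under a sanitizer or valgrind; in a plain build they pass whether or not the parser fixes are present. The in-test comment names ASAN, but a signed overflow or an uninitialized read is normally reported by UBSan or MSan/valgrind rather than ASan, so I would reword it to something like `// only meaningful under ASan/UBSan/MSan or valgrind: parsing must not crash, be reported, or loop forever`. Where a deterministic outcome exists, an extra assertion on the parsed result (as `testBigAllocation()` does with the part count) would make these rows useful in unsanitized runs too.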
@@ -39,6 +39,10 @@ void testBugAttachment387423(); void testCrashReplyInvalidEmail(); void testHeadersWithNullBytes(); + void testBigAllocation(); + + void testGarbage_data(); + void testGarbage(); private: KMime::Message::Ptr readAndParseMail(const QString &mailFile) const; }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/poqm/zh_CN/libkmime6_qt.po new/kmime-25.08.1/poqm/zh_CN/libkmime6_qt.po --- old/kmime-25.08.0/poqm/zh_CN/libkmime6_qt.po 2025-08-06 05:37:15.000000000 +0200 +++ new/kmime-25.08.1/poqm/zh_CN/libkmime6_qt.po 2025-08-31 10:36:56.000000000 +0200 @@ -21,6 +21,8 @@ "The message sent on ${date} to ${to} with subject \"${subject}\" has been " "displayed. This is no guarantee that the message has been read or understood." msgstr "" +"在 ${date} 发送给 ${to} 主题为“${subject}”的信件已经显示。无法保证信件是否已" +"被阅读或理解。" #: mdn.cpp:60 msgctxt "DispositionModifier|" @@ -29,6 +31,8 @@ "deleted unseen. This is no guarantee that the message will not be \"undeleted" "\" and nonetheless read later on." msgstr "" +"在 ${date} 发送给 ${to} 主题为“${subject}”的信件在没有看过的情况下被删除。无" +"法保证信件是否会被“取消删除”并被阅读。" #: mdn.cpp:68 msgctxt "DispositionModifier|" @@ -36,13 +40,15 @@ "The message sent on ${date} to ${to} with subject \"${subject}\" has been " "dispatched. This is no guarantee that the message will not be read later on." msgstr "" +"在 ${date} 发送给 ${to} 主题为“${subject}”的信件已被发出。无法保证信件是否稍" +"后会被阅读。" #: mdn.cpp:75 msgctxt "DispositionModifier|" msgid "" "The message sent on ${date} to ${to} with subject \"${subject}\" has been " "processed by some automatic means." -msgstr "" +msgstr "在 ${date} 发送给 ${to} 主题为“${subject}”的信件已被某些自动方式处理。" #: mdn.cpp:81 msgctxt "DispositionModifier|" @@ -51,6 +57,8 @@ "acted upon. The sender does not wish to disclose more details to you than " "that." msgstr "" +"在 ${date} 发送给 ${to} 主题为“${subject}”的信件已经被执行操作。发送者并不想" +"透露给您更多细节。" #: mdn.cpp:88 msgctxt "DispositionModifier|" 
@@ -59,3 +67,5 @@ "${date} to ${to} with subject \"${subject}\" failed. Reason is given in the " "Failure: header field below." msgstr "" +"对在 ${date} 发送给 ${to} 主题为“${subject}”的信件生成信件投递通知失败。原因" +"在下面的 Failure: 头字段中已给出。" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/src/codecs.cpp new/kmime-25.08.1/src/codecs.cpp --- old/kmime-25.08.0/src/codecs.cpp 2025-08-06 05:37:15.000000000 +0200 +++ new/kmime-25.08.1/src/codecs.cpp 2025-08-31 10:36:56.000000000 +0200 @@ -69,9 +69,9 @@ } if (nonAscii) { - while ((end < encoded8Bit.length()) && (encoded8Bit[end] != ' ')) { - // we encode complete words - end++; + end = encoded8Bit.indexOf(' ', end); + if (end == -1) { + end = encoded8Bit.length(); } for (int x = end; x < encoded8Bit.length(); x++) { @@ -79,9 +79,9 @@ (addressHeader && (strchr(reservedCharacters, encoded8Bit[x]) != nullptr))) { end = x; // we found another non-ascii word - while ((end < encoded8Bit.length()) && (encoded8Bit[end] != ' ')) { - // we encode complete words - end++; + end = encoded8Bit.indexOf(' ', end); + if (end == -1) { + end = encoded8Bit.length(); } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/src/headerparsing.cpp new/kmime-25.08.1/src/headerparsing.cpp --- old/kmime-25.08.0/src/headerparsing.cpp 2025-08-06 05:37:15.000000000 +0200 +++ new/kmime-25.08.1/src/headerparsing.cpp 2025-08-31 10:36:56.000000000 +0200 @@ -724,6 +724,8 @@ case '\t': // whitespace case '\r': case '\n': // folding + case '\f': // things that shouldn't occure but we need to match isspace() + case '\v': continue; case '(': // comment @@ -1685,7 +1687,6 @@ } for (int i = 0 ; i < timeZonesLen ; ++i) { if (maybeTimeZone.compare(timeZones[i].tzName, Qt::CaseInsensitive) == 0) { - scursor += maybeTimeZone.size(); secsEastOfGMT = timeZones[i].secsEastOfGMT; timeZoneKnown = true; 
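Review bot: In the second codecs.cpp hunk (`@@ -79,9 +79,9 @@`) every `x` that satisfies the condition still starts a fresh `indexOf(' ', end)` scan from `x`, so a long run of such bytes with no space is rescanned once per byte and the loop stays quadratic on that input even after this change. If a space can never satisfy the condition (its first half is outside the hunk, so this needs checking), continuing from the word end with `x = end;` after the `indexOf` block would make the pass linear. The `for (int x = end; …)` line also suggests `end` is an `int`; if so, assigning the `qsizetype` returned by `indexOf` in Qt 6 is a silent narrowing that deserves an explicit cast or a wider type.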
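Review bot: The two cases added in the headerparsing.cpp hunk `@@ -724,6 +724,8 @@` keep a hand-written whitespace list in step with `isspace()`, but `isspace()` is locale-dependent, so outside the "C" locale it may accept bytes this switch does not and the two definitions can drift apart again. The `isspace()` call being matched is outside the hunk; I would have both sites share one locale-independent predicate and say so in the comment, e.g. `// must stay identical to the whitespace test this is paired with`. Small wording fix while there: `occure` should read `occur`.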
@@ -1705,14 +1706,19 @@ } // parse a number and return the number of digits parsed: -int parseDigits(const char *&scursor, const char *const send, int &result) +int parseDigits(const char *&scursor, const char *const send, int &finalResult) { - result = 0; + int64_t result = 0; + finalResult = 0; int digits = 0; for (; scursor != send && isdigit(*scursor) ; scursor++, digits++) { result *= 10; result += int(*scursor - '0'); + if (result > std::numeric_limits<int>::max()) { + return 0; + } } + finalResult = result; return digits; } @@ -1748,6 +1754,7 @@ eatCFWS(scursor, send, isCRLF); if (scursor == send) { + sec = 0; return true; // seconds are optional } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kmime-25.08.0/src/parsers.cpp new/kmime-25.08.1/src/parsers.cpp --- old/kmime-25.08.0/src/parsers.cpp 2025-08-06 05:37:15.000000000 +0200 +++ new/kmime-25.08.1/src/parsers.cpp 2025-08-31 10:36:56.000000000 +0200 @@ -49,7 +49,7 @@ if (pos1 > -1) { pos1 += blen; - if (m_src[pos1] == '-' && m_src[pos1 + 1] == '-') { + if ((pos1 + 1) < m_src.length() && m_src[pos1] == '-' && m_src[pos1 + 1] == '-') { // the only valid boundary is the end-boundary // this message is *really* broken pos1 = -1; //we give up 
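Review bot: `isdigit(*scursor)` in the loop condition of `parseDigits` receives a plain `char`, which is negative for bytes >= 0x80 where `char` is signed; assuming this is the C library function, passing a negative value other than EOF is undefined behaviour, and since these are header bytes from the message the call should be `isdigit(static_cast<unsigned char>(*scursor))`. On the new overflow path the function returns 0 with `scursor` left in the middle of the digit run, which callers that read 0 as "no digits here" may not expect, so a one-line comment stating that contract would help. `finalResult = result;` narrows `int64_t` to `int` implicitly; the preceding check makes it safe, and `static_cast<int>(result)` would say so. The hunk does not show whether `<limits>` and `<cstdint>` are included directly.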
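Review bot: Setting `sec = 0;` only on this early return in the `@@ -1748,6 +1754,7 @@` hunk leaves the out-parameter's initialisation spread over individual branches, so a later early return can reintroduce the uninitialized read. The rest of the function is outside the hunk; if no caller relies on the values staying untouched on failure, assigning the out-parameters once at function entry would cover every path.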
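Review bot: The guard `(pos1 + 1) < m_src.length()` added in the parsers.cpp hunk `@@ -49,7 +49,7 @@` is repeated for `pos2` in the `@@ -79,10 +79,12 @@` hunk, and in both places it protects only the two index expressions on the same line. A small private helper, for example one returning `m_src.mid(pos, 2) == "--"` (`QByteArray::mid()` clamps to the array size), would keep the two checks identical and remove the raw indexing. When the guard is false because the boundary is the last thing in the input, execution continues with `pos1` at or next to the end of `m_src`; the code after this `if` is outside the hunk, so it should be confirmed that it does not index `m_src` with that value either.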
@@ -79,10 +79,12 @@ pos1 = -1; pos2 = -1; //break; } else { - part = m_src.mid(pos1, pos2 - pos1 - 1); // pos2 - 1 (\n) is part of the boundary (see RFC 2046, section 5.1.1) - m_parts.append(part); + if (pos1 != pos2) { // skip entirely empty parts + part = m_src.mid(pos1, pos2 - pos1 - 1); // pos2 - 1 (\n) is part of the boundary (see RFC 2046, section 5.1.1) + m_parts.append(part); + } pos2 += blen; //pos2 points now to the first character after the boundary - if (m_src[pos2] == '-' && m_src[pos2 + 1] == '-') { //end-boundary + if ((pos2 + 1) < m_src.length() && m_src[pos2] == '-' && m_src[pos2 + 1] == '-') { //end-boundary pos1 = pos2 + 2; //pos1 points now to the character directly after the end-boundary if ((pos1 = m_src.indexOf('\n', pos1)) > -1) { //skip the rest of this line
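Review bot: The new `if (pos1 != pos2)` guard works because with `pos1 == pos2` the length `pos2 - pos1 - 1` is -1, which `QByteArray::mid()` interprets as "everything up to the end", but neither the condition nor the `// skip entirely empty parts` comment says so. I would write the guard as `if (pos2 > pos1)` so that a negative length can never reach `mid()`, and extend the comment to `// skip empty parts: a length of -1 would make mid() return the rest of the message`. How `pos1` and `pos2` are computed is outside the hunk, so whether `pos2 < pos1` is reachable today cannot be judged from here.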
