Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package claws-mail This upload fixes CVE-2012-4507 (bug #690151) and includes backported patches for 3 segfaults discovered after 3.8.1 release. Debdiff attached. thanks in advance, unblock claws-mail/3.8.1-2 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru claws-mail-3.8.1/debian/changelog claws-mail-3.8.1/debian/changelog
--- claws-mail-3.8.1/debian/changelog 2012-06-28 01:28:06.000000000 +0200
+++ claws-mail-3.8.1/debian/changelog 2012-10-12 00:13:21.000000000 +0200
@@ -1,3 +1,16 @@
+claws-mail (3.8.1-2) unstable; urgency=medium
+
+ * patches/99_fix_CVE-2012-4507.patch
+ - Added fix for CVE-2012-4507 from 3.8.1cvs82 (Closes: #690151),
+ raised urgency because of grave bug
+ * patches/98_fix_segfault_no_utf_gpgme_strerror.patch,
+ patches/97_fix_segfault_parse_parameters.patch,
+ patches/96_fix_segfault_viewing_signature_info.patch
+ - Backported patches from upstream CVS fixing segfaults discovered
+ after 3.8.1 release
+
+ -- Ricardo Mones <mo...@debian.org> Fri, 12 Oct 2012 00:04:03 +0200
+
 claws-mail (3.8.1-1) unstable; urgency=low

 * New upstream release
diff -Nru claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch
--- claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,17 @@
+Subject: fix segfault viewing PGP/SMIME signature information
+From: Ricardo Mones <rica...@mones.org>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2689
+Applied-Upstream: 3.8.1cvs12
+
+diff -purN claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c
+--- claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c 2012-06-27 11:05:23.000000000 +0200
++++ claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c 2012-10-11 23:34:46.000000000 +0200
+@@ -326,7 +326,7 @@ gchar *sgpgme_sigstat_info_full(gpgme_ct
+ j++;
+ user = user->next;
+ }
+- g_string_append_printf(siginfo,
++ g_string_append(siginfo,
+ _("Primary key fingerprint:"));
+ const char* primary_fpr = NULL;
+ if (key && key->subkeys && key->subkeys->fpr)
diff -Nru claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch
--- claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch 2012-10-12 00:13:21.000000000 +0200
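Review bot: The replacement `g_string_append(siginfo, _("Primary key fingerprint:"));` in sgpgme_sigstat_info_full() (patch 96, sgpgme.c) carries no comment saying why the printf variant was dropped, and the patch header only says "segfault". The removed call passed the translated string as the format with no further arguments, so presumably a translation containing a `%` conversion made it read arguments that were never supplied. I would add `/* translated text is data, not a format string */` above the call. The function starts and ends outside this hunk, so it is worth checking the rest of it for other `g_string_append_printf()` calls whose only argument is a `_()` string.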
@@ -0,0 +1,17 @@
+Subject: fix segfault in parse_parameters() for some attachments
+From: Mikhail Efremov <mikh...@gmail.com>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2697
+Applied-Upstream: 3.8.1cvs15
+
+diff -purN claws-mail-3.8.1.orig/src/procmime.c claws-mail-3.8.1/src/procmime.c
+--- claws-mail-3.8.1.orig/src/procmime.c 2012-06-27 11:05:22.000000000 +0200
++++ claws-mail-3.8.1/src/procmime.c 2012-10-11 23:15:23.000000000 +0200
+@@ -1704,7 +1704,7 @@ static void parse_parameters(const gchar
+ (g_slist_find_custom(concatlist, down_attr, g_strcmp0) == NULL))
+ concatlist = g_slist_prepend(concatlist, g_strdup(tmpattr));
+
+- if (convert && (g_slist_find_custom(convlist, down_attr, g_strcmp0) == NULL))
++ if (convert && (g_slist_find_custom(convlist, tmpattr, g_strcmp0) == NULL))
+ convlist = g_slist_prepend(convlist, g_strdup(tmpattr));
+
+ g_free(tmpattr);
diff -Nru claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch
--- claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch 2012-10-12 00:13:21.000000000 +0200
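Review bot: The concatlist test two lines above the changed line in parse_parameters() (patch 97, procmime.c) still searches with `down_attr` while the list stores `g_strdup(tmpattr)`, the same lookup/insert key mismatch this hunk corrects for convlist. If `tmpattr` is a shortened copy of `down_attr` (the hunk does not show where either is set), that duplicate check may never match and a repeated parameter would be prepended to concatlist again. Consider `(g_slist_find_custom(concatlist, tmpattr, g_strcmp0) == NULL))` there as well, or a comment explaining why the two lists are keyed differently. parse_parameters() starts and ends outside the hunk.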
@@ -0,0 +1,47 @@
+Subject: fix segfault when gpgme_strerror() returns a non UTF-8 string
+From: Colin Leroy <co...@colino.net>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2650
+Applied-Upstream: 3.8.1cvs41
+
+diff -purN claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c
+--- claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c 2012-06-27 11:05:23.000000000 +0200
++++ claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c 2012-10-11 23:04:52.000000000 +0200
+@@ -610,13 +610,36 @@ bail:
+
+ void sgpgme_init()
+ {
++ gchar *ctype_locale = NULL, *messages_locale = NULL;
++ gchar *ctype_utf8_locale = NULL, *messages_utf8_locale = NULL;
++
+ gpgme_engine_info_t engineInfo;
+ if (gpgme_check_version("1.0.0")) {
+ #ifdef LC_CTYPE
+- gpgme_set_locale(NULL, LC_CTYPE, setlocale(LC_CTYPE, NULL));
++ ctype_locale = g_strdup(setlocale(LC_CTYPE, NULL));
++ if (strchr(ctype_locale, '.'))
++ *(strchr(ctype_locale, '.')) = '\0';
++ else if (strchr(ctype_locale, '@'))
++ *(strchr(ctype_locale, '@')) = '\0';
++ ctype_utf8_locale = g_strconcat(ctype_locale, ".UTF-8", NULL);
++
++ gpgme_set_locale(NULL, LC_CTYPE, ctype_utf8_locale);
++
++ g_free(ctype_utf8_locale);
++ g_free(ctype_locale);
+ #endif
+ #ifdef LC_MESSAGES
+- gpgme_set_locale(NULL, LC_MESSAGES, setlocale(LC_MESSAGES, NULL));
++ messages_locale = g_strdup(setlocale(LC_MESSAGES, NULL));
++ if (strchr(messages_locale, '.'))
++ *(strchr(messages_locale, '.')) = '\0';
++ else if (strchr(messages_locale, '@'))
++ *(strchr(messages_locale, '@')) = '\0';
++ messages_utf8_locale = g_strconcat(messages_locale, ".UTF-8", NULL);
++
++ gpgme_set_locale(NULL, LC_MESSAGES, messages_utf8_locale);
++
++ g_free(messages_utf8_locale);
++ g_free(messages_locale);
+ #endif
+ if (!gpgme_get_engine_info(&engineInfo)) {
+ while (engineInfo) {
diff -Nru claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch
---
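Review bot: `g_strdup(setlocale(LC_CTYPE, NULL))` in sgpgme_init() (patch 98, sgpgme.c) can yield NULL, since setlocale() may return NULL and g_strdup(NULL) is NULL, and the `strchr(ctype_locale, '.')` that follows would then dereference it; the LC_MESSAGES block repeats the same sequence. The new code also searches each string twice and duplicates the same logic for both categories. A small static helper that returns the `.UTF-8` name or NULL covers both blocks. Whether gpgme_set_locale() should still be called when no name is available is a choice for the maintainer; the sketch below skips the call. sgpgme_init() continues past the end of the hunk.

```c
/* Build "<locale without codeset/modifier>.UTF-8" for `category`.
 * Returns a newly allocated string, or NULL if setlocale() reports none. */
static gchar *sgpgme_utf8_locale(int category)
{
	const char *current = setlocale(category, NULL);
	gchar *base, *cut, *utf8_name;

	if (current == NULL)
		return NULL;
	base = g_strdup(current);
	cut = strchr(base, '.');
	if (cut == NULL)
		cut = strchr(base, '@');
	if (cut != NULL)
		*cut = '\0';
	utf8_name = g_strconcat(base, ".UTF-8", NULL);
	g_free(base);
	return utf8_name;
}

void sgpgme_init()
{
	gchar *utf8_locale = NULL;
	/* … unchanged: engineInfo declaration, gpgme_check_version() test … */
#ifdef LC_CTYPE
		utf8_locale = sgpgme_utf8_locale(LC_CTYPE);
		if (utf8_locale != NULL)
			gpgme_set_locale(NULL, LC_CTYPE, utf8_locale);
		g_free(utf8_locale);
#endif
#ifdef LC_MESSAGES
		utf8_locale = sgpgme_utf8_locale(LC_MESSAGES);
		if (utf8_locale != NULL)
			gpgme_set_locale(NULL, LC_MESSAGES, utf8_locale);
		g_free(utf8_locale);
#endif
	/* … unchanged: gpgme_get_engine_info() loop … */
```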
claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,19 @@
+Subject: fix for CVE-2012-4507
+From: Michael Schwendt <mschwe...@gmail.com>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2743
+Bug-RedHat: https://bugzilla.redhat.com/862578
+Bug-Debian: http://bugs.debian.org/690151
+Applied-Upstream: 3.8.1cvs82
+
+diff -purN claws-mail-3.8.1.orig/src/procmime.c claws-mail-3.8.1/src/procmime.c
+--- claws-mail-3.8.1.orig/src/procmime.c 2012-06-27 11:05:22.000000000 +0200
++++ claws-mail-3.8.1/src/procmime.c 2012-10-11 18:40:13.000000000 +0200
+@@ -1753,6 +1753,8 @@ static void parse_parameters(const gchar
+ continue;
+
+ charset = value;
++ if (charset == NULL)
++ continue;
+ lang = strchr(charset, '\'');
+ if (lang == NULL)
+ continue;
diff -Nru claws-mail-3.8.1/debian/patches/series claws-mail-3.8.1/debian/patches/series
--- claws-mail-3.8.1/debian/patches/series 2012-06-28 01:28:06.000000000 +0200
+++ claws-mail-3.8.1/debian/patches/series 2012-10-12 00:13:21.000000000 +0200
@@ -1,2 +1,6 @@
 11mark_trashed_as_read.patch
 12fix_manpage_header.patch
+96_fix_segfault_viewing_signature_info.patch
+97_fix_segfault_parse_parameters.patch
+98_fix_segfault_no_utf_gpgme_strerror.patch
+99_fix_CVE-2012-4507.patch
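Review bot: The added `if (charset == NULL) continue;` in parse_parameters() (patch 99, procmime.c) has no comment saying how `value` can be NULL at this point, so the guard looks removable to a later reader. I would add `/* CVE-2012-4507: value can be NULL here; it must not reach strchr() below */` above it. The hunk does not show where `value` is assigned or whether its other uses in this loop are guarded the same way, so that is worth checking in the full function, which starts and ends outside the hunk. A regression test kept alongside the fix would stop the check from being dropped in a later cleanup.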