Hello community, here is the log from the commit of package trojita for openSUSE:Factory checked in at 2014-03-21 13:51:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/trojita (Old) and /work/SRC/openSUSE:Factory/.trojita.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trojita" Changes: -------- --- /work/SRC/openSUSE:Factory/trojita/trojita.changes 2014-03-09 20:27:38.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.trojita.new/trojita.changes 2014-03-21 13:51:39.000000000 +0100 @@ -1,0 +2,11 @@ +Thu Mar 20 21:39:18 UTC 2014 - [email protected] + +- Update to 0.4.1 + * Fix for CVE-2014-2567 + +------------------------------------------------------------------- +Fri Mar 14 14:56:49 UTC 2014 - [email protected] + +- Require sqlite backend for qtsql as we use just that one. + +------------------------------------------------------------------- Old: ---- trojita-0.4.tar.bz2 New: ---- trojita-0.4.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trojita.spec ++++++ --- /var/tmp/diff_new_pack.3ebMI8/_old 2014-03-21 13:51:39.000000000 +0100 +++ /var/tmp/diff_new_pack.3ebMI8/_new 2014-03-21 13:51:39.000000000 +0100 @@ -18,9 +18,11 @@ %define X_display ":98" Name: trojita -Version: 0.4 +Version: 0.4.1 Release: 0 Summary: Qt5 IMAP e-mail client +License: (GPL-2.0 or GPL-3.0) and BSD-3-Clause and LGPL-2.0 and (LGPL-2.1 or GPL-3.0) and LGPL-2.1+ and GPL-2.0 +Group: Productivity/Networking/Email/Clients # Almost everything: dual-licensed under the GPLv2 or GPLv3 # (with KDE e.V. provision for relicensing) # src/XtConnect: BSD @@ -28,8 +30,6 @@ # Nokia imports: LGPLv2.1 or GPLv3 # src/Imap/Parser/3rdparty/rfccodecs.cpp: LGPLv2+ # src/qwwsmtpclient/: GPLv2 -License: (GPL-2.0 or GPL-3.0) and BSD-3-Clause and LGPL-2.0 and (LGPL-2.1 or GPL-3.0) and LGPL-2.1+ and GPL-2.0 -Group: Productivity/Networking/Email/Clients Url: http://trojita.flaska.net/ Source: http://sourceforge.net/projects/trojita/files/src/%{name}-%{version}.tar.bz2 Patch0: 0001-Explicitly-mark-libs-as-STATIC-to-not-allow-cmake-ru.patch 
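Review bot: Moving `License:` and `Group:` up beside `Summary:` in the @@ -18,9 +18,11 @@ hunk leaves the comment block that explains how the compound license string is assembled (`# Almost everything: dual-licensed under the GPLv2 or GPLv3` through `# src/qwwsmtpclient/: GPLv2`) stranded above `Url:`, several lines away from the tag it documents; the @@ -28,8 +30,6 @@ hunk is the other half of the same move. Either carry the comment block along with the tag, or open it with a pointer such as `# Breakdown of the License tag above:` so the relation survives the reordering.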
@@ -48,6 +48,7 @@ BuildRequires: pkgconfig(Qt5WebKitWidgets) BuildRequires: pkgconfig(Qt5Widgets) BuildRequires: pkgconfig(zlib) +Requires: libQt5Sql5-sqlite BuildRoot: %{_tmppath}/%{name}-%{version}-build %description ++++++ trojita-0.4.tar.bz2 -> trojita-0.4.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trojita-0.4/qtc_packaging/debian_harmattan/changelog new/trojita-0.4.1/qtc_packaging/debian_harmattan/changelog --- old/trojita-0.4/qtc_packaging/debian_harmattan/changelog 2014-03-04 12:12:58.000000000 +0100 +++ new/trojita-0.4.1/qtc_packaging/debian_harmattan/changelog 2014-03-20 20:44:27.000000000 +0100 @@ -1,3 +1,8 @@ +trojita-tp (0.4.1) unstable; urgency=low + * Fix security problem, an information leak with STARTTLS and PREAUTH + + -- Jan Kundrát <[email protected]> Wed, 19 Mar 2014 08:00:00 -0400 + trojita-tp (0.4) unstable; urgency=low * <Add change description here> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trojita-0.4/src/Imap/Tasks/OpenConnectionTask.cpp new/trojita-0.4.1/src/Imap/Tasks/OpenConnectionTask.cpp --- old/trojita-0.4/src/Imap/Tasks/OpenConnectionTask.cpp 2014-03-04 12:12:58.000000000 +0100 +++ new/trojita-0.4.1/src/Imap/Tasks/OpenConnectionTask.cpp 2014-03-20 20:44:27.000000000 +0100 
@@ -153,6 +153,17 @@ { switch (resp->kind) { case PREAUTH: + if (model->m_startTls) { + // Oops, we cannot send STARTTLS when the connection is already authenticated. + // This is serious enough to warrant an error; an attacker might be going after a plaintext + // of a message we're going to APPEND, etc. + // Thanks to Arnt Gulbrandsen on the imap-protocol ML for asking what happens when we're configured + // to request STARTTLS and a PREAUTH is received, and to Michael M Slusarz for starting that discussion. + logout(tr("Configuration requires sending STARTTLS, but the IMAP server greets us with PREAUTH. " + "Encryption cannot be established. If this configuration worked previously, someone " + "is after your data and they are pretty smart.")); + return true; + } // Cool, we're already authenticated. Now, let's see if we have to issue CAPABILITY or if we already know that if (model->accessParser(parser).capabilitiesFresh) { // We're alsmost done here, apart from compression diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trojita-0.4/src/trojita-version new/trojita-0.4.1/src/trojita-version --- old/trojita-0.4/src/trojita-version 2014-03-04 12:12:58.000000000 +0100 +++ new/trojita-0.4.1/src/trojita-version 2014-03-20 20:44:27.000000000 +0100 @@ -1 +1 @@ -0.4 +0.4.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trojita-0.4/tests/Imap/test_Imap_Tasks_OpenConnection.cpp new/trojita-0.4.1/tests/Imap/test_Imap_Tasks_OpenConnection.cpp --- old/trojita-0.4/tests/Imap/test_Imap_Tasks_OpenConnection.cpp 2014-03-04 12:12:58.000000000 +0100 +++ new/trojita-0.4.1/tests/Imap/test_Imap_Tasks_OpenConnection.cpp 2014-03-20 20:44:27.000000000 +0100 
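Review bot: The guard added at the top of `case PREAUTH:` explains its rationale at length but never names the issue it closes; the accompanying trojita.changes entry identifies it as CVE-2014-2567, so a one-line reference such as `// CVE-2014-2567: a PREAUTH greeting must never let us skip a mandatory STARTTLS upgrade.` would keep a later maintainer from treating the branch as paranoia to simplify away. The check keys solely on `model->m_startTls`; if a direct-TLS session could also carry that flag, a PREAUTH greeting over an already-encrypted socket would now be refused as well, which cannot be told from this hunk and is worth confirming against how the flag is set. The enclosing function and its switch begin and end outside the hunk.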
@@ -129,6 +129,19 @@ QVERIFY(startTlsUpgradeSpy->isEmpty()); } +/** @short What happens when the server responds with PREAUTH and we want STARTTLS? */ +void ImapModelOpenConnectionTest::testPreauthWithStartTlsWanted() +{ + cleanup(); init(true); // yuck, but I can't come up with anything better... + + cEmpty(); + cServer("* PREAUTH hi there\r\n"); + QCOMPARE(failedSpy->size(), 1); + QVERIFY(completedSpy->isEmpty()); + QVERIFY(authSpy->isEmpty()); + QVERIFY(startTlsUpgradeSpy->isEmpty()); +} + /** @short Test for obtaining capability and logging in without any STARTTLS */ void ImapModelOpenConnectionTest::testOk() { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trojita-0.4/tests/Imap/test_Imap_Tasks_OpenConnection.h new/trojita-0.4.1/tests/Imap/test_Imap_Tasks_OpenConnection.h --- old/trojita-0.4/tests/Imap/test_Imap_Tasks_OpenConnection.h 2014-03-04 12:12:58.000000000 +0100 +++ new/trojita-0.4.1/tests/Imap/test_Imap_Tasks_OpenConnection.h 2014-03-20 20:44:27.000000000 +0100 @@ -39,6 +39,7 @@ void testPreauth(); void testPreauthWithCapability(); + void testPreauthWithStartTlsWanted(); void testOk(); void testOkWithCapability(); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
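Review bot: `testPreauthWithStartTlsWanted` checks only the signal spies after the PREAUTH greeting; it does not pin what, if anything, the client wrote to the socket before giving up, which is the property the fix is about (no STARTTLS attempt and, above all, no LOGIN after an unexpected PREAUTH). If `logout()` sends nothing, a trailing `cEmpty();` after the `cServer("* PREAUTH hi there\r\n");` line would assert that; if it does emit a LOGOUT, an expectation for exactly that command (the `cClient` helper, if that is what the other tests use) serves the same purpose. The `cleanup(); init(true);` restart presumably switches STARTTLS on — a short comment naming what the `true` selects would read better than the "yuck" apology.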
