Your message dated Fri, 12 Oct 2012 05:51:26 +0100
with message-id <[email protected]>
and subject line Re: Bug#690277: unblock: claws-mail/3.8.1-2
has caused the Debian Bug report #690277,
regarding unblock: claws-mail/3.8.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
690277: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690277
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package claws-mail
This upload fixes CVE-2012-4507 (bug #690151) and includes
backported patches for 3 segfaults discovered after 3.8.1
release. Debdiff attached.
thanks in advance,
unblock claws-mail/3.8.1-2
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru claws-mail-3.8.1/debian/changelog claws-mail-3.8.1/debian/changelog
--- claws-mail-3.8.1/debian/changelog 2012-06-28 01:28:06.000000000 +0200
+++ claws-mail-3.8.1/debian/changelog 2012-10-12 00:13:21.000000000 +0200
@@ -1,3 +1,16 @@
+claws-mail (3.8.1-2) unstable; urgency=medium
+
+ * patches/99_fix_CVE-2012-4507.patch
+ - Added fix for CVE-2012-4507 from 3.8.1cvs82 (Closes: #690151),
+ raised urgency because of grave bug
+ * patches/98_fix_segfault_no_utf_gpgme_strerror.patch,
+ patches/97_fix_segfault_parse_parameters.patch,
+ patches/96_fix_segfault_viewing_signature_info.patch
+ - Backported patches from upstream CVS fixing segfaults discovered
+ after 3.8.1 release
+
+ -- Ricardo Mones <[email protected]> Fri, 12 Oct 2012 00:04:03 +0200
+
claws-mail (3.8.1-1) unstable; urgency=low
* New upstream release
diff -Nru claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch
--- claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/96_fix_segfault_viewing_signature_info.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,17 @@
+Subject: fix segfault viewing PGP/SMIME signature information
+From: Ricardo Mones <[email protected]>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2689
+Applied-Upstream: 3.8.1cvs12
+
+diff -purN claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c
+--- claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c 2012-06-27 11:05:23.000000000 +0200
++++ claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c 2012-10-11 23:34:46.000000000 +0200
+@@ -326,7 +326,7 @@ gchar *sgpgme_sigstat_info_full(gpgme_ct
+ j++;
+ user = user->next;
+ }
+- g_string_append_printf(siginfo,
++ g_string_append(siginfo,
+ _("Primary key fingerprint:"));
+ const char* primary_fpr = NULL;
+ if (key && key->subkeys && key->subkeys->fpr)
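Review bot: the header of this patch does not say why the call in sgpgme_sigstat_info_full() was a problem, and it should. The removed line passed the translated string _("Primary key fingerprint:") as the format argument of g_string_append_printf() with no further arguments, so any conversion specifier in a translation would make it read arguments that were never passed; g_string_append() copies the string verbatim. A Description field stating this would help, and the rest of the function is worth checking for other g_string_append_printf() calls that take a _() string and no arguments.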
diff -Nru claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch
--- claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/97_fix_segfault_parse_parameters.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,17 @@
+Subject: fix segfault in parse_parameters() for some attachments
+From: Mikhail Efremov <[email protected]>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2697
+Applied-Upstream: 3.8.1cvs15
+
+diff -purN claws-mail-3.8.1.orig/src/procmime.c claws-mail-3.8.1/src/procmime.c
+--- claws-mail-3.8.1.orig/src/procmime.c 2012-06-27 11:05:22.000000000 +0200
++++ claws-mail-3.8.1/src/procmime.c 2012-10-11 23:15:23.000000000 +0200
+@@ -1704,7 +1704,7 @@ static void parse_parameters(const gchar
+ (g_slist_find_custom(concatlist, down_attr, g_strcmp0) == NULL))
+ concatlist = g_slist_prepend(concatlist, g_strdup(tmpattr));
+
+- if (convert && (g_slist_find_custom(convlist, down_attr, g_strcmp0) == NULL))
++ if (convert && (g_slist_find_custom(convlist, tmpattr, g_strcmp0) == NULL))
+ convlist = g_slist_prepend(convlist, g_strdup(tmpattr));
+
+ g_free(tmpattr);
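Review bot: after this change the two lookups in parse_parameters() no longer agree. The concatlist check in the context lines above still searches for down_attr, while the convlist check now searches for tmpattr, and both lists store g_strdup(tmpattr). The header does not explain why down_attr was wrong for convlist only. Either add a Description giving the reason, or search concatlist with the same key so that each lookup compares against what is actually stored.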
diff -Nru claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch
--- claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/98_fix_segfault_no_utf_gpgme_strerror.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,47 @@
+Subject: fix segfault when gpgme_strerror() returns a non UTF-8 string
+From: Colin Leroy <[email protected]>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2650
+Applied-Upstream: 3.8.1cvs41
+
+diff -purN claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c
+--- claws-mail-3.8.1.orig/src/plugins/pgpcore/sgpgme.c 2012-06-27 11:05:23.000000000 +0200
++++ claws-mail-3.8.1/src/plugins/pgpcore/sgpgme.c 2012-10-11 23:04:52.000000000 +0200
+@@ -610,13 +610,36 @@ bail:
+
+ void sgpgme_init()
+ {
++ gchar *ctype_locale = NULL, *messages_locale = NULL;
++ gchar *ctype_utf8_locale = NULL, *messages_utf8_locale = NULL;
++
+ gpgme_engine_info_t engineInfo;
+ if (gpgme_check_version("1.0.0")) {
+ #ifdef LC_CTYPE
+- gpgme_set_locale(NULL, LC_CTYPE, setlocale(LC_CTYPE, NULL));
++ ctype_locale = g_strdup(setlocale(LC_CTYPE, NULL));
++ if (strchr(ctype_locale, '.'))
++ *(strchr(ctype_locale, '.')) = '\0';
++ else if (strchr(ctype_locale, '@'))
++ *(strchr(ctype_locale, '@')) = '\0';
++ ctype_utf8_locale = g_strconcat(ctype_locale, ".UTF-8", NULL);
++
++ gpgme_set_locale(NULL, LC_CTYPE, ctype_utf8_locale);
++
++ g_free(ctype_utf8_locale);
++ g_free(ctype_locale);
+ #endif
+ #ifdef LC_MESSAGES
+- gpgme_set_locale(NULL, LC_MESSAGES, setlocale(LC_MESSAGES, NULL));
++ messages_locale = g_strdup(setlocale(LC_MESSAGES, NULL));
++ if (strchr(messages_locale, '.'))
++ *(strchr(messages_locale, '.')) = '\0';
++ else if (strchr(messages_locale, '@'))
++ *(strchr(messages_locale, '@')) = '\0';
++ messages_utf8_locale = g_strconcat(messages_locale, ".UTF-8", NULL);
++
++ gpgme_set_locale(NULL, LC_MESSAGES, messages_utf8_locale);
++
++ g_free(messages_utf8_locale);
++ g_free(messages_locale);
+ #endif
+ if (!gpgme_get_engine_info(&engineInfo)) {
+ while (engineInfo) {
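Review bot: in sgpgme_init() the result of g_strdup(setlocale(LC_CTYPE, NULL)) goes straight into strchr() with no NULL check, and the LC_MESSAGES block does the same. setlocale() is allowed to return NULL, g_strdup(NULL) returns NULL, and strchr() on NULL would crash in a patch whose purpose is to remove a crash, so both blocks should be guarded. Two smaller points: a locale that has a modifier but no codeset (the '@' branch) loses the modifier once ".UTF-8" is appended, and the two blocks are identical apart from the category, so a small helper taking the category would remove the duplication and the four locals declared outside the #ifdef guards.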
diff -Nru claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch
--- claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch 1970-01-01 01:00:00.000000000 +0100
+++ claws-mail-3.8.1/debian/patches/99_fix_CVE-2012-4507.patch 2012-10-12 00:13:21.000000000 +0200
@@ -0,0 +1,19 @@
+Subject: fix for CVE-2012-4507
+From: Michael Schwendt <[email protected]>
+Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2743
+Bug-RedHat: https://bugzilla.redhat.com/862578
+Bug-Debian: http://bugs.debian.org/690151
+Applied-Upstream: 3.8.1cvs82
+
+diff -purN claws-mail-3.8.1.orig/src/procmime.c claws-mail-3.8.1/src/procmime.c
+--- claws-mail-3.8.1.orig/src/procmime.c 2012-06-27 11:05:22.000000000 +0200
++++ claws-mail-3.8.1/src/procmime.c 2012-10-11 18:40:13.000000000 +0200
+@@ -1753,6 +1753,8 @@ static void parse_parameters(const gchar
+ continue;
+
+ charset = value;
++ if (charset == NULL)
++ continue;
+ lang = strchr(charset, '\'');
+ if (lang == NULL)
+ continue;
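Review bot: the Subject line of this patch only names the CVE, and the header should describe the defect. From the hunk, charset is assigned from value and was then passed to strchr(charset, '\'') unchecked, so a NULL value was dereferenced in parse_parameters(). A one-line Description saying that would let the release team judge the fix without following the bug links. The added check itself is consistent with the lang == NULL handling directly below it.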
diff -Nru claws-mail-3.8.1/debian/patches/series claws-mail-3.8.1/debian/patches/series
--- claws-mail-3.8.1/debian/patches/series 2012-06-28 01:28:06.000000000 +0200
+++ claws-mail-3.8.1/debian/patches/series 2012-10-12 00:13:21.000000000 +0200
@@ -1,2 +1,6 @@
11mark_trashed_as_read.patch
12fix_manpage_header.patch
+96_fix_segfault_viewing_signature_info.patch
+97_fix_segfault_parse_parameters.patch
+98_fix_segfault_no_utf_gpgme_strerror.patch
+99_fix_CVE-2012-4507.patch
--- End Message ---
--- Begin Message ---
On Fri, 2012-10-12 at 00:44 +0200, Ricardo Mones wrote:
> Please unblock package claws-mail
>
> This upload fixes CVE-2012-4507 (bug #690151) and includes
> backported patches for 3 segfaults discovered after 3.8.1
> release. Debdiff attached.
Unblocked; thanks.
Regards,
Adam
--- End Message ---