commit:     cbdd19788e941b123628f724764bac32d12a728c
Author:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
AuthorDate: Sun Jun 12 13:33:08 2022 +0000
Commit:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
CommitDate: Sun Jun 12 13:33:08 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbdd1978

mail-client/sylpheed: fix CVE-2021-37746

Bug: https://bugs.gentoo.org/805338
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Akinori Hattori <hattya <AT> gentoo.org>

 .../sylpheed/files/sylpheed-CVE-2021-37746.patch   | 39 ++++++++++++
 mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild      | 69 ++++++++++++++++++++++
 2 files changed, 108 insertions(+)

diff --git a/mail-client/sylpheed/files/sylpheed-CVE-2021-37746.patch 
b/mail-client/sylpheed/files/sylpheed-CVE-2021-37746.patch
new file mode 100644
index 000000000000..47a6f078e824
--- /dev/null
+++ b/mail-client/sylpheed/files/sylpheed-CVE-2021-37746.patch
@@ -0,0 +1,39 @@
+https://src.fedoraproject.org/rpms/sylpheed/blob/rawhide/f/sylpheed-3.7.0-uri-check.patch
+
+From 4d7dfe055673b49391af66f45643bc956799a4ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <[email protected]>
+Date: Mon, 2 Aug 2021 12:04:42 +0200
+Subject: [PATCH] harden link checker before accepting click
+
+http://git.claws-mail.org/?p=claws.git;a=commitdiff_plain;h=ac286a71ed78429e16c612161251b9ea90ccd431;hp=a4a629ce824011f5ae3f0b8cb1117f9608b7f5ad
+
+Resolves: CVE-2021-37746
+---
+ src/textview.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/textview.c b/src/textview.c
+index e55eea9e..6fbb8a1d 100644
+--- a/src/textview.c
++++ b/src/textview.c
+@@ -2689,7 +2689,7 @@ static gboolean textview_uri_security_check(TextView 
*textview, RemoteURI *uri)
+       gboolean retval = TRUE;
+ 
+       if (is_uri_string(uri->uri) == FALSE)
+-              return TRUE;
++              return FALSE;
+ 
+       buffer = gtk_text_view_get_buffer(GTK_TEXT_VIEW(textview->text));
+       gtk_text_buffer_get_iter_at_offset(buffer, &start_iter, uri->start);
+@@ -2725,6 +2725,8 @@ static gboolean textview_uri_security_check(TextView 
*textview, RemoteURI *uri)
+               if (aval == G_ALERTDEFAULT)
+                       retval = TRUE;
+       }
++      if (strlen(uri->uri) > get_uri_len(uri->uri))
++              retval = FALSE;
+ 
+       g_free(visible_str);
+ 
+-- 
+2.31.1
+
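Review bot: The length check added just before `g_free(visible_str)` runs after the block where a confirmed alert sets `retval = TRUE`, so a user can be prompted, accept the link, and still have the click dropped without explanation. Any return path in the lines between the two inner hunks (not visible here) would also skip the check entirely. Because the test depends only on `uri->uri`, it could sit with the first guard instead: `if (is_uri_string(uri->uri) == FALSE || strlen(uri->uri) > get_uri_len(uri->uri)) return FALSE;`. That would diverge from the upstream claws-mail change this patch mirrors, so it may be better proposed upstream than carried locally. The body of textview_uri_security_check starts and ends outside both hunks.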

diff --git a/mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild 
b/mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild
new file mode 100644
index 000000000000..e305207ab055
--- /dev/null
+++ b/mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+inherit desktop xdg
+
+DESCRIPTION="A lightweight email client and newsreader"
+HOMEPAGE="http://sylpheed.sraoss.jp/";
+SRC_URI="http://${PN}.sraoss.jp/${PN}/v${PV%.*}/${P}.tar.bz2";
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+IUSE="crypt ipv6 ldap nls oniguruma spell ssl xface"
+
+CDEPEND="net-libs/liblockfile
+       x11-libs/gtk+:2
+       crypt? ( app-crypt/gpgme:= )
+       ldap? ( net-nds/openldap:= )
+       nls? ( sys-devel/gettext )
+       oniguruma? ( dev-libs/oniguruma:= )
+       spell? (
+               app-text/gtkspell:2
+               dev-libs/dbus-glib
+       )
+       ssl? ( dev-libs/openssl:0= )"
+RDEPEND="${CDEPEND}
+       app-misc/mime-types
+       net-misc/curl"
+DEPEND="${CDEPEND}
+       xface? ( media-libs/compface )"
+BDEPEND="virtual/pkgconfig"
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-tls-1.3.patch
+       "${FILESDIR}"/${PN}-CVE-2021-37746.patch
+)
+DOCS="AUTHORS ChangeLog* NEW* PLUGIN* README* TODO*"
+
+src_configure() {
+       local htmldir="${EPREFIX}"/usr/share/doc/${PF}/html
+       econf \
+               $(use_enable crypt gpgme) \
+               $(use_enable ipv6) \
+               $(use_enable ldap) \
+               $(use_enable oniguruma) \
+               $(use_enable spell gtkspell) \
+               $(use_enable ssl) \
+               $(use_enable xface compface) \
+               --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/${PN}/plugins \
+               --with-manualdir="${htmldir}"/manual \
+               --with-faqdir="${htmldir}"/faq \
+               --disable-updatecheck
+}
+
+src_install() {
+       default
+
+       doicon *.png
+       domenu *.desktop
+
+       cd plugin/attachment_tool
+       emake DESTDIR="${D}" install-plugin
+       docinto plugin/attachment_tool
+       dodoc README
+
+       find "${ED}" -name '*.la' -delete || die
+}
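Review bot: `cd plugin/attachment_tool` in src_install has no failure check, so if the directory is ever missing, the following `emake DESTDIR="${D}" install-plugin` and `dodoc README` run from the top-level source directory instead. Writing it as `cd plugin/attachment_tool || die` makes the failure explicit. Separately, SRC_URI fetches the tarball over plain `http://`, so integrity rests entirely on the Manifest digests. If upstream serves the same path over HTTPS (not verifiable from this page), switching the scheme would be a cheap improvement.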
