[arch-commits] CVS update of extra/network/evolution (2 files)

Jan de Groot jgc at archlinux.org
Thu Mar 6 18:26:24 UTC 2008 

    Date: Thursday, March 6, 2008 @ 13:26:24
  Author: jgc
    Path: /home/cvs-extra/extra/network/evolution

   Added: evolution-CVE-2008-0072.patch (1.1)
Modified: PKGBUILD (1.64 -> 1.65)

Security fix (FS#9768)


-------------------------------+
 PKGBUILD                      |   10 +++---
 evolution-CVE-2008-0072.patch |   61 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 4 deletions(-)


Index: extra/network/evolution/PKGBUILD
diff -u extra/network/evolution/PKGBUILD:1.64 extra/network/evolution/PKGBUILD:1.65
--- extra/network/evolution/PKGBUILD:1.64	Thu Jan 10 16:24:03 2008
+++ extra/network/evolution/PKGBUILD	Thu Mar  6 13:26:24 2008
@@ -1,9 +1,9 @@
-# $Id: PKGBUILD,v 1.64 2008/01/10 21:24:03 jgc Exp $
+# $Id: PKGBUILD,v 1.65 2008/03/06 18:26:24 jgc Exp $
 # Maintainer: dale <dale at archlinux.org>
 
 pkgname=evolution
 pkgver=2.12.3
-pkgrel=1
+pkgrel=2
 pkgdesc="Integrated Workgroup and Personal Information Management for Gnome"
 arch=(i686 x86_64)
 license=('GPL')
@@ -12,11 +12,13 @@
 options=('!libtool' '!emptydirs')
 install=evolution.install
 url=(http://www.gnome.org/projects/evolution/)
-source=(http://ftp.gnome.org/pub/gnome/sources/${pkgname}/2.12/${pkgname}-${pkgver}.tar.bz2)
-md5sums=('554698d7387aee82c5f4d4520760503d')
+source=(http://ftp.gnome.org/pub/gnome/sources/${pkgname}/2.12/${pkgname}-${pkgver}.tar.bz2
+	evolution-CVE-2008-0072.patch)
+md5sums=('554698d7387aee82c5f4d4520760503d' 'bf92e58da9603b58bbbd7b8316aa994e')
 
 build() {
   cd ${startdir}/src/${pkgname}-${pkgver}
+  patch -Np0 -i ${startdir}/src/evolution-CVE-2008-0072.patch || return 1
 
   ./configure --prefix=/usr --sysconfdir=/etc \
         --localstatedir=/var \
Index: extra/network/evolution/evolution-CVE-2008-0072.patch
diff -u /dev/null extra/network/evolution/evolution-CVE-2008-0072.patch:1.1
--- /dev/null	Thu Mar  6 13:26:24 2008
+++ extra/network/evolution/evolution-CVE-2008-0072.patch	Thu Mar  6 13:26:24 2008
@@ -0,0 +1,61 @@
+A format string error in the "emf_multipart_encrypted()" function in
+mail/em-format.c when displaying the "Version:" field from an encrypted
+e-mail message can be exploited to execute arbitrary code via a
+specially crafted e-mail message.
+
+Successful exploitation requires that the user opens a malicious e-mail
+message.
+
+Ulf Harnhammar, Secunia Research.
+
+SA29057 and CVE-2008-0072
+
+Index: mail/em-format.c
+===================================================================
+--- mail/em-format.c	(revision 35096)
++++ mail/em-format.c	(working copy)
+@@ -1193,7 +1193,7 @@ emf_application_xpkcs7mime(EMFormat *emf
+ 	opart = camel_mime_part_new();
+ 	valid = camel_cipher_decrypt(context, part, opart, ex);
+ 	if (valid == NULL) {
+-		em_format_format_error(emf, stream, ex->desc?ex->desc:_("Could not parse S/MIME message: Unknown error"));
++		em_format_format_error(emf, stream, "%s", ex->desc?ex->desc:_("Could not parse S/MIME message: Unknown error"));
+ 		em_format_part_as(emf, stream, part, NULL);
+ 	} else {
+ 		if (emfc == NULL)
+@@ -1350,7 +1350,7 @@ emf_multipart_encrypted(EMFormat *emf, C
+ 	if (valid == NULL) {
+ 		em_format_format_error(emf, stream, ex->desc?_("Could not parse PGP/MIME message"):_("Could not parse PGP/MIME message: Unknown error"));
+ 		if (ex->desc)
+-			em_format_format_error(emf, stream, ex->desc);
++			em_format_format_error(emf, stream, "%s", ex->desc);
+ 		em_format_part_as(emf, stream, part, "multipart/mixed");
+ 	} else {
+ 		if (emfc == NULL)
+@@ -1515,7 +1515,7 @@ emf_multipart_signed(EMFormat *emf, Came
+ 		if (valid == NULL) {
+ 			em_format_format_error(emf, stream, ex->desc?_("Error verifying signature"):_("Unknown error verifying signature"));
+ 			if (ex->desc)
+-				em_format_format_error(emf, stream, ex->desc);
++				em_format_format_error(emf, stream, "%s", ex->desc);
+ 			em_format_part_as(emf, stream, part, "multipart/mixed");
+ 		} else {
+ 			if (emfc == NULL)
+@@ -1586,7 +1586,7 @@ emf_inlinepgp_signed(EMFormat *emf, Came
+ 	if (!valid) {
+ 		em_format_format_error(emf, stream, ex->desc?_("Error verifying signature"):_("Unknown error verifying signature"));
+ 		if (ex->desc)
+-			em_format_format_error(emf, stream, ex->desc);
++			em_format_format_error(emf, stream, "%s", ex->desc);
+ 		em_format_format_source(emf, stream, ipart);
+ 		/* I think this will loop: em_format_part_as(emf, stream, part, "text/plain"); */
+ 		camel_exception_free(ex);
+@@ -1658,7 +1658,7 @@ emf_inlinepgp_encrypted(EMFormat *emf, C
+ 	if (!valid) {
+ 		em_format_format_error(emf, stream, ex->desc?_("Could not parse PGP message"):_("Could not parse PGP message: Unknown error"));
+ 		if (ex->desc)
+-			em_format_format_error(emf, stream, ex->desc);
++			em_format_format_error(emf, stream, "%s", ex->desc);
+ 		em_format_format_source(emf, stream, ipart);
+ 		/* I think this will loop: em_format_part_as(emf, stream, part, "text/plain"); */
+ 		camel_exception_free(ex);

More information about the arch-commits mailing list