Don't display the URL when fetching calendars; it could contain
credentials (CVE-2012-5527). Patch from upstream. Bump PKGREV.
parent
0d2bcc8bc2
commit
f2c5f61652
5 changed files with 123 additions and 3 deletions
|
@ -1,9 +1,9 @@
|
|||
# $NetBSD: Makefile,v 1.36 2012/10/08 23:02:00 adam Exp $
|
||||
# $NetBSD: Makefile,v 1.37 2012/11/29 11:01:15 drochner Exp $
|
||||
#
|
||||
|
||||
DISTNAME= vcalendar-2.0.13
|
||||
PKGNAME= claws-mail-vcalendar-2.0.13
|
||||
PKGREVISION= 4
|
||||
PKGREVISION= 5
|
||||
CATEGORIES= mail
|
||||
MASTER_SITES= http://claws-mail.org/downloads/plugins/
|
||||
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
$NetBSD: distinfo,v 1.14 2012/07/02 19:08:45 drochner Exp $
|
||||
$NetBSD: distinfo,v 1.15 2012/11/29 11:01:16 drochner Exp $
|
||||
|
||||
SHA1 (vcalendar-2.0.13.tar.gz) = 082fde227e6cb3514bab53423718331174e6617c
|
||||
RMD160 (vcalendar-2.0.13.tar.gz) = a34846aa714f076792934bd8ea794f5d0db72ba2
|
||||
Size (vcalendar-2.0.13.tar.gz) = 861524 bytes
|
||||
SHA1 (patch-CVE-2012-5527_1) = 221b291b5fd879a95f156a2482c6f8a8fd7c1fd1
|
||||
SHA1 (patch-CVE-2012-5527_2) = 24b15b3bde4f70103cf2def205d1c7994dcc8b67
|
||||
SHA1 (patch-CVE-2012-5527_3) = a4d5df429262b681e67599b0377ba9b8107ea201
|
||||
|
|
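--- a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1
+++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_1
@@ -0,0 +1,67 @@
+$NetBSD: patch-CVE-2012-5527_1,v 1.1 2012/11/29 11:01:16 drochner Exp $
+
+http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
+
+--- src/vcal_folder.c.orig 2011-11-16 05:41:53.000000000 +0000
++++ src/vcal_folder.c
+@@ -1609,7 +1609,7 @@ void *url_read_thread(void *data)
+return GINT_TO_POINTER(0);
+}
+
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error))
+{
+gchar *result;
+@@ -1618,25 +1618,19 @@ gchar *vcal_curl_read(const char *url, g
+pthread_t pt;
+pthread_attr_t pta;
+#endif
+- gchar *msg;
+void *res;
+gboolean killed;
+gchar *error = NULL;
+result = NULL;
+td = g_new0(thread_data, 1);
+- msg = NULL;
+res = NULL;
+killed = FALSE;
+-
++
+td->url = url;
+td->result = NULL;
+td->done = FALSE;
+-
+- msg = g_strdup_printf(_("Fetching '%s'..."), url);
+-
+- STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg);
+-
+- g_free(msg);
++
++ STATUSBAR_PUSH(mainwindow_get_mainwindow(), label);
+
+#ifdef USE_PTHREAD
+if (pthread_attr_init(&pta) != 0 ||
+@@ -1868,7 +1862,8 @@ static void update_subscription_finish(c
+static void update_subscription(const gchar *uri, gboolean verbose)
+{
+FolderItem *item = get_folder_item_for_uri(uri);
+-
++ gchar *label;
++
+if (prefs_common_get_prefs()->work_offline) {
+if (!verbose ||
+!inc_offline_should_override(TRUE,
+@@ -1882,7 +1877,11 @@ static void update_subscription(const gc
+return;
+}
+main_window_cursor_wait(mainwindow_get_mainwindow());
+- vcal_curl_read(uri, verbose, update_subscription_finish);
++
++ label = g_strdup_printf(_("Fetching calendar for %s..."),
++ item && item->name ? item->name : _("new subscription"));
++ vcal_curl_read(uri, label, verbose, update_subscription_finish);
++ g_free(label);
+}
+
+static void check_subs_cb(GtkAction *action, gpointer data)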
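Review bot: The `callback` handed to `vcal_curl_read` still receives the raw `url` as its first argument, so the credential exposure this patch closes in the status bar may remain wherever `update_subscription_finish` or the fetch error path formats that URL into a dialog or log line; those paths are outside the hunks shown and should be checked. The new `label` parameter is also undocumented and goes to `STATUSBAR_PUSH` unchecked, so I would add above the definition `/* label: text shown in the status bar while fetching; must never be derived from url, which can carry user:password */`. The body of `vcal_curl_read` continues outside these hunks.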
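--- a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2
+++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_2
@@ -0,0 +1,13 @@
+$NetBSD: patch-CVE-2012-5527_2,v 1.1 2012/11/29 11:01:16 drochner Exp $
+
+--- src/vcal_folder.h.orig 2011-11-16 05:41:53.000000000 +0000
++++ src/vcal_folder.h
+@@ -36,7 +36,7 @@ GSList * vcal_folder_get_webcal_events_f
+void vcal_folder_export(Folder *folder);
+
+gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass);
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar
+*error));
+gchar* get_item_event_list_for_date(FolderItem *item, EventTime date);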
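--- a/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3
+++ b/mail/claws-mail-vcalendar/patches/patch-CVE-2012-5527_3
@@ -0,0 +1,37 @@
+$NetBSD: patch-CVE-2012-5527_3,v 1.1 2012/11/29 11:01:16 drochner Exp $
+
+--- src/vcal_meeting_gtk.c.orig 2011-10-30 21:24:29.000000000 +0000
++++ src/vcal_meeting_gtk.c
+@@ -1085,7 +1085,7 @@ static gboolean check_attendees_availabi
+
+if (!local_only) {
+remail = g_strdup(email);
+- g_free(email);
++
+extract_address(remail);
+if (strrchr(remail, ' '))
+user = g_strdup(strrchr(remail, ' ')+1);
+@@ -1125,17 +1125,22 @@ static gboolean check_attendees_availabi
+&& strncmp(tmp, "ftp://", 6))
+contents = file_read_to_str(tmp);
+else {
++ gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email);
+if (!strncmp(tmp, "webcal://", 9)) {
+gchar *tmp2 = g_strdup_printf("http://%s", tmp+9);
+g_free(tmp);
+tmp = tmp2;
+}
+- contents = vcal_curl_read(tmp, FALSE, NULL);
++ contents = vcal_curl_read(tmp, label, FALSE, NULL);
++ g_free(label);
+}
+} else {
+contents = NULL;
+}
++
++ g_free(email);
+g_free(tmp);
++
+if (contents == NULL) {
+uncertain = TRUE;
+att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed"));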
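Review bot: Moving `g_free(email)` out of the `if (!local_only)` branch to after the `else` (hunk `@@ -1125,17 +1125,22 @@`) changes who frees `email` on paths the hunks do not show in full. On the `local_only` path `email` is now freed where the old code, as far as is visible here, did not free it, so any later use or free of `email` in `check_attendees_availability` would become a use-after-free or double free; and any `continue` or `return` between original line 1088 and the new free would now leak it. I would confirm both and make the ownership explicit with `g_free(email); email = NULL;` and the comment `/* email is kept until here because the status label is built from it */`. The function starts and ends outside the hunks.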