author | Mart Raudsepp <leio@gentoo.org> | 2008-03-05 09:04:30 +0000 |
---|---|---|
committer | Mart Raudsepp <leio@gentoo.org> | 2008-03-05 09:04:30 +0000 |
commit | 05d6784ce3704e53d5a07864964c80f0382b0bcd (patch) | |
tree | b09f24b1438630688c22be66b08fac6aa6a77126 /mail-client | |
parent | version bump (diff) | |
Security fix for "Encrypted Message Version Format String Vulnerability". Stable on alpha, amd64, hppa, ia64, ppc64, sparc and x86
(Portage version: 2.1.4.4, RepoMan options: --force)
Diffstat (limited to 'mail-client')
-rw-r--r-- | mail-client/evolution/ChangeLog | 9 | ||||
-rw-r--r-- | mail-client/evolution/evolution-2.12.3-r1.ebuild | 175 | ||||
-rw-r--r-- | mail-client/evolution/files/evolution-CVE-2008-0072.patch | 61 |
3 files changed, 244 insertions, 1 deletions
diff --git a/mail-client/evolution/ChangeLog b/mail-client/evolution/ChangeLog index f76e3033227f..26b3a6021173 100644 --- a/mail-client/evolution/ChangeLog +++ b/mail-client/evolution/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for mail-client/evolution # Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/mail-client/evolution/ChangeLog,v 1.225 2008/02/04 04:09:08 jer Exp $ +# $Header: /var/cvsroot/gentoo-x86/mail-client/evolution/ChangeLog,v 1.226 2008/03/05 09:04:29 leio Exp $ + +*evolution-2.12.3-r1 (05 Mar 2008) + + 05 Mar 2008; Mart Raudsepp <leio@gentoo.org> + +files/evolution-CVE-2008-0072.patch, +evolution-2.12.3-r1.ebuild: + Security fix for "Encrypted Message Version Format String Vulnerability". + Stable on alpha, amd64, hppa, ia64, ppc64, sparc and x86 04 Feb 2008; Jeroen Roovers <jer@gentoo.org> evolution-2.12.2.ebuild: Stable for HPPA (bug #208366). diff --git a/mail-client/evolution/evolution-2.12.3-r1.ebuild b/mail-client/evolution/evolution-2.12.3-r1.ebuild new file mode 100644 index 000000000000..4b428818adea --- /dev/null +++ b/mail-client/evolution/evolution-2.12.3-r1.ebuild 
@@ -0,0 +1,175 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/mail-client/evolution/evolution-2.12.3-r1.ebuild,v 1.1 2008/03/05 09:04:29 leio Exp $
+EAPI="1"
+
+inherit gnome2 flag-o-matic
+
+DESCRIPTION="Integrated mail, addressbook and calendaring functionality"
+HOMEPAGE="http://www.gnome.org/projects/evolution/"
+SRC_URI="${SRC_URI}"
+
+LICENSE="GPL-2 FDL-1.1"
+SLOT="2.0"
+KEYWORDS="alpha amd64 hppa ia64 ~ppc ppc64 sparc x86 ~x86-fbsd"
+# gstreamer for audio-inline, when it uses 0.10
+IUSE="crypt dbus debug doc hal ipv6 kerberos krb4 ldap mono networkmanager nntp pda profile spell ssl"
+
+# Pango dependency required to avoid font rendering problems
+RDEPEND="
+ >=x11-libs/gtk+-2.10
+ >=gnome-extra/evolution-data-server-1.11.90
+ >=x11-themes/gnome-icon-theme-1.2
+ >=gnome-base/gnome-vfs-2.4
+ >=gnome-base/libbonoboui-2.4.2
+ >=gnome-base/libbonobo-2.16
+ >=gnome-extra/gtkhtml-3.16
+ >=gnome-base/gconf-2
+ >=gnome-base/libglade-2
+ >=gnome-base/libgnomecanvas-2
+ >=gnome-base/libgnomeui-2
+ >=dev-libs/libxml2-2
+ dbus? ( dev-libs/dbus-glib )
+ hal? ( >=sys-apps/hal-0.5.4 )
+ x11-libs/libnotify
+ pda? (
+ >=app-pda/gnome-pilot-2.0.15
+ >=app-pda/gnome-pilot-conduits-2 )
+ dev-libs/atk
+ ssl? (
+ >=dev-libs/nspr-4.6.1
+ >=dev-libs/nss-3.11 )
+ networkmanager? ( net-misc/networkmanager )
+ >=net-libs/libsoup-2.2.96:2.2
+ kerberos? ( virtual/krb5 )
+ krb4? ( virtual/krb5 )
+ >=dev-libs/glib-2.10
+ >=gnome-base/orbit-2.9.8
+ spell? ( >=app-text/gnome-spell-1.0.5 )
+ crypt? ( || ( >=app-crypt/gnupg-2.0.1-r2 =app-crypt/gnupg-1.4* ) )
+ ldap? ( >=net-nds/openldap-2 )
+ mono? ( >=dev-lang/mono-1 )"
+# gstreamer? (
+# >=media-libs/gstreamer-0.10
+# >=media-libs/gst-plugins-base-0.10 )
+
+DEPEND="${RDEPEND}
+ >=dev-util/pkgconfig-0.16
+ >=dev-util/intltool-0.35.5
+ sys-devel/gettext
+ sys-devel/bison
+ app-text/scrollkeeper
+ >=gnome-base/gnome-common-2.12.0
+ >=app-text/gnome-doc-utils-0.9.1
+ doc? ( >=dev-util/gtk-doc-0.6 )"
+
+DOCS="AUTHORS ChangeLog* HACKING MAINTAINERS NEWS* README"
+ELTCONF="--reverse-deps"
+
+pkg_setup() {
+ G2CONF="--without-kde-applnk-path \
+ --enable-plugins=experimental \
+ $(use_enable ssl nss) \
+ $(use_enable ssl smime) \
+ $(use_enable ipv6) \
+ $(use_enable mono) \
+ $(use_enable nntp) \
+ $(use_enable pda pilot-conduits) \
+ $(use_enable profile profiling) \
+ $(use_with ldap openldap) \
+ $(use_with kerberos krb5 /usr)"
+
+ # We need a graphical pinentry frontend to be able to ask for the GPG
+ # password from inside evolution, bug 160302
+ if use crypt && has_version '>=app-crypt/gnupg-2.0.1-r2'; then
+ if ! built_with_use -o app-crypt/pinentry gtk qt3; then
+ die "You must build app-crypt/pinentry with GTK or QT3 support"
+ fi
+ fi
+
+ if use krb4 && ! built_with_use virtual/krb5 krb4; then
+ ewarn
+ ewarn "In order to add kerberos 4 support, you have to emerge"
+ ewarn "virtual/krb5 with the 'krb4' USE flag enabled as well."
+ ewarn
+ ewarn "Skipping for now."
+ ewarn
+ G2CONF="${G2CONF} --without-krb4"
+ else
+ G2CONF="${G2CONF} $(use_with krb4 krb4 /usr)"
+ fi
+
+ # dang - I've changed this to do --enable-plugins=experimental. This will autodetect
+ # new-mail-notify and exchange, but that cannot be helped for the moment.
+ # They should be changed to depend on a --enable-<foo> like mono is. This
+ # cleans up a ton of crap from this ebuild.
+}
+
+src_unpack() {
+ gnome2_src_unpack
+
+ # Mail-remote doesn't build
+ epatch "${FILESDIR}"/${PN}-2.12.1-mail-remote-broken.patch
+
+ # Fix timezone offsets on fbsd. bug #183708
+ epatch "${FILESDIR}"/${PN}-2.10.2-fbsd.patch
+
+ # Fix CVE-2008-0072
+ epatch "${FILESDIR}"/${PN}-CVE-2008-0072.patch
+
+ # Fix tests (again)
+ echo "evolution-addressbook.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-calendar.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-composer-entries.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-event-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-mail-global.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-mail-list.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-mail-message.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-mail-messagedisplay.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-memo-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-memos.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-message-composer.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-signature-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-subscribe.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-task-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-tasks.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution.xml" >> "${S}"/po/POTFILES.in
+}
+
+src_compile() {
+ # Use NSS/NSPR only if 'ssl' is enabled.
+ if use ssl ; then
+ sed -i -e "s|mozilla-nss|nss|
+ s|mozilla-nspr|nspr|" "${S}"/configure
+ G2CONF="${G2CONF} --enable-nss=yes"
+ else
+ G2CONF="${G2CONF} --without-nspr-libs --without-nspr-includes \
+ --without-nss-libs --without-nss-includes"
+ fi
+
+ # problems with -O3 on gcc-3.3.1
+ replace-flags -O3 -O2
+
+ if [ "${ARCH}" = "hppa" ]; then
+ append-flags "-fPIC -ffunction-sections"
+ export LDFLAGS="-ffunction-sections -Wl,--stub-group-size=25000"
+ fi
+
+ gnome2_src_compile
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+
+ elog "To change the default browser if you are not using GNOME, do:"
+ elog "gconftool-2 --set /desktop/gnome/url-handlers/http/command -t string 'mozilla %s'"
+ elog "gconftool-2 --set /desktop/gnome/url-handlers/https/command -t string 'mozilla %s'"
+ elog ""
+ elog "Replace 'mozilla %s' with which ever browser you use."
+ elog ""
+ elog "Junk filters are now a run-time choice. You will get a choice of"
+ elog "bogofilter or spamassassin based on which you have installed"
+ elog ""
+ elog "You have to install one of these for the spam filtering to actually work"
+}
diff --git a/mail-client/evolution/files/evolution-CVE-2008-0072.patch b/mail-client/evolution/files/evolution-CVE-2008-0072.patch
new file mode 100644
index 000000000000..7c371189c486
--- /dev/null
+++ b/mail-client/evolution/files/evolution-CVE-2008-0072.patch
@@ -0,0 +1,61 @@
+A format string error in the "emf_multipart_encrypted()" function in
+mail/em-format.c when displaying the "Version:" field from an encrypted
+e-mail message can be exploited to execute arbitrary code via a
+specially crafted e-mail message.
+
+Successful exploitation requires that the user opens a malicious e-mail
+message.
+
+Ulf Harnhammar, Secunia Research.
+
+SA29057 and CVE-2008-0072
+
+Index: mail/em-format.c
+===================================================================
+--- mail/em-format.c (revision 35096)
++++ mail/em-format.c (working copy)
+@@ -1193,7 +1193,7 @@ emf_application_xpkcs7mime(EMFormat *emf
+ opart = camel_mime_part_new();
+ valid = camel_cipher_decrypt(context, part, opart, ex);
+ if (valid == NULL) {
+- em_format_format_error(emf, stream, ex->desc?ex->desc:_("Could not parse S/MIME message: Unknown error"));
++ em_format_format_error(emf, stream, "%s", ex->desc?ex->desc:_("Could not parse S/MIME message: Unknown error"));
+ em_format_part_as(emf, stream, part, NULL);
+ } else {
+ if (emfc == NULL)
+@@ -1350,7 +1350,7 @@ emf_multipart_encrypted(EMFormat *emf, C
+ if (valid == NULL) {
+ em_format_format_error(emf, stream, ex->desc?_("Could not parse PGP/MIME message"):_("Could not parse PGP/MIME message: Unknown error"));
+ if (ex->desc)
+- em_format_format_error(emf, stream, ex->desc);
++ em_format_format_error(emf, stream, "%s", ex->desc);
+ em_format_part_as(emf, stream, part, "multipart/mixed");
+ } else {
+ if (emfc == NULL)
+@@ -1515,7 +1515,7 @@ emf_multipart_signed(EMFormat *emf, Came
+ if (valid == NULL) {
+ em_format_format_error(emf, stream, ex->desc?_("Error verifying signature"):_("Unknown error verifying signature"));
+ if (ex->desc)
+- em_format_format_error(emf, stream, ex->desc);
++ em_format_format_error(emf, stream, "%s", ex->desc);
+ em_format_part_as(emf, stream, part, "multipart/mixed");
+ } else {
+ if (emfc == NULL)
+@@ -1586,7 +1586,7 @@ emf_inlinepgp_signed(EMFormat *emf, Came
+ if (!valid) {
+ em_format_format_error(emf, stream, ex->desc?_("Error verifying signature"):_("Unknown error verifying signature"));
+ if (ex->desc)
+- em_format_format_error(emf, stream, ex->desc);
++ em_format_format_error(emf, stream, "%s", ex->desc);
+ em_format_format_source(emf, stream, ipart);
+ /* I think this will loop: em_format_part_as(emf, stream, part, "text/plain"); */
+ camel_exception_free(ex);
+@@ -1658,7 +1658,7 @@ emf_inlinepgp_encrypted(EMFormat *emf, C
+ if (!valid) {
+ em_format_format_error(emf, stream, ex->desc?_("Could not parse PGP message"):_("Could not parse PGP message: Unknown error"));
+ if (ex->desc)
+- em_format_format_error(emf, stream, ex->desc);
++ em_format_format_error(emf, stream, "%s", ex->desc);
+ em_format_format_source(emf, stream, ipart);
+ /* I think this will loop: em_format_part_as(emf, stream, part, "text/plain"); */
+ camel_exception_free(ex); |
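Review bot: In emf_multipart_encrypted, emf_multipart_signed, emf_inlinepgp_signed and emf_inlinepgp_encrypted, the call directly above each fixed line still passes a non-literal format string, because the third argument is the result of `_()` chosen by `ex->desc?…:…`, so the format comes from the translation catalog instead of the source. None of those messages contains a conversion specifier as shown, but passing them as data would make every call site uniform and keep `-Wformat-security` quiet, e.g. `em_format_format_error(emf, stream, "%s", ex->desc ? _("Could not parse PGP/MIME message") : _("Could not parse PGP/MIME message: Unknown error"));`. The declaration of em_format_format_error is outside this patch, so this is unverified, but if it carries no printf format attribute, adding `G_GNUC_PRINTF (3, 4)` there would let the compiler flag any other call of this shape. The patch header names only emf_multipart_encrypted() although five functions are changed, and each inner hunk shows only part of its function, so it is worth extending the description to list all five.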