From dc48eb17013154887ad47c50138ab721ad55c140e1b9903673aa4111e24bf822 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Thu, 5 Jun 2008 15:24:27 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/evolution?expand=0&rev=38 --- bgo-395708_prefer-plain.patch | 48 ++++ bnc-394441-exchange-addbook-crash.diff | 10 + bug-394641_evo-CVE-2008-1108.diff | 311 +++++++++++++++++++++++++ bug-394641_evo-CVE-2008-1109.diff | 62 +++++ evolution.changes | 10 + evolution.spec | 18 +- 6 files changed, 458 insertions(+), 1 deletion(-) create mode 100644 bgo-395708_prefer-plain.patch create mode 100644 bnc-394441-exchange-addbook-crash.diff create mode 100644 bug-394641_evo-CVE-2008-1108.diff create mode 100644 bug-394641_evo-CVE-2008-1109.diff diff --git a/bgo-395708_prefer-plain.patch b/bgo-395708_prefer-plain.patch new file mode 100644 index 0000000..d280244 --- /dev/null +++ b/bgo-395708_prefer-plain.patch @@ -0,0 +1,48 @@ +--- plugins/prefer-plain/prefer-plain.c 2008/05/27 04:17:04 35553 ++++ plugins/prefer-plain/prefer-plain.c 2008/05/27 12:38:24 35554 +@@ -99,20 +99,41 @@ + int i, nparts, partidlen, displayid = 0; + + if (epp_mode == EPP_NORMAL) { ++ gboolean have_plain = FALSE; ++ + /* Try to find text/html part even when not as last and force to show it. + Old handler will show the last part of multipart/alternate, but if we +- can offer HTML, then offer it, regardless of position in multipart. */ ++ can offer HTML, then offer it, regardless of position in multipart. ++ But do this only when have text/plain in a list, because otherwise it ++ can be something else (like outlooks meeting invites with only text/html ++ part and calendar part). ++ */ + nparts = camel_multipart_get_number (mp); + for (i = 0; i < nparts; i++) { ++ CamelContentType *content_type; ++ + part = camel_multipart_get_part (mp, i); +- if (part && camel_content_type_is (camel_mime_part_get_content_type (part), "text", "html")) { ++ ++ if (!part) ++ continue; ++ ++ content_type = camel_mime_part_get_content_type (part); ++ ++ if (camel_content_type_is (content_type, "text", "html")) { + displayid = i; + display_part = part; +- break; ++ ++ if (have_plain) ++ break; ++ } else if (camel_content_type_is (content_type, "text", "plain")) { ++ have_plain = TRUE; ++ ++ if (display_part) ++ break; + } + } + +- if (display_part) { ++ if (display_part && have_plain) { + g_string_append_printf (t->format->part_id, ".alternative.%d", displayid); + em_format_part_as (t->format, t->stream, display_part, "text/html"); + g_string_truncate (t->format->part_id, partidlen); diff --git a/bnc-394441-exchange-addbook-crash.diff b/bnc-394441-exchange-addbook-crash.diff new file mode 100644 index 0000000..e871330 --- /dev/null +++ b/bnc-394441-exchange-addbook-crash.diff @@ -0,0 +1,10 @@ +--- plugins/exchange-operations/exchange-contacts.c 2008-05-02 01:25:38.000000000 +0530 ++++ plugins/exchange-operations/exchange-contacts.c 2008-05-26 16:28:51.000000000 +0530 +@@ -491,6 +491,7 @@ e_exchange_contacts_commit (EPlugin *epl + if (authtype) { + e_source_set_property (source, "auth-type", authtype); + g_free (authtype); ++ authtype=NULL; + } + e_source_set_property (source, "auth", "plain/password"); + if (rename) { diff --git a/bug-394641_evo-CVE-2008-1108.diff b/bug-394641_evo-CVE-2008-1108.diff new file mode 100644 index 0000000..0480044 --- /dev/null +++ b/bug-394641_evo-CVE-2008-1108.diff @@ -0,0 +1,311 @@ +Index: calendar/gui/e-itip-control.c +=================================================================== +--- calendar/gui/e-itip-control.c (revision 35555) ++++ calendar/gui/e-itip-control.c (working copy) +@@ -660,7 +660,7 @@ find_attendee (icalcomponent *ical_comp, + + static void + write_label_piece (EItipControl *itip, ECalComponentDateTime *dt, +- char *buffer, int size, ++ GString *buffer, + const char *stext, const char *etext, + gboolean just_date) + { +@@ -685,13 +685,13 @@ write_label_piece (EItipControl *itip, E + tmp_tm.tm_hour = tmp_tm.tm_min = tmp_tm.tm_sec = 0; + + if (stext != NULL) +- strcat (buffer, stext); ++ g_string_append (buffer, stext); + + e_time_format_date_and_time (&tmp_tm, + calendar_config_get_24_hour_format (), + FALSE, FALSE, + time_buf, sizeof (time_buf)); +- strcat (buffer, time_buf); ++ g_string_append (buffer, time_buf); + + if (!dt->value->is_utc && dt->tzid) { + zone = icalcomponent_get_timezone (priv->top_level, dt->tzid); +@@ -703,21 +703,21 @@ write_label_piece (EItipControl *itip, E + UTF-8. But it probably is not translated. */ + display_name = icaltimezone_get_display_name (zone); + if (display_name && *display_name) { +- strcat (buffer, " ["); ++ g_string_append_len (buffer, " [", 16); + + /* We check if it is one of our builtin timezone names, + in which case we call gettext to translate it. */ + if (icaltimezone_get_builtin_timezone (display_name)) { +- strcat (buffer, _(display_name)); ++ g_string_append_printf (buffer, "%s", _(display_name)); + } else { +- strcat (buffer, display_name); ++ g_string_append_printf (buffer, "%s", display_name); + } +- strcat (buffer, "]"); ++ g_string_append_len (buffer, "]", 8); + } + } + + if (etext != NULL) +- strcat (buffer, etext); ++ g_string_append (buffer, etext); + } + + static const char * +@@ -754,19 +754,17 @@ get_dayname (struct icalrecurrencetype * + + static void + write_recurrence_piece (EItipControl *itip, ECalComponent *comp, +- char *buffer, int size) ++ GString *buffer) + { + GSList *rrules; + struct icalrecurrencetype *r; +- int len, i; ++ int i; + +- strcpy (buffer, "Recurring: "); +- len = strlen (buffer); +- buffer += len; +- size -= len; ++ g_string_append_len (buffer, "Recurring: ", 18); + + if (!e_cal_component_has_simple_recurrence (comp)) { +- strcpy (buffer, _("Yes. (Complex Recurrence)")); ++ g_string_append_printf ( ++ buffer, "%s", _("Yes. (Complex Recurrence)")); + return; + } + +@@ -782,7 +780,10 @@ write_recurrence_piece (EItipControl *it + Every %d day/days" */ + /* For Translators : 'Every day' is event Recurring every day */ + /* For Translators : 'Every %d days' is event Recurring every %d days. %d is a digit */ +- sprintf (buffer, ngettext("Every day", "Every %d days", r->interval), r->interval); ++ g_string_append_printf ( ++ buffer, ngettext ("Every day", ++ "Every %d days", r->interval), ++ r->interval); + break; + + case ICAL_WEEKLY_RECURRENCE: +@@ -792,29 +793,36 @@ write_recurrence_piece (EItipControl *it + Every %d week/weeks" */ + /* For Translators : 'Every week' is event Recurring every week */ + /* For Translators : 'Every %d weeks' is event Recurring every %d weeks. %d is a digit */ +- sprintf (buffer, ngettext("Every week", "Every %d weeks", r->interval), r->interval); ++ g_string_append_printf ( ++ buffer, ngettext ("Every week", ++ "Every %d weeks", r->interval), ++ r->interval); + } else { + /* For Translators : 'Every week on' is event Recurring every week on (dayname) and (dayname) and (dayname) */ + /* For Translators : 'Every %d weeks on' is event Recurring: every %d weeks on (dayname) and (dayname). %d is a digit */ +- sprintf (buffer, ngettext("Every week on ", "Every %d weeks on ", r->interval), r->interval); ++ g_string_append_printf ( ++ buffer, ngettext ("Every week on ", ++ "Every %d weeks on ", r->interval), ++ r->interval); + + for (i = 1; i < 8 && r->by_day[i] != ICAL_RECURRENCE_ARRAY_MAX; i++) { + if (i > 1) +- strcat (buffer, ", "); +- strcat (buffer, get_dayname (r, i - 1)); ++ g_string_append_len (buffer, ", ", 2); ++ g_string_append (buffer, get_dayname (r, i - 1)); + } + if (i > 1) + /* For Translators : 'and' is part of the sentence 'event recurring every week on (dayname) and (dayname)' */ +- strcat (buffer, _(" and ")); +- strcat (buffer, get_dayname (r, i - 1)); ++ g_string_append_printf (buffer, "%s", _(" and ")); ++ g_string_append (buffer, get_dayname (r, i - 1)); + } + break; + + case ICAL_MONTHLY_RECURRENCE: + if (r->by_month_day[0] != ICAL_RECURRENCE_ARRAY_MAX) { + /* For Translators : 'The %s day of' is part of the sentence 'event recurring on the (nth) day of every month.' */ +- sprintf (buffer, _("The %s day of "), +- nth (r->by_month_day[0])); ++ g_string_append_printf ( ++ buffer, _("The %s day of "), ++ nth (r->by_month_day[0])); + } else { + int pos; + +@@ -828,20 +836,21 @@ write_recurrence_piece (EItipControl *it + + /* For Translators : 'The %s %s of' is part of the sentence 'event recurring on the (nth) (dayname) of every month.' + eg,third monday of every month */ +- sprintf (buffer, _("The %s %s of "), +- nth (pos), get_dayname (r, 0)); ++ g_string_append_printf ( ++ buffer, _("The %s %s of "), ++ nth (pos), get_dayname (r, 0)); + } + +- len = strlen (buffer); +- buffer += len; +- size -= len; + /* For Translators: In this can also be translated as "With the period of %d + month/months", where %d is a number. The entire sentence is of the form "Recurring: + Every %d month/months" */ + /* For Translators : 'every month' is part of the sentence 'event recurring on the (nth) day of every month.' */ + /* For Translators : 'every %d months' is part of the sentence 'event recurring on the (nth) day of every %d months.' + %d is a digit */ +- sprintf (buffer, ngettext("every month","every %d months", r->interval), r->interval); ++ g_string_append_printf ( ++ buffer, ngettext ("every month", ++ "every %d months", r->interval), ++ r->interval); + break; + + case ICAL_YEARLY_RECURRENCE: +@@ -850,20 +859,22 @@ write_recurrence_piece (EItipControl *it + Every %d year/years" */ + /* For Translators : 'Every year' is event Recurring every year */ + /* For Translators : 'Every %d years' is event Recurring every %d years. %d is a digit */ +- sprintf (buffer, ngettext("Every year", "Every %d years", r->interval), r->interval); ++ g_string_append_printf ( ++ buffer, ngettext ("Every year", ++ "Every %d years", r->interval), ++ r->interval); + break; + + default: + g_return_if_reached (); + } + +- len = strlen (buffer); +- buffer += len; +- size -= len; + if (r->count) { + /* For Translators:'a total of %d time' is part of the sentence of the form 'event recurring every day,a total of % time.' %d is a digit*/ + /* For Translators:'a total of %d times' is part of the sentence of the form 'event recurring every day,a total of % times.' %d is a digit*/ +- sprintf (buffer, ngettext("a total of %d time", " a total of %d times", r->count), r->count); ++ g_string_append_printf ( ++ buffer, ngettext ("a total of %d time", ++ " a total of %d times", r->count), r->count); + } else if (!icaltime_is_null_time (r->until)) { + ECalComponentDateTime dt; + +@@ -871,12 +882,12 @@ write_recurrence_piece (EItipControl *it + dt.value = &r->until; + dt.tzid = icaltimezone_get_tzid ((icaltimezone *)r->until.zone); + +- write_label_piece (itip, &dt, buffer, size, ++ write_label_piece (itip, &dt, buffer, + /* For Translators : ', ending on' is part of the sentence of the form 'event recurring every day, ending on (date).'*/ + _(", ending on "), NULL, TRUE); + } + +- strcat (buffer, "
"); ++ g_string_append_len (buffer, "
", 4); + } + + static void +@@ -884,47 +895,51 @@ set_date_label (EItipControl *itip, GtkH + ECalComponent *comp) + { + ECalComponentDateTime datetime; +- static char buffer[1024]; ++ GString *buffer; + gchar *str; + gboolean wrote = FALSE, task_completed = FALSE; + ECalComponentVType type; + ++ buffer = g_string_sized_new (1024); + type = e_cal_component_get_vtype (comp); + +- buffer[0] = '\0'; + e_cal_component_get_dtstart (comp, &datetime); + if (datetime.value) { + /* For Translators : 'starts' is starts:date implying a task starts on what date */ + str = g_strdup_printf ("%s:", _("Starts")); +- write_label_piece (itip, &datetime, buffer, 1024, +- str, +- "
", FALSE); +- gtk_html_write (html, html_stream, buffer, strlen(buffer)); ++ write_label_piece (itip, &datetime, buffer, str, "
", FALSE); ++ gtk_html_write (html, html_stream, buffer->str, buffer->len); + wrote = TRUE; + g_free (str); + } + e_cal_component_free_datetime (&datetime); + +- buffer[0] = '\0'; ++ /* Reset the buffer. */ ++ g_string_truncate (buffer, 0); ++ + e_cal_component_get_dtend (comp, &datetime); + if (datetime.value){ + /* For Translators : 'ends' is ends:date implying a task ends on what date */ + str = g_strdup_printf ("%s:", _("Ends")); +- write_label_piece (itip, &datetime, buffer, 1024, str, "
", FALSE); +- gtk_html_write (html, html_stream, buffer, strlen (buffer)); ++ write_label_piece (itip, &datetime, buffer, str, "
", FALSE); ++ gtk_html_write (html, html_stream, buffer->str, buffer->len); + wrote = TRUE; + g_free (str); + } + e_cal_component_free_datetime (&datetime); + +- buffer[0] = '\0'; ++ /* Reset the buffer. */ ++ g_string_truncate (buffer, 0); ++ + if (e_cal_component_has_recurrences (comp)) { +- write_recurrence_piece (itip, comp, buffer, 1024); +- gtk_html_write (html, html_stream, buffer, strlen (buffer)); ++ write_recurrence_piece (itip, comp, buffer); ++ gtk_html_write (html, html_stream, buffer->str, buffer->len); + wrote = TRUE; + } + +- buffer[0] = '\0'; ++ /* Reset the buffer. */ ++ g_string_truncate (buffer, 0); ++ + datetime.tzid = NULL; + e_cal_component_get_completed (comp, &datetime.value); + if (type == E_CAL_COMPONENT_TODO && datetime.value) { +@@ -932,20 +947,22 @@ set_date_label (EItipControl *itip, GtkH + timezone. */ + str = g_strdup_printf ("%s:", _("Completed")); + datetime.value->is_utc = TRUE; +- write_label_piece (itip, &datetime, buffer, 1024, str, "
", FALSE); +- gtk_html_write (html, html_stream, buffer, strlen (buffer)); ++ write_label_piece (itip, &datetime, buffer, str, "
", FALSE); ++ gtk_html_write (html, html_stream, buffer->str, buffer->len); + wrote = TRUE; + task_completed = TRUE; + g_free (str); + } + e_cal_component_free_datetime (&datetime); + +- buffer[0] = '\0'; ++ /* Reset the buffer. */ ++ g_string_truncate (buffer, 0); ++ + e_cal_component_get_due (comp, &datetime); + if (type == E_CAL_COMPONENT_TODO && !task_completed && datetime.value) { + str = g_strdup_printf ("%s:", _("Due")); +- write_label_piece (itip, &datetime, buffer, 1024, str, "
", FALSE); +- gtk_html_write (html, html_stream, buffer, strlen (buffer)); ++ write_label_piece (itip, &datetime, buffer, str, "
", FALSE); ++ gtk_html_write (html, html_stream, buffer->str, buffer->len); + wrote = TRUE; + g_free (str); + } +@@ -954,6 +971,8 @@ set_date_label (EItipControl *itip, GtkH + + if (wrote) + gtk_html_stream_printf (html_stream, "
"); ++ ++ g_string_free (buffer, TRUE); + } + + static void diff --git a/bug-394641_evo-CVE-2008-1109.diff b/bug-394641_evo-CVE-2008-1109.diff new file mode 100644 index 0000000..4e0626b --- /dev/null +++ b/bug-394641_evo-CVE-2008-1109.diff @@ -0,0 +1,62 @@ +Index: calendar/gui/itip-utils.c +=================================================================== +--- calendar/gui/itip-utils.c (revision 35555) ++++ calendar/gui/itip-utils.c (working copy) +@@ -172,50 +172,16 @@ get_attendee_if_attendee_sentby_is_user + } + + static char * +-html_new_lines_for (char *string) ++html_new_lines_for (const char *string) + { +- char *html_string = (char *) malloc (sizeof (char)* (3500)); +- int length = strlen (string); +- int index = 0; +- char *index_ptr = string; +- char *temp = string; ++ gchar **lines; ++ gchar *joined; + +- /*Find the first occurence*/ +- index_ptr = strstr ((const char *)temp, "\n"); ++ lines = g_strsplit_set (string, "\n", -1); ++ joined = g_strjoinv ("
", lines); ++ g_strfreev (lines); + +- /*Doesn't occur*/ +- if (index_ptr == NULL) { +- strcpy (html_string, (const char *)string); +- html_string[length] = '\0'; +- return html_string; +- } +- +- /*Split into chunks inserting
for \n */ +- do{ +- while (temp != index_ptr){ +- html_string[index++] = *temp; +- temp++; +- } +- temp++; +- +- html_string[index++] = '<'; +- html_string[index++] = 'b'; +- html_string[index++] = 'r'; +- html_string[index++] = '>'; +- +- index_ptr = strstr ((const char *)temp, "\n"); +- +- } while (index_ptr); +- +- /*Don't leave out the last chunk*/ +- while (*temp != '\0'){ +- html_string[index++] = *temp; +- temp++; +- } +- +- html_string[index] = '\0'; +- +- return html_string; ++ return joined; + } + + char * diff --git a/evolution.changes b/evolution.changes index d9660fd..d853786 100644 --- a/evolution.changes +++ b/evolution.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Jun 2 10:43:43 CEST 2008 - abharath@suse.de +- Added + - bnc#394641 - VUL-0: evolution buffer overflows + Patches Added: + bug-394641_evo-CVE-2008-1108.diff + bug-394641_evo-CVE-2008-1109.diff + - bnc#395708 - bgo-395708_prefer-plain.patch - Outlook meeting invites look as text messages + - bnc#394441 - bnc-394441-exchange-addbook-crash.diff - Addressbook crash + ------------------------------------------------------------------- Wed May 21 21:27:53 IST 2008 - msuman@suse.de diff --git a/evolution.spec b/evolution.spec index bc28b2c..74885f0 100644 --- a/evolution.spec +++ b/evolution.spec @@ -22,7 +22,7 @@ AutoReqProv: on # BASE_VERSION (as defined in configure.in). %define evolution_base_version 2.22 Version: 2.22.1.1 -Release: 9 +Release: 14 Summary: The Integrated GNOME Mail, Calendar, and Address Book Suite #Source: ftp://ftp.gnome.org/pub/gnome/sources/evolution/2.22/%{name}-%{version}.tar.bz2 Source0: %{name}-%{version}.tar.bz2 @@ -58,6 +58,10 @@ Patch13: bgo-531519-print-preview-crash.patch Patch14: bgo-534012-backup-permission.patch # PATCH-FIX-UPSTREAM bgo-533820-fix-crash-on-border-clicking-meetings.diff bgo#533820 bnc#391993 pchenthill@suse.de -- Patch is in Upstream now Patch15: bgo-533820-fix-crash-on-border-clicking-meetings.diff +Patch16: bnc-394441-exchange-addbook-crash.diff +Patch17: bgo-395708_prefer-plain.patch +Patch18: bug-394641_evo-CVE-2008-1108.diff +Patch19: bug-394641_evo-CVE-2008-1109.diff Url: http://gnome.org/projects/evolution/ BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: yelp @@ -296,6 +300,10 @@ Authors: %patch13 %patch14 %patch15 +%patch16 +%patch17 +%patch18 +%patch19 %build autoreconf -f -i @@ -407,6 +415,14 @@ fi %{_libdir}/evolution/*/conduits/*.so %changelog +* Mon Jun 02 2008 abharath@suse.de +- Added + - bnc#394641 - VUL-0: evolution buffer overflows + Patches Added: + bug-394641_evo-CVE-2008-1108.diff + bug-394641_evo-CVE-2008-1109.diff + - bnc#395708 - bgo-395708_prefer-plain.patch - Outlook meeting invites look as text messages + - bnc#394441 - bnc-394441-exchange-addbook-crash.diff - Addressbook crash * Wed May 21 2008 msuman@suse.de - Added + bgo-534012-backup-permission.patch (Sankar P)