diff --git a/bgo-395708_prefer-plain.patch b/bgo-395708_prefer-plain.patch
new file mode 100644
index 0000000..d280244
--- /dev/null
+++ b/bgo-395708_prefer-plain.patch
@@ -0,0 +1,48 @@
+--- plugins/prefer-plain/prefer-plain.c 2008/05/27 04:17:04 35553
++++ plugins/prefer-plain/prefer-plain.c 2008/05/27 12:38:24 35554
+@@ -99,20 +99,41 @@
+ int i, nparts, partidlen, displayid = 0;
+
+ if (epp_mode == EPP_NORMAL) {
++ gboolean have_plain = FALSE;
++
+ /* Try to find text/html part even when not as last and force to show it.
+ Old handler will show the last part of multipart/alternate, but if we
+- can offer HTML, then offer it, regardless of position in multipart. */
++ can offer HTML, then offer it, regardless of position in multipart.
++ But do this only when have text/plain in a list, because otherwise it
++ can be something else (like outlooks meeting invites with only text/html
++ part and calendar part).
++ */
+ nparts = camel_multipart_get_number (mp);
+ for (i = 0; i < nparts; i++) {
++ CamelContentType *content_type;
++
+ part = camel_multipart_get_part (mp, i);
+- if (part && camel_content_type_is (camel_mime_part_get_content_type (part), "text", "html")) {
++
++ if (!part)
++ continue;
++
++ content_type = camel_mime_part_get_content_type (part);
++
++ if (camel_content_type_is (content_type, "text", "html")) {
+ displayid = i;
+ display_part = part;
+- break;
++
++ if (have_plain)
++ break;
++ } else if (camel_content_type_is (content_type, "text", "plain")) {
++ have_plain = TRUE;
++
++ if (display_part)
++ break;
+ }
+ }
+
+- if (display_part) {
++ if (display_part && have_plain) {
+ g_string_append_printf (t->format->part_id, ".alternative.%d", displayid);
+ em_format_part_as (t->format, t->stream, display_part, "text/html");
+ g_string_truncate (t->format->part_id, partidlen);
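Review bot: The loop exit is split across two branches, `if (have_plain) break;` in the text/html arm and `if (display_part) break;` in the text/plain arm, which together express one condition: stop once both an HTML part and a plain part have been seen. A single `if (display_part && have_plain) break;` placed after the if/else chain would behave the same and would mirror the `if (display_part && have_plain)` test that follows the loop, keeping the two in step. The enclosing function starts and ends outside this hunk, so the path taken when no text/plain part exists is not visible here.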
diff --git a/bnc-394441-exchange-addbook-crash.diff b/bnc-394441-exchange-addbook-crash.diff
new file mode 100644
index 0000000..e871330
--- /dev/null
+++ b/bnc-394441-exchange-addbook-crash.diff
@@ -0,0 +1,10 @@
+--- plugins/exchange-operations/exchange-contacts.c 2008-05-02 01:25:38.000000000 +0530
++++ plugins/exchange-operations/exchange-contacts.c 2008-05-26 16:28:51.000000000 +0530
+@@ -491,6 +491,7 @@ e_exchange_contacts_commit (EPlugin *epl
+ if (authtype) {
+ e_source_set_property (source, "auth-type", authtype);
+ g_free (authtype);
++ authtype=NULL;
+ }
+ e_source_set_property (source, "auth", "plain/password");
+ if (rename) {
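Review bot: The added `authtype=NULL;` carries no explanation and departs from the spacing used on the surrounding lines. The pointer has just been passed to g_free, so the reset presumably protects a later use or free of authtype in e_exchange_contacts_commit, which lies outside this hunk. A short comment would make that intent explicit, for example `authtype = NULL; /* already freed; later cleanup must not free it again */`.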
diff --git a/bug-394641_evo-CVE-2008-1108.diff b/bug-394641_evo-CVE-2008-1108.diff
new file mode 100644
index 0000000..0480044
--- /dev/null
+++ b/bug-394641_evo-CVE-2008-1108.diff
@@ -0,0 +1,311 @@
+Index: calendar/gui/e-itip-control.c
+===================================================================
+--- calendar/gui/e-itip-control.c (revision 35555)
++++ calendar/gui/e-itip-control.c (working copy)
+@@ -660,7 +660,7 @@ find_attendee (icalcomponent *ical_comp,
+
+ static void
+ write_label_piece (EItipControl *itip, ECalComponentDateTime *dt,
+- char *buffer, int size,
++ GString *buffer,
+ const char *stext, const char *etext,
+ gboolean just_date)
+ {
+@@ -685,13 +685,13 @@ write_label_piece (EItipControl *itip, E
+ tmp_tm.tm_hour = tmp_tm.tm_min = tmp_tm.tm_sec = 0;
+
+ if (stext != NULL)
+- strcat (buffer, stext);
++ g_string_append (buffer, stext);
+
+ e_time_format_date_and_time (&tmp_tm,
+ calendar_config_get_24_hour_format (),
+ FALSE, FALSE,
+ time_buf, sizeof (time_buf));
+- strcat (buffer, time_buf);
++ g_string_append (buffer, time_buf);
+
+ if (!dt->value->is_utc && dt->tzid) {
+ zone = icalcomponent_get_timezone (priv->top_level, dt->tzid);
+@@ -703,21 +703,21 @@ write_label_piece (EItipControl *itip, E
+ UTF-8. But it probably is not translated. */
+ display_name = icaltimezone_get_display_name (zone);
+ if (display_name && *display_name) {
+- strcat (buffer, " [");
++ g_string_append_len (buffer, " [", 16);
+
+ /* We check if it is one of our builtin timezone names,
+ in which case we call gettext to translate it. */
+ if (icaltimezone_get_builtin_timezone (display_name)) {
+- strcat (buffer, _(display_name));
++ g_string_append_printf (buffer, "%s", _(display_name));
+ } else {
+- strcat (buffer, display_name);
++ g_string_append_printf (buffer, "%s", display_name);
+ }
+- strcat (buffer, "]");
++ g_string_append_len (buffer, "]", 8);
+ }
+ }
+
+ if (etext != NULL)
+- strcat (buffer, etext);
++ g_string_append (buffer, etext);
+ }
+
+ static const char *
+@@ -754,19 +754,17 @@ get_dayname (struct icalrecurrencetype *
+
+ static void
+ write_recurrence_piece (EItipControl *itip, ECalComponent *comp,
+- char *buffer, int size)
++ GString *buffer)
+ {
+ GSList *rrules;
+ struct icalrecurrencetype *r;
+- int len, i;
++ int i;
+
+- strcpy (buffer, "Recurring: ");
+- len = strlen (buffer);
+- buffer += len;
+- size -= len;
++ g_string_append_len (buffer, "Recurring: ", 18);
+
+ if (!e_cal_component_has_simple_recurrence (comp)) {
+- strcpy (buffer, _("Yes. (Complex Recurrence)"));
++ g_string_append_printf (
++ buffer, "%s", _("Yes. (Complex Recurrence)"));
+ return;
+ }
+
+@@ -782,7 +780,10 @@ write_recurrence_piece (EItipControl *it
+ Every %d day/days" */
+ /* For Translators : 'Every day' is event Recurring every day */
+ /* For Translators : 'Every %d days' is event Recurring every %d days. %d is a digit */
+- sprintf (buffer, ngettext("Every day", "Every %d days", r->interval), r->interval);
++ g_string_append_printf (
++ buffer, ngettext ("Every day",
++ "Every %d days", r->interval),
++ r->interval);
+ break;
+
+ case ICAL_WEEKLY_RECURRENCE:
+@@ -792,29 +793,36 @@ write_recurrence_piece (EItipControl *it
+ Every %d week/weeks" */
+ /* For Translators : 'Every week' is event Recurring every week */
+ /* For Translators : 'Every %d weeks' is event Recurring every %d weeks. %d is a digit */
+- sprintf (buffer, ngettext("Every week", "Every %d weeks", r->interval), r->interval);
++ g_string_append_printf (
++ buffer, ngettext ("Every week",
++ "Every %d weeks", r->interval),
++ r->interval);
+ } else {
+ /* For Translators : 'Every week on' is event Recurring every week on (dayname) and (dayname) and (dayname) */
+ /* For Translators : 'Every %d weeks on' is event Recurring: every %d weeks on (dayname) and (dayname). %d is a digit */
+- sprintf (buffer, ngettext("Every week on ", "Every %d weeks on ", r->interval), r->interval);
++ g_string_append_printf (
++ buffer, ngettext ("Every week on ",
++ "Every %d weeks on ", r->interval),
++ r->interval);
+
+ for (i = 1; i < 8 && r->by_day[i] != ICAL_RECURRENCE_ARRAY_MAX; i++) {
+ if (i > 1)
+- strcat (buffer, ", ");
+- strcat (buffer, get_dayname (r, i - 1));
++ g_string_append_len (buffer, ", ", 2);
++ g_string_append (buffer, get_dayname (r, i - 1));
+ }
+ if (i > 1)
+ /* For Translators : 'and' is part of the sentence 'event recurring every week on (dayname) and (dayname)' */
+- strcat (buffer, _(" and "));
+- strcat (buffer, get_dayname (r, i - 1));
++ g_string_append_printf (buffer, "%s", _(" and "));
++ g_string_append (buffer, get_dayname (r, i - 1));
+ }
+ break;
+
+ case ICAL_MONTHLY_RECURRENCE:
+ if (r->by_month_day[0] != ICAL_RECURRENCE_ARRAY_MAX) {
+ /* For Translators : 'The %s day of' is part of the sentence 'event recurring on the (nth) day of every month.' */
+- sprintf (buffer, _("The %s day of "),
+- nth (r->by_month_day[0]));
++ g_string_append_printf (
++ buffer, _("The %s day of "),
++ nth (r->by_month_day[0]));
+ } else {
+ int pos;
+
+@@ -828,20 +836,21 @@ write_recurrence_piece (EItipControl *it
+
+ /* For Translators : 'The %s %s of' is part of the sentence 'event recurring on the (nth) (dayname) of every month.'
+ eg,third monday of every month */
+- sprintf (buffer, _("The %s %s of "),
+- nth (pos), get_dayname (r, 0));
++ g_string_append_printf (
++ buffer, _("The %s %s of "),
++ nth (pos), get_dayname (r, 0));
+ }
+
+- len = strlen (buffer);
+- buffer += len;
+- size -= len;
+ /* For Translators: In this can also be translated as "With the period of %d
+ month/months", where %d is a number. The entire sentence is of the form "Recurring:
+ Every %d month/months" */
+ /* For Translators : 'every month' is part of the sentence 'event recurring on the (nth) day of every month.' */
+ /* For Translators : 'every %d months' is part of the sentence 'event recurring on the (nth) day of every %d months.'
+ %d is a digit */
+- sprintf (buffer, ngettext("every month","every %d months", r->interval), r->interval);
++ g_string_append_printf (
++ buffer, ngettext ("every month",
++ "every %d months", r->interval),
++ r->interval);
+ break;
+
+ case ICAL_YEARLY_RECURRENCE:
+@@ -850,20 +859,22 @@ write_recurrence_piece (EItipControl *it
+ Every %d year/years" */
+ /* For Translators : 'Every year' is event Recurring every year */
+ /* For Translators : 'Every %d years' is event Recurring every %d years. %d is a digit */
+- sprintf (buffer, ngettext("Every year", "Every %d years", r->interval), r->interval);
++ g_string_append_printf (
++ buffer, ngettext ("Every year",
++ "Every %d years", r->interval),
++ r->interval);
+ break;
+
+ default:
+ g_return_if_reached ();
+ }
+
+- len = strlen (buffer);
+- buffer += len;
+- size -= len;
+ if (r->count) {
+ /* For Translators:'a total of %d time' is part of the sentence of the form 'event recurring every day,a total of % time.' %d is a digit*/
+ /* For Translators:'a total of %d times' is part of the sentence of the form 'event recurring every day,a total of % times.' %d is a digit*/
+- sprintf (buffer, ngettext("a total of %d time", " a total of %d times", r->count), r->count);
++ g_string_append_printf (
++ buffer, ngettext ("a total of %d time",
++ " a total of %d times", r->count), r->count);
+ } else if (!icaltime_is_null_time (r->until)) {
+ ECalComponentDateTime dt;
+
+@@ -871,12 +882,12 @@ write_recurrence_piece (EItipControl *it
+ dt.value = &r->until;
+ dt.tzid = icaltimezone_get_tzid ((icaltimezone *)r->until.zone);
+
+- write_label_piece (itip, &dt, buffer, size,
++ write_label_piece (itip, &dt, buffer,
+ /* For Translators : ', ending on' is part of the sentence of the form 'event recurring every day, ending on (date).'*/
+ _(", ending on "), NULL, TRUE);
+ }
+
+- strcat (buffer, "
");
++ g_string_append_len (buffer, "
", 4);
+ }
+
+ static void
+@@ -884,47 +895,51 @@ set_date_label (EItipControl *itip, GtkH
+ ECalComponent *comp)
+ {
+ ECalComponentDateTime datetime;
+- static char buffer[1024];
++ GString *buffer;
+ gchar *str;
+ gboolean wrote = FALSE, task_completed = FALSE;
+ ECalComponentVType type;
+
++ buffer = g_string_sized_new (1024);
+ type = e_cal_component_get_vtype (comp);
+
+- buffer[0] = '\0';
+ e_cal_component_get_dtstart (comp, &datetime);
+ if (datetime.value) {
+ /* For Translators : 'starts' is starts:date implying a task starts on what date */
+ str = g_strdup_printf ("%s:", _("Starts"));
+- write_label_piece (itip, &datetime, buffer, 1024,
+- str,
+- "
", FALSE);
+- gtk_html_write (html, html_stream, buffer, strlen(buffer));
++ write_label_piece (itip, &datetime, buffer, str, "
", FALSE);
++ gtk_html_write (html, html_stream, buffer->str, buffer->len);
+ wrote = TRUE;
+ g_free (str);
+ }
+ e_cal_component_free_datetime (&datetime);
+
+- buffer[0] = '\0';
++ /* Reset the buffer. */
++ g_string_truncate (buffer, 0);
++
+ e_cal_component_get_dtend (comp, &datetime);
+ if (datetime.value){
+ /* For Translators : 'ends' is ends:date implying a task ends on what date */
+ str = g_strdup_printf ("%s:", _("Ends"));
+- write_label_piece (itip, &datetime, buffer, 1024, str, "
", FALSE);
+- gtk_html_write (html, html_stream, buffer, strlen (buffer));
++ write_label_piece (itip, &datetime, buffer, str, "
", FALSE);
++ gtk_html_write (html, html_stream, buffer->str, buffer->len);
+ wrote = TRUE;
+ g_free (str);
+ }
+ e_cal_component_free_datetime (&datetime);
+
+- buffer[0] = '\0';
++ /* Reset the buffer. */
++ g_string_truncate (buffer, 0);
++
+ if (e_cal_component_has_recurrences (comp)) {
+- write_recurrence_piece (itip, comp, buffer, 1024);
+- gtk_html_write (html, html_stream, buffer, strlen (buffer));
++ write_recurrence_piece (itip, comp, buffer);
++ gtk_html_write (html, html_stream, buffer->str, buffer->len);
+ wrote = TRUE;
+ }
+
+- buffer[0] = '\0';
++ /* Reset the buffer. */
++ g_string_truncate (buffer, 0);
++
+ datetime.tzid = NULL;
+ e_cal_component_get_completed (comp, &datetime.value);
+ if (type == E_CAL_COMPONENT_TODO && datetime.value) {
+@@ -932,20 +947,22 @@ set_date_label (EItipControl *itip, GtkH
+ timezone. */
+ str = g_strdup_printf ("%s:", _("Completed"));
+ datetime.value->is_utc = TRUE;
+- write_label_piece (itip, &datetime, buffer, 1024, str, "
", FALSE);
+- gtk_html_write (html, html_stream, buffer, strlen (buffer));
++ write_label_piece (itip, &datetime, buffer, str, "
", FALSE);
++ gtk_html_write (html, html_stream, buffer->str, buffer->len);
+ wrote = TRUE;
+ task_completed = TRUE;
+ g_free (str);
+ }
+ e_cal_component_free_datetime (&datetime);
+
+- buffer[0] = '\0';
++ /* Reset the buffer. */
++ g_string_truncate (buffer, 0);
++
+ e_cal_component_get_due (comp, &datetime);
+ if (type == E_CAL_COMPONENT_TODO && !task_completed && datetime.value) {
+ str = g_strdup_printf ("%s:", _("Due"));
+- write_label_piece (itip, &datetime, buffer, 1024, str, "
", FALSE);
+- gtk_html_write (html, html_stream, buffer, strlen (buffer));
++ write_label_piece (itip, &datetime, buffer, str, "
", FALSE);
++ gtk_html_write (html, html_stream, buffer->str, buffer->len);
+ wrote = TRUE;
+ g_free (str);
+ }
+@@ -954,6 +971,8 @@ set_date_label (EItipControl *itip, GtkH
+
+ if (wrote)
+ gtk_html_stream_printf (html_stream, "
");
++
++ g_string_free (buffer, TRUE);
+ }
+
+ static void
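Review bot: In write_label_piece the timezone display name is appended with `g_string_append_printf (buffer, "%s", display_name)`, and set_date_label later hands the buffer to gtk_html_write, so text taken from the calendar component reaches the HTML stream unescaped. The move to GString removes the fixed-size overflow but not this. If priv->top_level holds the received invitation, as it appears to (the body of write_label_piece is only partly inside these hunks), the value should be escaped first: `gchar *esc = g_markup_escape_text (display_name, -1); g_string_append (buffer, esc); g_free (esc);`. Separately, the counts passed to g_string_append_len (16, 8, 18, 4) are hand-maintained and do not match the literals as rendered on this page, most likely because markup inside the literals was lost in rendering. Plain `g_string_append (buffer, literal)` would remove the need to keep a count in sync, since an over-count reads past the end of the literal.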
diff --git a/bug-394641_evo-CVE-2008-1109.diff b/bug-394641_evo-CVE-2008-1109.diff
new file mode 100644
index 0000000..4e0626b
--- /dev/null
+++ b/bug-394641_evo-CVE-2008-1109.diff
@@ -0,0 +1,62 @@
+Index: calendar/gui/itip-utils.c
+===================================================================
+--- calendar/gui/itip-utils.c (revision 35555)
++++ calendar/gui/itip-utils.c (working copy)
+@@ -172,50 +172,16 @@ get_attendee_if_attendee_sentby_is_user
+ }
+
+ static char *
+-html_new_lines_for (char *string)
++html_new_lines_for (const char *string)
+ {
+- char *html_string = (char *) malloc (sizeof (char)* (3500));
+- int length = strlen (string);
+- int index = 0;
+- char *index_ptr = string;
+- char *temp = string;
++ gchar **lines;
++ gchar *joined;
+
+- /*Find the first occurence*/
+- index_ptr = strstr ((const char *)temp, "\n");
++ lines = g_strsplit_set (string, "\n", -1);
++ joined = g_strjoinv ("
", lines);
++ g_strfreev (lines);
+
+- /*Doesn't occur*/
+- if (index_ptr == NULL) {
+- strcpy (html_string, (const char *)string);
+- html_string[length] = '\0';
+- return html_string;
+- }
+-
+- /*Split into chunks inserting
for \n */
+- do{
+- while (temp != index_ptr){
+- html_string[index++] = *temp;
+- temp++;
+- }
+- temp++;
+-
+- html_string[index++] = '<';
+- html_string[index++] = 'b';
+- html_string[index++] = 'r';
+- html_string[index++] = '>';
+-
+- index_ptr = strstr ((const char *)temp, "\n");
+-
+- } while (index_ptr);
+-
+- /*Don't leave out the last chunk*/
+- while (*temp != '\0'){
+- html_string[index++] = *temp;
+- temp++;
+- }
+-
+- html_string[index] = '\0';
+-
+- return html_string;
++ return joined;
+ }
+
+ char *
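Review bot: html_new_lines_for now returns memory from g_strjoinv where the removed code returned a malloc() buffer, and nothing in the patch tells callers that the result must be released with g_free(). The callers are outside this hunk, so any that still call free() should be checked. A header comment such as `/* Returns a newly allocated copy of @string with every '\n' replaced by an HTML line break; free with g_free(). */` would record the contract. The function still converts only newlines, so whether the text is HTML-escaped before it is rendered depends on code not shown here.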
diff --git a/evolution.changes b/evolution.changes
index d9660fd..d853786 100644
--- a/evolution.changes
+++ b/evolution.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Jun 2 10:43:43 CEST 2008 - abharath@suse.de
+- Added
+ - bnc#394641 - VUL-0: evolution buffer overflows
+ Patches Added:
+ bug-394641_evo-CVE-2008-1108.diff
+ bug-394641_evo-CVE-2008-1109.diff
+ - bnc#395708 - bgo-395708_prefer-plain.patch - Outlook meeting invites look as text messages
+ - bnc#394441 - bnc-394441-exchange-addbook-crash.diff - Addressbook crash
+
-------------------------------------------------------------------
Wed May 21 21:27:53 IST 2008 - msuman@suse.de
diff --git a/evolution.spec b/evolution.spec
index bc28b2c..74885f0 100644
--- a/evolution.spec
+++ b/evolution.spec
@@ -22,7 +22,7 @@ AutoReqProv: on
# BASE_VERSION (as defined in configure.in).
%define evolution_base_version 2.22
Version: 2.22.1.1
-Release: 9
+Release: 14
Summary: The Integrated GNOME Mail, Calendar, and Address Book Suite
#Source: ftp://ftp.gnome.org/pub/gnome/sources/evolution/2.22/%{name}-%{version}.tar.bz2
Source0: %{name}-%{version}.tar.bz2
@@ -58,6 +58,10 @@ Patch13: bgo-531519-print-preview-crash.patch
Patch14: bgo-534012-backup-permission.patch
# PATCH-FIX-UPSTREAM bgo-533820-fix-crash-on-border-clicking-meetings.diff bgo#533820 bnc#391993 pchenthill@suse.de -- Patch is in Upstream now
Patch15: bgo-533820-fix-crash-on-border-clicking-meetings.diff
+Patch16: bnc-394441-exchange-addbook-crash.diff
+Patch17: bgo-395708_prefer-plain.patch
+Patch18: bug-394641_evo-CVE-2008-1108.diff
+Patch19: bug-394641_evo-CVE-2008-1109.diff
Url: http://gnome.org/projects/evolution/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: yelp
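Review bot: Patch16 through Patch19 are added without the `# PATCH-FIX-UPSTREAM …` tag line that precedes Patch15, so the spec does not record which bug each patch addresses or whether it is upstream. For the two security patches this matters for later audits. A line such as `# PATCH-FIX-UPSTREAM bug-394641_evo-CVE-2008-1108.diff bnc#394641 -- buffer overflow fix (CVE-2008-1108)` above each entry would follow the existing convention. Whether these patches are already upstream is not visible on this page, so the packager should confirm which tag applies.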
@@ -296,6 +300,10 @@ Authors:
%patch13
%patch14
%patch15
+%patch16
+%patch17
+%patch18
+%patch19
%build
autoreconf -f -i
@@ -407,6 +415,14 @@ fi
%{_libdir}/evolution/*/conduits/*.so
%changelog
+* Mon Jun 02 2008 abharath@suse.de
+- Added
+ - bnc#394641 - VUL-0: evolution buffer overflows
+ Patches Added:
+ bug-394641_evo-CVE-2008-1108.diff
+ bug-394641_evo-CVE-2008-1109.diff
+ - bnc#395708 - bgo-395708_prefer-plain.patch - Outlook meeting invites look as text messages
+ - bnc#394441 - bnc-394441-exchange-addbook-crash.diff - Addressbook crash
* Wed May 21 2008 msuman@suse.de
- Added
+ bgo-534012-backup-permission.patch (Sankar P)