authorMart Raudsepp <leio@gentoo.org>2020-04-17 21:20:52 +0300
committerMart Raudsepp <leio@gentoo.org>2020-04-17 21:21:09 +0300
commit38193445919ae80cf0e16c18bf96a254dc49117c (patch)
treebe268ac58c85e9b270d246c2e7098e86b50ab684
parentnet-misc/openssh-8.2_p1-r6: Fix libressl patch for openssl-1.1 (diff)
mail-client/evolution: Fix CVE-2020-11879
Bug: https://bugs.gentoo.org/717932 Package-Manager: Portage-2.3.84, Repoman-2.3.20 Signed-off-by: Mart Raudsepp <leio@gentoo.org>
-rw-r--r--mail-client/evolution/evolution-3.34.4-r1.ebuild155
-rw-r--r--mail-client/evolution/files/3.34.4-CVE-2020-11879.patch122
2 files changed, 277 insertions, 0 deletions
diff --git a/mail-client/evolution/evolution-3.34.4-r1.ebuild b/mail-client/evolution/evolution-3.34.4-r1.ebuild
new file mode 100644
index 00000000000..fb45ae68495
--- /dev/null
+++ b/mail-client/evolution/evolution-3.34.4-r1.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit cmake-utils gnome2 flag-o-matic readme.gentoo-r1
+
+DESCRIPTION="Integrated mail, addressbook and calendaring functionality"
+HOMEPAGE="https://wiki.gnome.org/Apps/Evolution"
+
+# Note: explicitly "|| ( LGPL-2 LGPL-3 )", not "LGPL-2+".
+LICENSE="|| ( LGPL-2 LGPL-3 ) CC-BY-SA-3.0 FDL-1.3+ OPENLDAP"
+SLOT="2.0"
+
+IUSE="archive +bogofilter geolocation gtk-doc highlight ldap spamassassin spell ssl +weather ytnef"
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86"
+
+# glade-3 support is for maintainers only per configure.ac
+# pst is not mature enough and changes API/ABI frequently
+# dconf explicitely needed for backup plugin
+# gnome-desktop support is optional with --enable-gnome-desktop
+# automagic libunity dep
+# >=webkit-gtk-2.26.4-r1 and >=gspell-1.8 to ensure all use enchant:2
+# TODO: Adjust webkit-gtk dep to actually be that once it's keyworded for needed arches
+COMMON_DEPEND="
+ >=app-crypt/gcr-3.4:=[gtk]
+ >=app-text/enchant-2.2.0:2
+ >=dev-libs/glib-2.46:2[dbus]
+ >=dev-libs/libxml2-2.7.3:2
+ >=gnome-base/gnome-desktop-2.91.3:3=
+ >=gnome-base/gsettings-desktop-schemas-2.91.92
+ >=gnome-extra/evolution-data-server-${PV}:=[gtk,weather?]
+ >=media-libs/libcanberra-0.25[gtk3]
+ >=net-libs/libsoup-2.42:2.4
+ >=net-libs/webkit-gtk-2.16.0:4
+ >=x11-libs/cairo-1.9.15:=[glib]
+ >=x11-libs/gdk-pixbuf-2.24:2
+ >=x11-libs/gtk+-3.22:3
+ >=x11-libs/libnotify-0.7:=
+ >=x11-misc/shared-mime-info-0.22
+
+ >=app-text/iso-codes-0.49
+ dev-libs/atk
+ gnome-base/dconf
+ x11-libs/libSM
+ x11-libs/libICE
+
+ archive? ( >=app-arch/gnome-autoar-0.1.1[gtk] )
+ bogofilter? ( mail-filter/bogofilter )
+ geolocation? (
+ >=media-libs/libchamplain-0.12:0.12[gtk]
+ >=media-libs/clutter-1.0.0:1.0
+ >=media-libs/clutter-gtk-0.90:1.0
+ >=sci-geosciences/geocode-glib-3.10.0
+ x11-libs/mx:1.0 )
+ ldap? ( >=net-nds/openldap-2:= )
+ spamassassin? ( mail-filter/spamassassin )
+ spell? ( >=app-text/gspell-1.8:= )
+ ssl? (
+ >=dev-libs/nspr-4.6.1:=
+ >=dev-libs/nss-3.11:= )
+ weather? ( >=dev-libs/libgweather-3.10:2= )
+ ytnef? ( net-mail/ytnef )
+"
+DEPEND="${COMMON_DEPEND}
+ app-text/docbook-xml-dtd:4.1.2
+ dev-util/gdbus-codegen
+ dev-util/glib-utils
+ dev-util/itstool
+ gtk-doc? ( dev-util/gtk-doc
+ app-text/docbook-xml-dtd:4.3 )
+ >=dev-util/intltool-0.40.0
+ >=sys-devel/gettext-0.18.3
+ virtual/pkgconfig
+"
+RDEPEND="${COMMON_DEPEND}
+ highlight? ( app-text/highlight )
+ !gnome-extra/evolution-exchange
+"
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="To change the default browser if you are not using GNOME, edit
+~/.local/share/applications/mimeapps.list so it includes the
+following content:
+
+[Default Applications]
+x-scheme-handler/http=firefox.desktop
+x-scheme-handler/https=firefox.desktop
+
+(replace firefox.desktop with the name of the appropriate .desktop
+file from /usr/share/applications if you use a different browser)."
+
+# global scope PATCHES or DOCS array mustn't be used due to double default_src_prepare
+# call; if needed, set them after cmake-utils_src_prepare call, if that works
+
+src_prepare() {
+ cmake-utils_src_prepare
+ eapply "${FILESDIR}"/${PV}-CVE-2020-11879.patch
+ gnome2_src_prepare
+}
+
+src_configure() {
+ # Use NSS/NSPR only if 'ssl' is enabled.
+ local mycmakeargs=(
+ -DSYSCONF_INSTALL_DIR="${EPREFIX}"/etc
+ -DENABLE_SCHEMAS_COMPILE=OFF
+ -DENABLE_GTK_DOC=$(usex gtk-doc)
+ -DWITH_OPENLDAP=$(usex ldap)
+ -DENABLE_SMIME=$(usex ssl)
+ -DENABLE_GNOME_DESKTOP=ON
+ -DWITH_ENCHANT_VERSION=2
+ -DENABLE_CANBERRA=ON
+ -DENABLE_AUTOAR=$(usex archive)
+ -DWITH_HELP=ON
+ -DENABLE_YTNEF=OFF
+ -DWITH_BOGOFILTER=$(usex bogofilter)
+ -DWITH_SPAMASSASSIN=$(usex spamassassin)
+ -DENABLE_GSPELL=$(usex spell)
+ -DENABLE_TEXT_HIGHLIGHT=$(usex highlight)
+ -DENABLE_WEATHER=$(usex weather)
+ -DENABLE_CONTACT_MAPS=$(usex geolocation)
+ -DENABLE_YTNEF=$(usex ytnef)
+ -DENABLE_PST_IMPORT=OFF
+ -DWITH_GLADE_CATALOG=OFF
+ )
+
+ cmake-utils_src_configure
+}
+
+src_compile() {
+ cmake-utils_src_compile
+}
+
+src_test() {
+ cmake-utils_src_test
+}
+
+src_install() {
+ cmake-utils_src_install
+
+ # Problems with prelink:
+ # https://bugzilla.gnome.org/show_bug.cgi?id=731680
+ # https://bugzilla.gnome.org/show_bug.cgi?id=732148
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1114538
+ echo PRELINK_PATH_MASK=/usr/bin/evolution > ${T}/99${PN}
+ doenvd "${T}"/99${PN}
+
+ readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+ readme.gentoo_print_elog
+}
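Review bot: `-DENABLE_YTNEF` is passed twice in `mycmakeargs` in `src_configure`, first as `-DENABLE_YTNEF=OFF` and further down as `-DENABLE_YTNEF=$(usex ytnef)`. CMake keeps the last `-D` given for a variable, so the USE flag presumably wins, but the stale `OFF` line leaves it unclear whether TNEF attachment parsing is meant to be built; drop the first occurrence. Separately, `${T}` is unquoted in `echo PRELINK_PATH_MASK=/usr/bin/evolution > ${T}/99${PN}` in `src_install` while the next line quotes it; write `> "${T}"/99${PN}` to match.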
diff --git a/mail-client/evolution/files/3.34.4-CVE-2020-11879.patch b/mail-client/evolution/files/3.34.4-CVE-2020-11879.patch
new file mode 100644
index 00000000000..8415f3a2617
--- /dev/null
+++ b/mail-client/evolution/files/3.34.4-CVE-2020-11879.patch
@@ -0,0 +1,122 @@
+From 6489f20d6905cc797e2b2581c415e558c457caa7 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Wed, 12 Feb 2020 18:59:52 +0100
+Subject: [PATCH] I#784 - Warn about and limit what can be attached using
+ mailto: URI
+
+Closes https://gitlab.gnome.org/GNOME/evolution/issues/784
+---
+ src/composer/e-msg-composer.c | 58 +++++++++++++++++++++++++++++------
+ src/e-util/e-system.error.xml | 7 ++++-
+ 2 files changed, 54 insertions(+), 11 deletions(-)
+
+diff --git a/src/composer/e-msg-composer.c b/src/composer/e-msg-composer.c
+index e4c9ac095e..cd3168d882 100644
+--- a/src/composer/e-msg-composer.c
++++ b/src/composer/e-msg-composer.c
+@@ -4761,7 +4761,8 @@ handle_mailto (EMsgComposer *composer,
+ gchar *header, *content, *buf;
+ gsize nread, nwritten;
+ const gchar *p;
+- gint len, clen;
++ gint len, clen, has_attachments = 0;
++ gboolean has_blacklisted_attachment = FALSE;
+
+ table = e_msg_composer_get_header_table (composer);
+ view = e_msg_composer_get_attachment_view (composer);
+@@ -4844,22 +4845,36 @@ handle_mailto (EMsgComposer *composer,
+ } else if (!g_ascii_strcasecmp (header, "attach") ||
+ !g_ascii_strcasecmp (header, "attachment")) {
+ EAttachment *attachment;
++ GFile *file;
+
+ camel_url_decode (content);
+- if (file_is_blacklisted (content))
+- e_alert_submit (
+- E_ALERT_SINK (e_msg_composer_get_editor (composer)),
+- "mail:blacklisted-file",
+- content, NULL);
+ if (g_ascii_strncasecmp (content, "file:", 5) == 0)
+ attachment = e_attachment_new_for_uri (content);
+ else
+ attachment = e_attachment_new_for_path (content);
+- e_attachment_store_add_attachment (store, attachment);
+- e_attachment_load_async (
+- attachment, (GAsyncReadyCallback)
+- e_attachment_load_handle_error, composer);
++ file = e_attachment_ref_file (attachment);
++ if (!file || !g_file_peek_path (file) ||
++ !g_file_test (g_file_peek_path (file), G_FILE_TEST_EXISTS) ||
++ g_file_test (g_file_peek_path (file), G_FILE_TEST_IS_DIR)) {
++ /* Do nothing, simply ignore the attachment request */
++ } else {
++ has_attachments++;
++
++ if (file_is_blacklisted (content)) {
++ has_blacklisted_attachment = TRUE;
++ e_alert_submit (
++ E_ALERT_SINK (e_msg_composer_get_editor (composer)),
++ "mail:blacklisted-file",
++ content, NULL);
++ }
++
++ e_attachment_store_add_attachment (store, attachment);
++ e_attachment_load_async (
++ attachment, (GAsyncReadyCallback)
++ e_attachment_load_handle_error, composer);
++ }
+ g_object_unref (attachment);
++ g_clear_object (&file);
+ } else if (!g_ascii_strcasecmp (header, "from")) {
+ /* Ignore */
+ } else if (!g_ascii_strcasecmp (header, "reply-to")) {
+@@ -4883,6 +4898,29 @@ handle_mailto (EMsgComposer *composer,
+
+ g_free (buf);
+
++ if (has_attachments && !has_blacklisted_attachment) {
++ const gchar *primary;
++ gchar *secondary;
++
++ primary = g_dngettext (GETTEXT_PACKAGE,
++ "Review attachment before sending.",
++ "Review attachments before sending.",
++ has_attachments);
++
++ secondary = g_strdup_printf (g_dngettext (GETTEXT_PACKAGE,
++ "There had been added %d attachment. Make sure it does not contain any sensitive information before sending the message.",
++ "There had been added %d attachments. Make sure they do not contain any sensitive information before sending the message.",
++ has_attachments),
++ has_attachments);
++
++ e_alert_submit (
++ E_ALERT_SINK (e_msg_composer_get_editor (composer)),
++ "system:generic-warning",
++ primary, secondary, NULL);
++
++ g_free (secondary);
++ }
++
+ merge_always_cc_and_bcc (table, to, &cc, &bcc);
+
+ tov = destination_list_to_vector (to);
+diff --git a/src/e-util/e-system.error.xml b/src/e-util/e-system.error.xml
+index ddcf989fda..02facb7d26 100644
+--- a/src/e-util/e-system.error.xml
++++ b/src/e-util/e-system.error.xml
+@@ -1,6 +1,11 @@
+ <?xml version="1.0"?>
+ <error-list domain="system">
+- <error type="error" id="generic-error">
++ <error id="generic-error" type="error">
++ <primary>{0}</primary>
++ <secondary>{1}</secondary>
++ </error>
++
++ <error id="generic-warning" type="warning">
+ <primary>{0}</primary>
+ <secondary>{1}</secondary>
+ </error>
+--
+2.24.1
+
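Review bot: In the `attach`/`attachment` branch of `handle_mailto`, setting `has_blacklisted_attachment` suppresses the closing "Review attachments before sending" warning for the whole message, because the final check is `if (has_attachments && !has_blacklisted_attachment)`. When a flagged file and ordinary files are requested together, the user therefore sees only the per-file `mail:blacklisted-file` alert, and the ordinary attachments are added without the count or the reminder; the flagged file itself is still passed to `e_attachment_store_add_attachment ()`. I would show the summary whenever anything was attached, `if (has_attachments) {`, and add a comment above the `file_is_blacklisted` check saying why a flagged file is still attached rather than skipped. The existence and directory tests use `g_file_peek_path (file)` while `file_is_blacklisted (content)` receives the raw decoded string, which for a `file:` URI may not be a plain path; that helper is not visible here, so this needs checking against its definition. `handle_mailto` begins and ends outside these hunks, and since the file is a backport of an upstream commit the change belongs upstream first.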