From 38193445919ae80cf0e16c18bf96a254dc49117c Mon Sep 17 00:00:00 2001
From: Mart Raudsepp
Date: Fri, 17 Apr 2020 21:20:52 +0300
Subject: mail-client/evolution: Fix CVE-2020-11879
Bug: https://bugs.gentoo.org/717932
Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Mart Raudsepp
---
mail-client/evolution/evolution-3.34.4-r1.ebuild | 155 +++++++++++++++++++++
.../evolution/files/3.34.4-CVE-2020-11879.patch | 122 ++++++++++++++++
2 files changed, 277 insertions(+)
create mode 100644 mail-client/evolution/evolution-3.34.4-r1.ebuild
create mode 100644 mail-client/evolution/files/3.34.4-CVE-2020-11879.patch
diff --git a/mail-client/evolution/evolution-3.34.4-r1.ebuild b/mail-client/evolution/evolution-3.34.4-r1.ebuild
new file mode 100644
index 000000000000..fb45ae684955
--- /dev/null
+++ b/mail-client/evolution/evolution-3.34.4-r1.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit cmake-utils gnome2 flag-o-matic readme.gentoo-r1
+
+DESCRIPTION="Integrated mail, addressbook and calendaring functionality"
+HOMEPAGE="https://wiki.gnome.org/Apps/Evolution"
+
+# Note: explicitly "|| ( LGPL-2 LGPL-3 )", not "LGPL-2+".
+LICENSE="|| ( LGPL-2 LGPL-3 ) CC-BY-SA-3.0 FDL-1.3+ OPENLDAP"
+SLOT="2.0"
+
+IUSE="archive +bogofilter geolocation gtk-doc highlight ldap spamassassin spell ssl +weather ytnef"
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86"
+
+# glade-3 support is for maintainers only per configure.ac
+# pst is not mature enough and changes API/ABI frequently
+# dconf explicitely needed for backup plugin
+# gnome-desktop support is optional with --enable-gnome-desktop
+# automagic libunity dep
+# >=webkit-gtk-2.26.4-r1 and >=gspell-1.8 to ensure all use enchant:2
+# TODO: Adjust webkit-gtk dep to actually be that once it's keyworded for needed arches
+COMMON_DEPEND="
+ >=app-crypt/gcr-3.4:=[gtk]
+ >=app-text/enchant-2.2.0:2
+ >=dev-libs/glib-2.46:2[dbus]
+ >=dev-libs/libxml2-2.7.3:2
+ >=gnome-base/gnome-desktop-2.91.3:3=
+ >=gnome-base/gsettings-desktop-schemas-2.91.92
+ >=gnome-extra/evolution-data-server-${PV}:=[gtk,weather?]
+ >=media-libs/libcanberra-0.25[gtk3]
+ >=net-libs/libsoup-2.42:2.4
+ >=net-libs/webkit-gtk-2.16.0:4
+ >=x11-libs/cairo-1.9.15:=[glib]
+ >=x11-libs/gdk-pixbuf-2.24:2
+ >=x11-libs/gtk+-3.22:3
+ >=x11-libs/libnotify-0.7:=
+ >=x11-misc/shared-mime-info-0.22
+
+ >=app-text/iso-codes-0.49
+ dev-libs/atk
+ gnome-base/dconf
+ x11-libs/libSM
+ x11-libs/libICE
+
+ archive? ( >=app-arch/gnome-autoar-0.1.1[gtk] )
+ bogofilter? ( mail-filter/bogofilter )
+ geolocation? (
+ >=media-libs/libchamplain-0.12:0.12[gtk]
+ >=media-libs/clutter-1.0.0:1.0
+ >=media-libs/clutter-gtk-0.90:1.0
+ >=sci-geosciences/geocode-glib-3.10.0
+ x11-libs/mx:1.0 )
+ ldap? ( >=net-nds/openldap-2:= )
+ spamassassin? ( mail-filter/spamassassin )
+ spell? ( >=app-text/gspell-1.8:= )
+ ssl? (
+ >=dev-libs/nspr-4.6.1:=
+ >=dev-libs/nss-3.11:= )
+ weather? ( >=dev-libs/libgweather-3.10:2= )
+ ytnef? ( net-mail/ytnef )
+"
+DEPEND="${COMMON_DEPEND}
+ app-text/docbook-xml-dtd:4.1.2
+ dev-util/gdbus-codegen
+ dev-util/glib-utils
+ dev-util/itstool
+ gtk-doc? ( dev-util/gtk-doc
+ app-text/docbook-xml-dtd:4.3 )
+ >=dev-util/intltool-0.40.0
+ >=sys-devel/gettext-0.18.3
+ virtual/pkgconfig
+"
+RDEPEND="${COMMON_DEPEND}
+ highlight? ( app-text/highlight )
+ !gnome-extra/evolution-exchange
+"
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="To change the default browser if you are not using GNOME, edit
+~/.local/share/applications/mimeapps.list so it includes the
+following content:
+
+[Default Applications]
+x-scheme-handler/http=firefox.desktop
+x-scheme-handler/https=firefox.desktop
+
+(replace firefox.desktop with the name of the appropriate .desktop
+file from /usr/share/applications if you use a different browser)."
+
+# global scope PATCHES or DOCS array mustn't be used due to double default_src_prepare
+# call; if needed, set them after cmake-utils_src_prepare call, if that works
+
+src_prepare() {
+ cmake-utils_src_prepare
+ eapply "${FILESDIR}"/${PV}-CVE-2020-11879.patch
+ gnome2_src_prepare
+}
+
+src_configure() {
+ # Use NSS/NSPR only if 'ssl' is enabled.
+ local mycmakeargs=(
+ -DSYSCONF_INSTALL_DIR="${EPREFIX}"/etc
+ -DENABLE_SCHEMAS_COMPILE=OFF
+ -DENABLE_GTK_DOC=$(usex gtk-doc)
+ -DWITH_OPENLDAP=$(usex ldap)
+ -DENABLE_SMIME=$(usex ssl)
+ -DENABLE_GNOME_DESKTOP=ON
+ -DWITH_ENCHANT_VERSION=2
+ -DENABLE_CANBERRA=ON
+ -DENABLE_AUTOAR=$(usex archive)
+ -DWITH_HELP=ON
+ -DENABLE_YTNEF=OFF
+ -DWITH_BOGOFILTER=$(usex bogofilter)
+ -DWITH_SPAMASSASSIN=$(usex spamassassin)
+ -DENABLE_GSPELL=$(usex spell)
+ -DENABLE_TEXT_HIGHLIGHT=$(usex highlight)
+ -DENABLE_WEATHER=$(usex weather)
+ -DENABLE_CONTACT_MAPS=$(usex geolocation)
+ -DENABLE_YTNEF=$(usex ytnef)
+ -DENABLE_PST_IMPORT=OFF
+ -DWITH_GLADE_CATALOG=OFF
+ )
+
+ cmake-utils_src_configure
+}
+
+src_compile() {
+ cmake-utils_src_compile
+}
+
+src_test() {
+ cmake-utils_src_test
+}
+
+src_install() {
+ cmake-utils_src_install
+
+ # Problems with prelink:
+ # https://bugzilla.gnome.org/show_bug.cgi?id=731680
+ # https://bugzilla.gnome.org/show_bug.cgi?id=732148
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1114538
+ echo PRELINK_PATH_MASK=/usr/bin/evolution > ${T}/99${PN}
+ doenvd "${T}"/99${PN}
+
+ readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+ readme.gentoo_print_elog
+}
diff --git a/mail-client/evolution/files/3.34.4-CVE-2020-11879.patch b/mail-client/evolution/files/3.34.4-CVE-2020-11879.patch
new file mode 100644
index 000000000000..8415f3a2617d
--- /dev/null
+++ b/mail-client/evolution/files/3.34.4-CVE-2020-11879.patch
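Review bot: `mycmakeargs` in src_configure sets the same option twice, first `-DENABLE_YTNEF=OFF` and further down `-DENABLE_YTNEF=$(usex ytnef)`; the earlier line reads as if ytnef were forced off while the later one presumably takes effect, so the `=OFF` line should be dropped. In src_install the redirect target is unquoted although the next line quotes the same variable; write `echo PRELINK_PATH_MASK=/usr/bin/evolution > "${T}"/99${PN}`. The `eapply` line in src_prepare would also benefit from a one-line comment such as `# CVE-2020-11879: limit and warn about mailto: attachments, bug #717932`, so the reason for the -r1 revision stays visible in the ebuild.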
@@ -0,0 +1,122 @@
+From 6489f20d6905cc797e2b2581c415e558c457caa7 Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Wed, 12 Feb 2020 18:59:52 +0100
+Subject: [PATCH] I#784 - Warn about and limit what can be attached using
+ mailto: URI
+
+Closes https://gitlab.gnome.org/GNOME/evolution/issues/784
+---
+ src/composer/e-msg-composer.c | 58 +++++++++++++++++++++++++++++------
+ src/e-util/e-system.error.xml | 7 ++++-
+ 2 files changed, 54 insertions(+), 11 deletions(-)
+
+diff --git a/src/composer/e-msg-composer.c b/src/composer/e-msg-composer.c
+index e4c9ac095e..cd3168d882 100644
+--- a/src/composer/e-msg-composer.c
++++ b/src/composer/e-msg-composer.c
+@@ -4761,7 +4761,8 @@ handle_mailto (EMsgComposer *composer,
+ gchar *header, *content, *buf;
+ gsize nread, nwritten;
+ const gchar *p;
+- gint len, clen;
++ gint len, clen, has_attachments = 0;
++ gboolean has_blacklisted_attachment = FALSE;
+
+ table = e_msg_composer_get_header_table (composer);
+ view = e_msg_composer_get_attachment_view (composer);
+@@ -4844,22 +4845,36 @@ handle_mailto (EMsgComposer *composer,
+ } else if (!g_ascii_strcasecmp (header, "attach") ||
+ !g_ascii_strcasecmp (header, "attachment")) {
+ EAttachment *attachment;
++ GFile *file;
+
+ camel_url_decode (content);
+- if (file_is_blacklisted (content))
+- e_alert_submit (
+- E_ALERT_SINK (e_msg_composer_get_editor (composer)),
+- "mail:blacklisted-file",
+- content, NULL);
+ if (g_ascii_strncasecmp (content, "file:", 5) == 0)
+ attachment = e_attachment_new_for_uri (content);
+ else
+ attachment = e_attachment_new_for_path (content);
+- e_attachment_store_add_attachment (store, attachment);
+- e_attachment_load_async (
+- attachment, (GAsyncReadyCallback)
+- e_attachment_load_handle_error, composer);
++ file = e_attachment_ref_file (attachment);
++ if (!file || !g_file_peek_path (file) ||
++ !g_file_test (g_file_peek_path (file), G_FILE_TEST_EXISTS) ||
++ g_file_test (g_file_peek_path (file), G_FILE_TEST_IS_DIR)) {
++ /* Do nothing, simply ignore the attachment request */
++ } else {
++ has_attachments++;
++
++ if (file_is_blacklisted (content)) {
++ has_blacklisted_attachment = TRUE;
++ e_alert_submit (
++ E_ALERT_SINK (e_msg_composer_get_editor (composer)),
++ "mail:blacklisted-file",
++ content, NULL);
++ }
++
++ e_attachment_store_add_attachment (store, attachment);
++ e_attachment_load_async (
++ attachment, (GAsyncReadyCallback)
++ e_attachment_load_handle_error, composer);
++ }
+ g_object_unref (attachment);
++ g_clear_object (&file);
+ } else if (!g_ascii_strcasecmp (header, "from")) {
+ /* Ignore */
+ } else if (!g_ascii_strcasecmp (header, "reply-to")) {
+@@ -4883,6 +4898,29 @@ handle_mailto (EMsgComposer *composer,
+
+ g_free (buf);
+
++ if (has_attachments && !has_blacklisted_attachment) {
++ const gchar *primary;
++ gchar *secondary;
++
++ primary = g_dngettext (GETTEXT_PACKAGE,
++ "Review attachment before sending.",
++ "Review attachments before sending.",
++ has_attachments);
++
++ secondary = g_strdup_printf (g_dngettext (GETTEXT_PACKAGE,
++ "There had been added %d attachment. Make sure it does not contain any sensitive information before sending the message.",
++ "There had been added %d attachments. Make sure they do not contain any sensitive information before sending the message.",
++ has_attachments),
++ has_attachments);
++
++ e_alert_submit (
++ E_ALERT_SINK (e_msg_composer_get_editor (composer)),
++ "system:generic-warning",
++ primary, secondary, NULL);
++
++ g_free (secondary);
++ }
++
+ merge_always_cc_and_bcc (table, to, &cc, &bcc);
+
+ tov = destination_list_to_vector (to);
+diff --git a/src/e-util/e-system.error.xml b/src/e-util/e-system.error.xml
+index ddcf989fda..02facb7d26 100644
+--- a/src/e-util/e-system.error.xml
++++ b/src/e-util/e-system.error.xml
+@@ -1,6 +1,11 @@
+
+
+-
++
++ {0}
++ {1}
++
++
++
+ {0}
+ {1}
+
+--
+2.24.1
+
-- cgit v1.2.3-18-g5258
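Review bot: The new guard in the `attach`/`attachment` branch of handle_mailto rejects only missing paths and directories, so any other non-regular file (FIFO, socket, device node) is still handed to `e_attachment_store_add_attachment` and `e_attachment_load_async`. Testing for a regular file is stricter and replaces both `g_file_test` calls: `!g_file_test (g_file_peek_path (file), G_FILE_TEST_IS_REGULAR)) {`. Accepted files are still attached without confirmation, so the protection rests on the user reading the alert; and because of `has_attachments && !has_blacklisted_attachment`, one blacklisted file suppresses the count warning for every other attachment, which deserves a comment such as `/* the blacklisted-file alert already warns the user; avoid a second alert */` if that is the intent. handle_mailto starts and ends outside the embedded hunks, so how the async loader treats such files cannot be confirmed from here.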