diff options
author | Léo Le Bouter <lle-bout@zaclys.net> | 2021-03-11 01:18:35 +0100 |
---|---|---|
committer | Léo Le Bouter <lle-bout@zaclys.net> | 2021-03-11 01:19:40 +0100 |
commit | a2943e36c7c6309e955708552a72d532844576a8 (patch) | |
tree | 0051dbb48e919f265fb933e1a81727046ff9682a /gnu | |
parent | c35f87bb1a300c6bde538eaa927a0f7311fb09a0 (diff) | |
download | guix-a2943e36c7c6309e955708552a72d532844576a8.tar guix-a2943e36c7c6309e955708552a72d532844576a8.tar.gz |
gnu: evolution: Fix CVE-2020-11879.
* gnu/packages/patches/evolution-CVE-2020-11879.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/gnome.scm (evolution): Apply it.
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/gnome.scm | 3 | ||||
-rw-r--r-- | gnu/packages/patches/evolution-CVE-2020-11879.patch | 122 |
3 files changed, 125 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index e24cee8ecf..9e20260ec3 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -973,6 +973,7 @@ dist_patch_DATA = \ %D%/packages/patches/erlang-man-path.patch \ %D%/packages/patches/eudev-rules-directory.patch \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ + %D%/packages/patches/evolution-CVE-2020-11879.patch \ %D%/packages/patches/evolution-data-server-CVE-2020-14928.patch \ %D%/packages/patches/evolution-data-server-CVE-2020-16117.patch \ %D%/packages/patches/evolution-data-server-locales.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 1db2de4751..5ee28eec03 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -10711,7 +10711,8 @@ generic enough to work for everyone.") "evolution-" version ".tar.xz")) (sha256 (base32 - "164vy8h432pjglafn8y2ms4gsvk3kbgc63h5qp0mk5dv4smsp29c")))) + "164vy8h432pjglafn8y2ms4gsvk3kbgc63h5qp0mk5dv4smsp29c")) + (patches (search-patches "evolution-CVE-2020-11879.patch")))) (build-system cmake-build-system) (arguments `(#:imported-modules (,@%cmake-build-system-modules diff --git a/gnu/packages/patches/evolution-CVE-2020-11879.patch b/gnu/packages/patches/evolution-CVE-2020-11879.patch new file mode 100644 index 0000000000..8c85895aab --- /dev/null +++ b/gnu/packages/patches/evolution-CVE-2020-11879.patch @@ -0,0 +1,122 @@ +From 6489f20d6905cc797e2b2581c415e558c457caa7 Mon Sep 17 00:00:00 2001 +From: Milan Crha <mcrha@redhat.com> +Date: Wed, 12 Feb 2020 18:59:52 +0100 +Subject: [PATCH] I#784 - Warn about and limit what can be attached using + mailto: URI + +Closes https://gitlab.gnome.org/GNOME/evolution/issues/784 +--- + src/composer/e-msg-composer.c | 58 +++++++++++++++++++++++++++++------ + src/e-util/e-system.error.xml | 7 ++++- + 2 files changed, 54 insertions(+), 11 deletions(-) + +diff --git a/src/composer/e-msg-composer.c b/src/composer/e-msg-composer.c +index e4c9ac095e..cd3168d882 100644 +--- a/src/composer/e-msg-composer.c ++++ b/src/composer/e-msg-composer.c +@@ -4761,7 +4761,8 @@ handle_mailto (EMsgComposer *composer, + gchar *header, *content, *buf; + gsize nread, nwritten; + const gchar *p; +- gint len, clen; ++ gint len, clen, has_attachments = 0; ++ gboolean has_blacklisted_attachment = FALSE; + + table = e_msg_composer_get_header_table (composer); + view = e_msg_composer_get_attachment_view (composer); +@@ -4844,22 +4845,36 @@ handle_mailto (EMsgComposer *composer, + } else if (!g_ascii_strcasecmp (header, "attach") || + !g_ascii_strcasecmp (header, "attachment")) { + EAttachment *attachment; ++ GFile *file; + + camel_url_decode (content); +- if (file_is_blacklisted (content)) +- e_alert_submit ( +- E_ALERT_SINK (e_msg_composer_get_editor (composer)), +- "mail:blacklisted-file", +- content, NULL); + if (g_ascii_strncasecmp (content, "file:", 5) == 0) + attachment = e_attachment_new_for_uri (content); + else + attachment = e_attachment_new_for_path (content); +- e_attachment_store_add_attachment (store, attachment); +- e_attachment_load_async ( +- attachment, (GAsyncReadyCallback) +- e_attachment_load_handle_error, composer); ++ file = e_attachment_ref_file (attachment); ++ if (!file || !g_file_peek_path (file) || ++ !g_file_test (g_file_peek_path (file), G_FILE_TEST_EXISTS) || ++ g_file_test (g_file_peek_path (file), G_FILE_TEST_IS_DIR)) { ++ /* Do nothing, simply ignore the attachment request */ ++ } else { ++ has_attachments++; ++ ++ if (file_is_blacklisted (content)) { ++ has_blacklisted_attachment = TRUE; ++ e_alert_submit ( ++ E_ALERT_SINK (e_msg_composer_get_editor (composer)), ++ "mail:blacklisted-file", ++ content, NULL); ++ } ++ ++ e_attachment_store_add_attachment (store, attachment); ++ e_attachment_load_async ( ++ attachment, (GAsyncReadyCallback) ++ e_attachment_load_handle_error, composer); ++ } + g_object_unref (attachment); ++ g_clear_object (&file); + } else if (!g_ascii_strcasecmp (header, "from")) { + /* Ignore */ + } else if (!g_ascii_strcasecmp (header, "reply-to")) { +@@ -4883,6 +4898,29 @@ handle_mailto (EMsgComposer *composer, + + g_free (buf); + ++ if (has_attachments && !has_blacklisted_attachment) { ++ const gchar *primary; ++ gchar *secondary; ++ ++ primary = g_dngettext (GETTEXT_PACKAGE, ++ "Review attachment before sending.", ++ "Review attachments before sending.", ++ has_attachments); ++ ++ secondary = g_strdup_printf (g_dngettext (GETTEXT_PACKAGE, ++ "There had been added %d attachment. Make sure it does not contain any sensitive information before sending the message.", ++ "There had been added %d attachments. Make sure they do not contain any sensitive information before sending the message.", ++ has_attachments), ++ has_attachments); ++ ++ e_alert_submit ( ++ E_ALERT_SINK (e_msg_composer_get_editor (composer)), ++ "system:generic-warning", ++ primary, secondary, NULL); ++ ++ g_free (secondary); ++ } ++ + merge_always_cc_and_bcc (table, to, &cc, &bcc); + + tov = destination_list_to_vector (to); +diff --git a/src/e-util/e-system.error.xml b/src/e-util/e-system.error.xml +index ddcf989fda..02facb7d26 100644 +--- a/src/e-util/e-system.error.xml ++++ b/src/e-util/e-system.error.xml +@@ -1,6 +1,11 @@ + <?xml version="1.0"?> + <error-list domain="system"> +- <error type="error" id="generic-error"> ++ <error id="generic-error" type="error"> ++ <primary>{0}</primary> ++ <secondary>{1}</secondary> ++ </error> ++ ++ <error id="generic-warning" type="warning"> + <primary>{0}</primary> + <secondary>{1}</secondary> + </error> +-- +GitLab + |