rpms/sylpheed/FC-6 sylpheed-2.3.1-apop-cve-2007-1558.patch, NONE, 1.1 sylpheed-2.3.1-certsdir.patch, NONE, 1.1 .cvsignore, 1.23, 1.24 sources, 1.23, 1.24 sylpheed.spec, 1.42, 1.43

Michael Schwendt (mschwendt) fedora-extras-commits at redhat.com
Sat Apr 21 08:33:44 UTC 2007


Author: mschwendt

Update of /cvs/extras/rpms/sylpheed/FC-6
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16905

Modified Files:
	.cvsignore sources sylpheed.spec 
Added Files:
	sylpheed-2.3.1-apop-cve-2007-1558.patch 
	sylpheed-2.3.1-certsdir.patch 
Log Message:
* Sat Apr 21 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 2.3.1-1
- Update to 2.3.1 (stable branch).
- Patch APOP vulnerability (CVE-2007-1558) as in 2.4.0.
- Patch default directory for SSL/TLS certificates.


sylpheed-2.3.1-apop-cve-2007-1558.patch:

--- NEW FILE sylpheed-2.3.1-apop-cve-2007-1558.patch ---
diff -urN sylpheed-2.4.0rc/libsylph/pop.c sylpheed-2.4.0/libsylph/pop.c
--- sylpheed-2.4.0rc/libsylph/pop.c	2006-10-30 15:11:12.000000000 +0900
+++ sylpheed-2.4.0/libsylph/pop.c	2007-04-19 13:19:34.000000000 +0900
@@ -166,6 +166,12 @@
 
 	*(end + 1) = '\0';
 
+	if (!is_ascii_str(start) || strchr(start, '@') == NULL) {
+		log_warning(_("Invalid timestamp in greeting\n"));
+		session->error_val = PS_PROTOCOL;
+		return -1;
+	}
+
 	apop_str = g_strconcat(start, session->pass, NULL);
 	md5 = s_gnet_md5_new((guchar *)apop_str, strlen(apop_str));
 	md5sum = s_gnet_md5_get_string(md5);
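Review bot: The new guard before `g_strconcat` accepts any greeting timestamp that is plain ASCII and contains an `@`, which is looser than the RFC 822 msg-id syntax that RFC 1939 prescribes for the APOP timestamp. Whether `is_ascii_str` also rejects control characters is not visible in this hunk. Because the value is hashed together with `session->pass`, I would record the reason in a comment, e.g. `/* CVE-2007-1558: refuse non-compliant timestamps before hashing them with the password */`, and consider rejecting control characters and whitespace too. The enclosing function starts and ends outside the hunk, so the release of `apop_str` cannot be checked from here.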
@@ -707,7 +713,7 @@
 static gint pop3_session_recv_msg(Session *session, const gchar *msg)
 {
 	Pop3Session *pop3_session = POP3_SESSION(session);
-	Pop3ErrorValue val = PS_SUCCESS;
+	gint val = PS_SUCCESS;
 	const gchar *body;
 
 	body = msg;
@@ -732,76 +738,77 @@
 	switch (pop3_session->state) {
 	case POP3_READY:
 	case POP3_GREETING:
-		pop3_greeting_recv(pop3_session, body);
+		val = pop3_greeting_recv(pop3_session, body);
 #if USE_SSL
 		if (pop3_session->ac_prefs->ssl_pop == SSL_STARTTLS)
-			pop3_stls_send(pop3_session);
+			val = pop3_stls_send(pop3_session);
 		else
 #endif
 		if (pop3_session->ac_prefs->use_apop_auth)
-			pop3_getauth_apop_send(pop3_session);
+			val = pop3_getauth_apop_send(pop3_session);
 		else
-			pop3_getauth_user_send(pop3_session);
+			val = pop3_getauth_user_send(pop3_session);
 		break;
 #if USE_SSL
 	case POP3_STLS:
-		if (pop3_stls_recv(pop3_session) != PS_SUCCESS)
+		if ((val = pop3_stls_recv(pop3_session)) != PS_SUCCESS)
 			return -1;
 		if (pop3_session->ac_prefs->use_apop_auth)
-			pop3_getauth_apop_send(pop3_session);
+			val = pop3_getauth_apop_send(pop3_session);
 		else
-			pop3_getauth_user_send(pop3_session);
+			val = pop3_getauth_user_send(pop3_session);
 		break;
 #endif
 	case POP3_GETAUTH_USER:
-		pop3_getauth_pass_send(pop3_session);
+		val = pop3_getauth_pass_send(pop3_session);
 		break;
 	case POP3_GETAUTH_PASS:
 	case POP3_GETAUTH_APOP:
 		if (pop3_session->auth_only)
-			pop3_logout_send(pop3_session);
+			val = pop3_logout_send(pop3_session);
 		else
-			pop3_getrange_stat_send(pop3_session);
+			val = pop3_getrange_stat_send(pop3_session);
 		break;
 	case POP3_GETRANGE_STAT:
-		if (pop3_getrange_stat_recv(pop3_session, body) < 0)
+		if ((val = pop3_getrange_stat_recv(pop3_session, body)) < 0)
 			return -1;
 		if (pop3_session->count > 0)
-			pop3_getrange_uidl_send(pop3_session);
+			val = pop3_getrange_uidl_send(pop3_session);
 		else
-			pop3_logout_send(pop3_session);
+			val = pop3_logout_send(pop3_session);
 		break;
 	case POP3_GETRANGE_LAST:
 		if (val == PS_NOTSUPPORTED)
 			pop3_session->error_val = PS_SUCCESS;
-		else if (pop3_getrange_last_recv(pop3_session, body) < 0)
+		else if ((val = pop3_getrange_last_recv
+				(pop3_session, body)) < 0)
 			return -1;
 		if (pop3_session->cur_msg > 0)
-			pop3_getsize_list_send(pop3_session);
+			val = pop3_getsize_list_send(pop3_session);
 		else
-			pop3_logout_send(pop3_session);
+			val = pop3_logout_send(pop3_session);
 		break;
 	case POP3_GETRANGE_UIDL:
 		if (val == PS_NOTSUPPORTED) {
 			pop3_session->error_val = PS_SUCCESS;
-			pop3_getrange_last_send(pop3_session);
+			val = pop3_getrange_last_send(pop3_session);
 		} else {
 			pop3_session->state = POP3_GETRANGE_UIDL_RECV;
-			session_recv_data(session, 0, ".\r\n");
+			val = session_recv_data(session, 0, ".\r\n");
 		}
 		break;
 	case POP3_GETSIZE_LIST:
 		pop3_session->state = POP3_GETSIZE_LIST_RECV;
-		session_recv_data(session, 0, ".\r\n");
+		val = session_recv_data(session, 0, ".\r\n");
 		break;
 	case POP3_RETR:
 		pop3_session->state = POP3_RETR_RECV;
-		session_recv_data_as_file(session, 0, ".\r\n");
+		val = session_recv_data_as_file(session, 0, ".\r\n");
 		break;
 	case POP3_DELETE:
-		pop3_delete_recv(pop3_session);
+		val = pop3_delete_recv(pop3_session);
 		if (pop3_session->cur_msg == pop3_session->count)
-			pop3_logout_send(pop3_session);
+			val = pop3_logout_send(pop3_session);
 		else {
 			pop3_session->cur_msg++;
 			if (pop3_lookup_next(pop3_session) == POP3_ERROR)
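Review bot: The result stored by `val = pop3_greeting_recv(pop3_session, body);` in the `POP3_READY`/`POP3_GREETING` case is never examined, because every branch that follows assigns `val` again before the `break`. The same happens to `val = pop3_delete_recv(pop3_session);` when the logout branch is taken. If these receive handlers can fail, check them the way the STLS and STAT cases do, e.g. `if ((val = pop3_greeting_recv(pop3_session, body)) != PS_SUCCESS) return -1;`. Since `val` is now a `gint` that also carries the result of `session_recv_data()`, a comment at its declaration such as `/* any value other than PS_SUCCESS aborts the session */` would make the final return mapping easier to follow. The switch continues outside this hunk.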
@@ -817,7 +824,10 @@
 		return -1;
 	}
 
-	return 0;
+	if (val == PS_SUCCESS)
+		return 0;
+	else
+		return -1;
 }
 
 static gint pop3_session_recv_data_finished(Session *session, guchar *data,

sylpheed-2.3.1-certsdir.patch:

--- NEW FILE sylpheed-2.3.1-certsdir.patch ---
diff -Nur sylpheed-2.3.1-orig/libsylph/ssl.c sylpheed-2.3.1/libsylph/ssl.c
--- sylpheed-2.3.1-orig/libsylph/ssl.c	2007-01-12 07:21:48.000000000 +0100
+++ sylpheed-2.3.1/libsylph/ssl.c	2007-04-21 10:22:44.000000000 +0200
@@ -81,7 +81,7 @@
 					"etc" G_DIR_SEPARATOR_S
 					"ssl" G_DIR_SEPARATOR_S "certs", NULL);
 #else
-		certs_dir = g_strdup("/etc/ssl/certs");
+		certs_dir = g_strdup("/etc/pki/tls/certs");
 #endif
 		if (!is_dir_exist(certs_dir)) {
 			debug_print("ssl_init(): %s doesn't exist, or not a directory.\n",
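Review bot: The new default `"/etc/pki/tls/certs"` is hard-coded, and the only feedback when it is missing is the `debug_print` in the `is_dir_exist` branch, so a missing trust directory would presumably go unnoticed unless debugging is enabled. The rest of that branch is outside the hunk. If `certs_dir` is handed to OpenSSL as a CA directory (not visible here), it has to contain hash-named certificate links, which is worth confirming on the target release. I would add a comment such as `/* Fedora keeps the system CA certificates under /etc/pki/tls */` and consider raising the missing-directory message to a warning.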


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/sylpheed/FC-6/.cvsignore,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- .cvsignore	21 Nov 2006 08:26:26 -0000	1.23
+++ .cvsignore	21 Apr 2007 08:33:10 -0000	1.24
@@ -1,2 +1,2 @@
-sylpheed-2.2.10.tar.bz2
-sylpheed-2.2.10.tar.bz2.asc
+sylpheed-2.3.1.tar.bz2
+sylpheed-2.3.1.tar.bz2.asc


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/sylpheed/FC-6/sources,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- sources	21 Nov 2006 08:26:26 -0000	1.23
+++ sources	21 Apr 2007 08:33:10 -0000	1.24
@@ -1,2 +1,2 @@
-68709cd07d2416c7aaeacf2c6921b1a2  sylpheed-2.2.10.tar.bz2
-ddbaab7d093c35592927a0cd426631ad  sylpheed-2.2.10.tar.bz2.asc
+12fb8622bc76b42a3bd6e734495ec4c3  sylpheed-2.3.1.tar.bz2
+36664cf7117fafb0084bdcec39097102  sylpheed-2.3.1.tar.bz2.asc


Index: sylpheed.spec
===================================================================
RCS file: /cvs/extras/rpms/sylpheed/FC-6/sylpheed.spec,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- sylpheed.spec	21 Nov 2006 08:26:26 -0000	1.42
+++ sylpheed.spec	21 Apr 2007 08:33:10 -0000	1.43
@@ -4,25 +4,27 @@
 
 Summary: GTK+ based, lightweight, and fast email client
 Name: sylpheed
-Version: 2.2.10
-Release: 1%{?dist}.1
+Version: 2.3.1
+Release: 1
 License: GPL
 URL: http://sylpheed.sraoss.jp/
 Group: Applications/Internet
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
-BuildRequires: gtk2-devel >= 2.4, openssl-devel
+BuildRequires: gtk2-devel openssl-devel
 BuildRequires: desktop-file-utils pkgconfig gettext
 %{!?_without_gpgme:BuildRequires: gpgme-devel}
 %{!?_without_compface:BuildRequires: compface-devel}
 %{!?_without_ldap:BuildRequires: openldap-devel}
 %{?_with_jpilot:BuildRequires: jpilot-devel}
 BuildRequires: gtkspell-devel
-Source0: http://sylpheed.sraoss.jp/sylpheed/v2.2/%{name}-%{version}.tar.bz2
+Source0: http://sylpheed.sraoss.jp/sylpheed/v2.3/%{name}-%{version}.tar.bz2
 Source1: sylpheed.1
 
 Patch1: sylpheed-2.2.3-defs.h.patch
 Patch2: sylpheed-2.2.7-desktop.patch
+Patch3: sylpheed-2.3.1-certsdir.patch
 Patch4: sylpheed-2.2.5-prefs_common.patch
+Patch5: sylpheed-2.3.1-apop-cve-2007-1558.patch
 
 %description
 This program is an X based fast email client which has features
@@ -43,7 +45,9 @@
 %setup -q
 %patch1 -p1 -b .defs.h
 %patch2 -p1 -b .desktop
+%patch3 -p1 -b .certsdir
 %patch4 -p1 -b .prefs_common
+%patch5 -p1 -b .apop
 
 %build
 %configure --enable-ssl %{!?_without_gpgme:--enable-gpgme} \
@@ -84,6 +88,11 @@
 %{_mandir}/man1/*
 
 %changelog
+* Sat Apr 21 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 2.3.1-1
+- Update to 2.3.1 (stable branch).
+- Patch APOP vulnerability (CVE-2007-1558) as in 2.4.0.
+- Patch default directory for SSL/TLS certificates.
+
 * Thu Nov 16 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 2.2.10-1
 - Update to 2.2.10 (recommended bug-fixes only).
 



