[notmuch/f16] cve-2011-1103
Karel Klíč
kklic at fedoraproject.org
Wed Mar 7 16:28:47 UTC 2012
commit a55d9ee1cb6fc3aedd8ddc41de60e86adefa93dd
Author: Karel Klic <kklic at redhat.com>
Date: Wed Mar 7 17:29:17 2012 +0100
cve-2011-1103
notmuch-cve-2011-1103.patch | 17 +++++++++++++++++
notmuch.spec | 7 ++++++-
2 files changed, 23 insertions(+), 1 deletions(-)
---
diff --git a/notmuch-cve-2011-1103.patch b/notmuch-cve-2011-1103.patch
new file mode 100644
index 0000000..58ac8dd
--- /dev/null
+++ b/notmuch-cve-2011-1103.patch
@@ -0,0 +1,17 @@
+diff -up notmuch-0.6.1/emacs/notmuch-mua.el.cve-2011-1103 notmuch-0.6.1/emacs/notmuch-mua.el
+--- notmuch-0.6.1/emacs/notmuch-mua.el.cve-2011-1103 2011-07-17 16:20:51.000000000 +0200
++++ notmuch-0.6.1/emacs/notmuch-mua.el 2012-03-07 17:26:19.174712427 +0100
+@@ -109,7 +109,12 @@ list."
+ (insert body))
+ (set-buffer-modified-p nil)
+
+- (message-goto-body))
++ (message-goto-body)
++ ;; Original message may contain (malicious) MML tags. We must
++ ;; properly quote them in the reply. Note that using `point-max'
++ ;; instead of `mark' here is wrong. The buffer may include user's
++ ;; signature which should not be MML-quoted.
++ (mml-quote-region (point) (point-max)))
+
+ (defun notmuch-mua-forward-message ()
+ (message-forward)
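Review bot: The comment added above `(mml-quote-region (point) (point-max))` says that using `point-max` instead of `mark` is wrong, but the call uses `point-max`, so the comment and the code disagree. As written, the quoting runs from the start of the body to the end of the buffer. That covers the whole cited message, which is the safe direction for this fix, but it would also escape any MML in a signature if one is already in the buffer at this point. Either bound the region at the end of the cited text, or keep the call and reword the comment, for example `;; Quote through point-max; this also MML-quotes a signature if one is already inserted.` The enclosing function starts outside the hunk, so whether a signature or a usable mark exists here cannot be confirmed from the visible lines.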
diff --git a/notmuch.spec b/notmuch.spec
index cd46d7a..421118c 100644
--- a/notmuch.spec
+++ b/notmuch.spec
@@ -1,12 +1,13 @@
Name: notmuch
Version: 0.6.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: System for indexing, searching, and tagging email
Group: Applications/Internet
License: GPLv3+
URL: http://notmuchmail.org/
Source0: http://notmuchmail.org/releases/notmuch-%{version}.tar.gz
Patch0: notmuch-0.6.1-gmime.patch
+Patch1: notmuch-cve-2011-1103.patch
BuildRequires: xapian-core-devel
BuildRequires: gmime-devel
BuildRequires: libtalloc-devel
@@ -61,6 +62,7 @@ Requires: emacs-notmuch = %{version}-%{release}
%prep
%setup -q
%patch0 -p1 -b .gmime
+%patch1 -p1 -b .cve-2011-1103
%build
# The %%configure macro cannot be used because notmuch doesn't support
@@ -100,6 +102,9 @@ find %{buildroot}%{_libdir} -name *.so* -exec chmod 755 {} \;
%{_emacs_sitelispdir}/*.el
%changelog
+* Wed Mar 7 2012 Karel Klíč <kklic at redhat.com> - 0.6.1-2
+- Added patch for CVE-2011-1103: tag information disclosure flaw
+
* Thu Jul 28 2011 Karel Klíč <kklic at redhat.com> - 0.6.1-1
- Latest upstream release
- Added -gmime patch to compile with GMime 2.5.x (upstream uses GMime 2.4.x)