[notmuch/f16] cve-2011-1103

Karel Klíč kklic at fedoraproject.org
Wed Mar 7 16:28:47 UTC 2012 

commit a55d9ee1cb6fc3aedd8ddc41de60e86adefa93dd
Author: Karel Klic <kklic at redhat.com>
Date:   Wed Mar 7 17:29:17 2012 +0100

    cve-2011-1103

 notmuch-cve-2011-1103.patch |   17 +++++++++++++++++
 notmuch.spec                |    7 ++++++-
 2 files changed, 23 insertions(+), 1 deletions(-)
---
diff --git a/notmuch-cve-2011-1103.patch b/notmuch-cve-2011-1103.patch
new file mode 100644
index 0000000..58ac8dd
--- /dev/null
+++ b/notmuch-cve-2011-1103.patch
@@ -0,0 +1,17 @@
+diff -up notmuch-0.6.1/emacs/notmuch-mua.el.cve-2011-1103 notmuch-0.6.1/emacs/notmuch-mua.el
+--- notmuch-0.6.1/emacs/notmuch-mua.el.cve-2011-1103	2011-07-17 16:20:51.000000000 +0200
++++ notmuch-0.6.1/emacs/notmuch-mua.el	2012-03-07 17:26:19.174712427 +0100
+@@ -109,7 +109,12 @@ list."
+     (insert body))
+   (set-buffer-modified-p nil)
+ 
+-  (message-goto-body))
++  (message-goto-body)
++  ;; Original message may contain (malicious) MML tags.  We must
++  ;; properly quote them in the reply.  Note that using `point-max'
++  ;; instead of `mark' here is wrong.  The buffer may include user's
++  ;; signature which should not be MML-quoted.
++  (mml-quote-region (point) (point-max)))
+ 
+ (defun notmuch-mua-forward-message ()
+   (message-forward)
diff --git a/notmuch.spec b/notmuch.spec
index cd46d7a..421118c 100644
--- a/notmuch.spec
+++ b/notmuch.spec
@@ -1,12 +1,13 @@
 Name: notmuch
 Version: 0.6.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System for indexing, searching, and tagging email
 Group: Applications/Internet
 License: GPLv3+
 URL: http://notmuchmail.org/
 Source0: http://notmuchmail.org/releases/notmuch-%{version}.tar.gz
 Patch0: notmuch-0.6.1-gmime.patch
+Patch1: notmuch-cve-2011-1103.patch
 BuildRequires: xapian-core-devel
 BuildRequires: gmime-devel
 BuildRequires: libtalloc-devel
@@ -61,6 +62,7 @@ Requires: emacs-notmuch = %{version}-%{release}
 %prep
 %setup -q
 %patch0 -p1 -b .gmime
+%patch1 -p1 -b .cve-2011-1103
 
 %build
 # The %%configure macro cannot be used because notmuch doesn't support
@@ -100,6 +102,9 @@ find %{buildroot}%{_libdir} -name *.so* -exec chmod 755 {} \;
 %{_emacs_sitelispdir}/*.el
 
 %changelog
+* Wed Mar  7 2012 Karel Klíč <kklic at redhat.com> - 0.6.1-2
+- Added patch for CVE-2011-1103: tag information disclosure flaw
+
 * Thu Jul 28 2011 Karel Klíč <kklic at redhat.com> - 0.6.1-1
 - Latest upstream release
 - Added -gmime patch to compile with GMime 2.5.x (upstream uses GMime 2.4.x)

More information about the scm-commits mailing list