[notmuch/f15] cve-2011-1103

Karel Klíč kklic at fedoraproject.org
Wed Mar 7 17:00:33 UTC 2012 

commit a43b8a2b396f680f0b1ab53c01e52ba763b357e3
Author: Karel Klic <kklic at redhat.com>
Date:   Wed Mar 7 18:01:03 2012 +0100

    cve-2011-1103

 notmuch-cve-2011-1103.patch |   17 +++++++++++++++++
 notmuch.spec                |    7 ++++++-
 2 files changed, 23 insertions(+), 1 deletions(-)
---
diff --git a/notmuch-cve-2011-1103.patch b/notmuch-cve-2011-1103.patch
new file mode 100644
index 0000000..58ac8dd
--- /dev/null
+++ b/notmuch-cve-2011-1103.patch
@@ -0,0 +1,17 @@
+diff -up notmuch-0.6.1/emacs/notmuch-mua.el.cve-2011-1103 notmuch-0.6.1/emacs/notmuch-mua.el
+--- notmuch-0.6.1/emacs/notmuch-mua.el.cve-2011-1103	2011-07-17 16:20:51.000000000 +0200
++++ notmuch-0.6.1/emacs/notmuch-mua.el	2012-03-07 17:26:19.174712427 +0100
+@@ -109,7 +109,12 @@ list."
+     (insert body))
+   (set-buffer-modified-p nil)
+ 
+-  (message-goto-body))
++  (message-goto-body)
++  ;; Original message may contain (malicious) MML tags.  We must
++  ;; properly quote them in the reply.  Note that using `point-max'
++  ;; instead of `mark' here is wrong.  The buffer may include user's
++  ;; signature which should not be MML-quoted.
++  (mml-quote-region (point) (point-max)))
+ 
+ (defun notmuch-mua-forward-message ()
+   (message-forward)
diff --git a/notmuch.spec b/notmuch.spec
index 58e8bbe..a71d6df 100644
--- a/notmuch.spec
+++ b/notmuch.spec
@@ -1,11 +1,12 @@
 Name: notmuch
 Version: 0.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: System for indexing, searching, and tagging email
 Group: Applications/Internet
 License: GPLv3+
 URL: http://notmuchmail.org/
 Source0: http://notmuchmail.org/releases/notmuch-%{version}.tar.gz
+Patch0: notmuch-cve-2011-1103.patch
 BuildRequires: xapian-core-devel
 BuildRequires: gmime-devel
 BuildRequires: libtalloc-devel
@@ -59,6 +60,7 @@ Requires: emacs-notmuch = %{version}-%{release}
 
 %prep
 %setup -q
+%patch0 -p1 -b .cve-2011-1103
 
 %build
 # The %%configure macro cannot be used because notmuch doesn't support
@@ -103,6 +105,9 @@ find %{buildroot}%{_libdir} -name *.so* -exec chmod 755 {} \;
 %{_emacs_sitelispdir}/*.el
 
 %changelog
+* Wed Mar  7 2012 Karel Klíč <kklic at redhat.com> - 0.5-5
+- Added patch for CVE-2011-1103: tag information disclosure flaw
+
 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.5-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

More information about the scm-commits mailing list