authorMart Raudsepp <leio@gentoo.org>2008-03-05 09:04:30 +0000
committerMart Raudsepp <leio@gentoo.org>2008-03-05 09:04:30 +0000
commitbbbe105a4acd18e043b868e397009adef4f93294 (patch)
tree780d3994828e1e91cb96050563a9280c457b38cd /mail-client
parentversion bump (diff)
Security fix for "Encrypted Message Version Format String Vulnerability". Stable on alpha, amd64, hppa, ia64, ppc64, sparc and x86
Package-Manager: portage-2.1.4.4 RepoMan-Options: --force
Diffstat (limited to 'mail-client')
-rw-r--r--mail-client/evolution/ChangeLog9
-rw-r--r--mail-client/evolution/Manifest4
-rw-r--r--mail-client/evolution/evolution-2.12.3-r1.ebuild175
-rw-r--r--mail-client/evolution/files/evolution-CVE-2008-0072.patch61
4 files changed, 247 insertions, 2 deletions
diff --git a/mail-client/evolution/ChangeLog b/mail-client/evolution/ChangeLog
index f76e3033227f..26b3a6021173 100644
--- a/mail-client/evolution/ChangeLog
+++ b/mail-client/evolution/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for mail-client/evolution
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/mail-client/evolution/ChangeLog,v 1.225 2008/02/04 04:09:08 jer Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-client/evolution/ChangeLog,v 1.226 2008/03/05 09:04:29 leio Exp $
+
+*evolution-2.12.3-r1 (05 Mar 2008)
+
+ 05 Mar 2008; Mart Raudsepp <leio@gentoo.org>
+ +files/evolution-CVE-2008-0072.patch, +evolution-2.12.3-r1.ebuild:
+ Security fix for "Encrypted Message Version Format String Vulnerability".
+ Stable on alpha, amd64, hppa, ia64, ppc64, sparc and x86
04 Feb 2008; Jeroen Roovers <jer@gentoo.org> evolution-2.12.2.ebuild:
Stable for HPPA (bug #208366).
diff --git a/mail-client/evolution/Manifest b/mail-client/evolution/Manifest
index c953d0b8c92e..2cd658163b72 100644
--- a/mail-client/evolution/Manifest
+++ b/mail-client/evolution/Manifest
@@ -6,6 +6,7 @@ AUX evolution-2.8.1.1-64-bit.patch 6008 RMD160 3c6b6e652097f939c74431ba63eac6779
AUX evolution-2.8.2.1-certificate-manager-filtering.patch 3040 RMD160 6e1bc22a4b83982e9405578b9a44223a9c364cfd SHA1 91211a275d79e26adf5510f45fedd3f0d569c945 SHA256 3b496e2ff6a6ba270e1f806b94ce8a910aaa5fbe14291c23a7856784d362e1fa
AUX evolution-2.9.2-bf-junk.patch.gz 10431 RMD160 26825a37ca603267293a8a063b3499f4c3535376 SHA1 974dbe1870d92cd4ad3d75b682f36a899bcff71b SHA256 f9de9826bd2acfaf79af15e7f41c73289693c1f77c6811f80bce1f6027de1493
AUX evolution-2.9.91-cal-reply.patch 1679 RMD160 c8bc0e84a77b43a705ad00c7db5b93a1f1dcaabc SHA1 7ddc72ee4f6e55bbec91476713895ddd9c733c2f SHA256 5837a56bf1079f2e703d6cc5316425f583ae4975a977a2ec80684962f1be826f
+AUX evolution-CVE-2008-0072.patch 2890 RMD160 8911d13efd9c86d1b95cd844ebeab695e2e80ab6 SHA1 f040da832c681efe7ac85c281ec54f3b991ff6bf SHA256 28a7cda8c1a3aab284d69a7142e74fc345f7130627e180b6de0ae8389e8adbc1
DIST evolution-2.10.3.tar.bz2 26041499 RMD160 f3355a880c010975b1f1c1aa8221abc72bf54788 SHA1 dd6335ef7bf72745ff8f43f012093e89e9a5c35a SHA256 8a26b982a6af83ffa72a33e8d9b890c278d28a86765098006c65060eb021a16f
DIST evolution-2.12.1.tar.bz2 25905418 RMD160 43af1228e6dadf38be3aeb68e80a7f48c307ba22 SHA1 d867983300523449cc3e026f72bf2e2a4c6f6bcf SHA256 8d75c95a4419ecd0b46cddb7a7481fa4f23997f258084ed74f9f3fb9f7c36959
DIST evolution-2.12.2.tar.bz2 25937130 RMD160 98b1ba5e1c942cff7f3befbc2cc73328c5aeaad2 SHA1 7096fa54cfd61a8cf1902a711a0c1191e314d511 SHA256 3a672e74fcccca0a3706647de40227858f34a66903c14c16877eab06e6d74cdf
@@ -14,6 +15,7 @@ DIST evolution-2.5.5.1-bf-junk.tar.bz2 10771 RMD160 7ae764761607d50024fbec32680b
EBUILD evolution-2.10.3.ebuild 6992 RMD160 a23badb418f942cbbca00e47fa340bbe8c545e99 SHA1 d4efc5afb0268ee60d22f18272284b3a196dd167 SHA256 3097421062d4b0f4fa4813d3f7bf861efe9dccd5ee3e3cd7dd30d2ad3028f567
EBUILD evolution-2.12.1.ebuild 5792 RMD160 2ba4c07e59ad5a778230c163881ee29f93649578 SHA1 38edd0331bc32bd1ba24cbac3524adf303ab7710 SHA256 96117b1097675953bbf610c1feec0f2108284d742969acf2dcb206ea19d0b053
EBUILD evolution-2.12.2.ebuild 5801 RMD160 06ac19e3f7c28bce5b7719d4e50eb0525b4d1463 SHA1 705406e4cf010c61542ab741098961c211ec5cf9 SHA256 acc4344657f2f0b6cf0f7b9d058e0f619d7f30ad23cfbb3391a7a348fe478735
+EBUILD evolution-2.12.3-r1.ebuild 5875 RMD160 3b358c59e8873b29304304ed1b4ba2af7121e3dc SHA1 8b3d1c0ac9bf5a785b5d3d28f58be5ad1c08d60f SHA256 2f55f6fb4646e147bf26c93b2ca36b72d10c2e0b7abe5cba0ba05d2e20ca1c63
EBUILD evolution-2.12.3.ebuild 5808 RMD160 70091aba62ed45796569bb286a444fd5c7ff8be4 SHA1 df4a9a6bc920313a01a4ba6e1b8869572ee5647a SHA256 9dabc851c10b1252bdc145dbe6126e031a1ceefc2e3e0ca202f60402ab1b7829
-MISC ChangeLog 52023 RMD160 6eb6be1eafe6bac05e77e7e2e6e7854c34f3a766 SHA1 954edcdebfcc8bfeb9aa13b91d3552a6bbf2dcb6 SHA256 662931d013a4035e4055742179f031518baf60697b425c56aac06c6cdb1c5da7
+MISC ChangeLog 52312 RMD160 2d9a5668a97d186d82bb24bfd976778241d881b4 SHA1 cbd225f38ed553d9386ea051b036a10ab6ffc756 SHA256 0093a26984a566f07abc3903d2c6f1e9ef2f4888cdf300303460585efcfae258
MISC metadata.xml 159 RMD160 488f58f504e5c2e7b10e253fd9db5f1e6f9d3a21 SHA1 16c86b590ee3d78c8ccd5b5044835ed4a4038d93 SHA256 b1ccd57b80d8d6ee7a9924844efd69830edfb744ab818d67e50a008b5aae7d4b
diff --git a/mail-client/evolution/evolution-2.12.3-r1.ebuild b/mail-client/evolution/evolution-2.12.3-r1.ebuild
new file mode 100644
index 000000000000..4b428818adea
--- /dev/null
+++ b/mail-client/evolution/evolution-2.12.3-r1.ebuild
@@ -0,0 +1,175 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/mail-client/evolution/evolution-2.12.3-r1.ebuild,v 1.1 2008/03/05 09:04:29 leio Exp $
+EAPI="1"
+
+inherit gnome2 flag-o-matic
+
+DESCRIPTION="Integrated mail, addressbook and calendaring functionality"
+HOMEPAGE="http://www.gnome.org/projects/evolution/"
+SRC_URI="${SRC_URI}"
+
+LICENSE="GPL-2 FDL-1.1"
+SLOT="2.0"
+KEYWORDS="alpha amd64 hppa ia64 ~ppc ppc64 sparc x86 ~x86-fbsd"
+# gstreamer for audio-inline, when it uses 0.10
+IUSE="crypt dbus debug doc hal ipv6 kerberos krb4 ldap mono networkmanager nntp pda profile spell ssl"
+
+# Pango dependency required to avoid font rendering problems
+RDEPEND="
+ >=x11-libs/gtk+-2.10
+ >=gnome-extra/evolution-data-server-1.11.90
+ >=x11-themes/gnome-icon-theme-1.2
+ >=gnome-base/gnome-vfs-2.4
+ >=gnome-base/libbonoboui-2.4.2
+ >=gnome-base/libbonobo-2.16
+ >=gnome-extra/gtkhtml-3.16
+ >=gnome-base/gconf-2
+ >=gnome-base/libglade-2
+ >=gnome-base/libgnomecanvas-2
+ >=gnome-base/libgnomeui-2
+ >=dev-libs/libxml2-2
+ dbus? ( dev-libs/dbus-glib )
+ hal? ( >=sys-apps/hal-0.5.4 )
+ x11-libs/libnotify
+ pda? (
+ >=app-pda/gnome-pilot-2.0.15
+ >=app-pda/gnome-pilot-conduits-2 )
+ dev-libs/atk
+ ssl? (
+ >=dev-libs/nspr-4.6.1
+ >=dev-libs/nss-3.11 )
+ networkmanager? ( net-misc/networkmanager )
+ >=net-libs/libsoup-2.2.96:2.2
+ kerberos? ( virtual/krb5 )
+ krb4? ( virtual/krb5 )
+ >=dev-libs/glib-2.10
+ >=gnome-base/orbit-2.9.8
+ spell? ( >=app-text/gnome-spell-1.0.5 )
+ crypt? ( || ( >=app-crypt/gnupg-2.0.1-r2 =app-crypt/gnupg-1.4* ) )
+ ldap? ( >=net-nds/openldap-2 )
+ mono? ( >=dev-lang/mono-1 )"
+# gstreamer? (
+# >=media-libs/gstreamer-0.10
+# >=media-libs/gst-plugins-base-0.10 )
+
+DEPEND="${RDEPEND}
+ >=dev-util/pkgconfig-0.16
+ >=dev-util/intltool-0.35.5
+ sys-devel/gettext
+ sys-devel/bison
+ app-text/scrollkeeper
+ >=gnome-base/gnome-common-2.12.0
+ >=app-text/gnome-doc-utils-0.9.1
+ doc? ( >=dev-util/gtk-doc-0.6 )"
+
+DOCS="AUTHORS ChangeLog* HACKING MAINTAINERS NEWS* README"
+ELTCONF="--reverse-deps"
+
+pkg_setup() {
+ G2CONF="--without-kde-applnk-path \
+ --enable-plugins=experimental \
+ $(use_enable ssl nss) \
+ $(use_enable ssl smime) \
+ $(use_enable ipv6) \
+ $(use_enable mono) \
+ $(use_enable nntp) \
+ $(use_enable pda pilot-conduits) \
+ $(use_enable profile profiling) \
+ $(use_with ldap openldap) \
+ $(use_with kerberos krb5 /usr)"
+
+ # We need a graphical pinentry frontend to be able to ask for the GPG
+ # password from inside evolution, bug 160302
+ if use crypt && has_version '>=app-crypt/gnupg-2.0.1-r2'; then
+ if ! built_with_use -o app-crypt/pinentry gtk qt3; then
+ die "You must build app-crypt/pinentry with GTK or QT3 support"
+ fi
+ fi
+
+ if use krb4 && ! built_with_use virtual/krb5 krb4; then
+ ewarn
+ ewarn "In order to add kerberos 4 support, you have to emerge"
+ ewarn "virtual/krb5 with the 'krb4' USE flag enabled as well."
+ ewarn
+ ewarn "Skipping for now."
+ ewarn
+ G2CONF="${G2CONF} --without-krb4"
+ else
+ G2CONF="${G2CONF} $(use_with krb4 krb4 /usr)"
+ fi
+
+ # dang - I've changed this to do --enable-plugins=experimental. This will autodetect
+ # new-mail-notify and exchange, but that cannot be helped for the moment.
+ # They should be changed to depend on a --enable-<foo> like mono is. This
+ # cleans up a ton of crap from this ebuild.
+}
+
+src_unpack() {
+ gnome2_src_unpack
+
+ # Mail-remote doesn't build
+ epatch "${FILESDIR}"/${PN}-2.12.1-mail-remote-broken.patch
+
+ # Fix timezone offsets on fbsd. bug #183708
+ epatch "${FILESDIR}"/${PN}-2.10.2-fbsd.patch
+
+ # Fix CVE-2008-0072
+ epatch "${FILESDIR}"/${PN}-CVE-2008-0072.patch
+
+ # Fix tests (again)
+ echo "evolution-addressbook.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-calendar.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-composer-entries.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-event-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-mail-global.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-mail-list.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-mail-message.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-mail-messagedisplay.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-memo-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-memos.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-message-composer.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-signature-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-subscribe.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-task-editor.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution-tasks.xml" >> "${S}"/po/POTFILES.in
+ echo "evolution.xml" >> "${S}"/po/POTFILES.in
+}
+
+src_compile() {
+ # Use NSS/NSPR only if 'ssl' is enabled.
+ if use ssl ; then
+ sed -i -e "s|mozilla-nss|nss|
+ s|mozilla-nspr|nspr|" "${S}"/configure
+ G2CONF="${G2CONF} --enable-nss=yes"
+ else
+ G2CONF="${G2CONF} --without-nspr-libs --without-nspr-includes \
+ --without-nss-libs --without-nss-includes"
+ fi
+
+ # problems with -O3 on gcc-3.3.1
+ replace-flags -O3 -O2
+
+ if [ "${ARCH}" = "hppa" ]; then
+ append-flags "-fPIC -ffunction-sections"
+ export LDFLAGS="-ffunction-sections -Wl,--stub-group-size=25000"
+ fi
+
+ gnome2_src_compile
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+
+ elog "To change the default browser if you are not using GNOME, do:"
+ elog "gconftool-2 --set /desktop/gnome/url-handlers/http/command -t string 'mozilla %s'"
+ elog "gconftool-2 --set /desktop/gnome/url-handlers/https/command -t string 'mozilla %s'"
+ elog ""
+ elog "Replace 'mozilla %s' with which ever browser you use."
+ elog ""
+ elog "Junk filters are now a run-time choice. You will get a choice of"
+ elog "bogofilter or spamassassin based on which you have installed"
+ elog ""
+ elog "You have to install one of these for the spam filtering to actually work"
+}
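Review bot: In src_compile, the hppa branch's `export LDFLAGS="-ffunction-sections -Wl,--stub-group-size=25000"` overwrites LDFLAGS instead of extending it, so any linker flags the user or profile has set (hardening options included) are silently dropped for this build on hppa. The neighbouring `append-flags` line already shows the additive pattern for compiler flags. Keeping the existing value would preserve them, e.g. `export LDFLAGS="${LDFLAGS} -ffunction-sections -Wl,--stub-group-size=25000"`, or use flag-o-matic's `append-ldflags`, since that eclass is already inherited.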
diff --git a/mail-client/evolution/files/evolution-CVE-2008-0072.patch b/mail-client/evolution/files/evolution-CVE-2008-0072.patch
new file mode 100644
index 000000000000..7c371189c486
--- /dev/null
+++ b/mail-client/evolution/files/evolution-CVE-2008-0072.patch
@@ -0,0 +1,61 @@
+A format string error in the "emf_multipart_encrypted()" function in
+mail/em-format.c when displaying the "Version:" field from an encrypted
+e-mail message can be exploited to execute arbitrary code via a
+specially crafted e-mail message.
+
+Successful exploitation requires that the user opens a malicious e-mail
+message.
+
+Ulf Harnhammar, Secunia Research.
+
+SA29057 and CVE-2008-0072
+
+Index: mail/em-format.c
+===================================================================
+--- mail/em-format.c (revision 35096)
++++ mail/em-format.c (working copy)
+@@ -1193,7 +1193,7 @@ emf_application_xpkcs7mime(EMFormat *emf
+ opart = camel_mime_part_new();
+ valid = camel_cipher_decrypt(context, part, opart, ex);
+ if (valid == NULL) {
+- em_format_format_error(emf, stream, ex->desc?ex->desc:_("Could not parse S/MIME message: Unknown error"));
++ em_format_format_error(emf, stream, "%s", ex->desc?ex->desc:_("Could not parse S/MIME message: Unknown error"));
+ em_format_part_as(emf, stream, part, NULL);
+ } else {
+ if (emfc == NULL)
+@@ -1350,7 +1350,7 @@ emf_multipart_encrypted(EMFormat *emf, C
+ if (valid == NULL) {
+ em_format_format_error(emf, stream, ex->desc?_("Could not parse PGP/MIME message"):_("Could not parse PGP/MIME message: Unknown error"));
+ if (ex->desc)
+- em_format_format_error(emf, stream, ex->desc);
++ em_format_format_error(emf, stream, "%s", ex->desc);
+ em_format_part_as(emf, stream, part, "multipart/mixed");
+ } else {
+ if (emfc == NULL)
+@@ -1515,7 +1515,7 @@ emf_multipart_signed(EMFormat *emf, Came
+ if (valid == NULL) {
+ em_format_format_error(emf, stream, ex->desc?_("Error verifying signature"):_("Unknown error verifying signature"));
+ if (ex->desc)
+- em_format_format_error(emf, stream, ex->desc);
++ em_format_format_error(emf, stream, "%s", ex->desc);
+ em_format_part_as(emf, stream, part, "multipart/mixed");
+ } else {
+ if (emfc == NULL)
+@@ -1586,7 +1586,7 @@ emf_inlinepgp_signed(EMFormat *emf, Came
+ if (!valid) {
+ em_format_format_error(emf, stream, ex->desc?_("Error verifying signature"):_("Unknown error verifying signature"));
+ if (ex->desc)
+- em_format_format_error(emf, stream, ex->desc);
++ em_format_format_error(emf, stream, "%s", ex->desc);
+ em_format_format_source(emf, stream, ipart);
+ /* I think this will loop: em_format_part_as(emf, stream, part, "text/plain"); */
+ camel_exception_free(ex);
+@@ -1658,7 +1658,7 @@ emf_inlinepgp_encrypted(EMFormat *emf, C
+ if (!valid) {
+ em_format_format_error(emf, stream, ex->desc?_("Could not parse PGP message"):_("Could not parse PGP message: Unknown error"));
+ if (ex->desc)
+- em_format_format_error(emf, stream, ex->desc);
++ em_format_format_error(emf, stream, "%s", ex->desc);
+ em_format_format_source(emf, stream, ipart);
+ /* I think this will loop: em_format_part_as(emf, stream, part, "text/plain"); */
+ camel_exception_free(ex);
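Review bot: The first em_format_format_error() call in emf_multipart_encrypted, emf_multipart_signed, emf_inlinepgp_signed and emf_inlinepgp_encrypted still passes the `_()`-translated message as the format argument; only the `ex->desc` calls were converted. Those strings come from the translation catalog rather than from the e-mail, so the exposure is far smaller, but a stray `%` in a translation would still be read as a conversion and the calls keep failing a `-Wformat-security` build. For consistency they should be passed as data too, e.g. `em_format_format_error(emf, stream, "%s", ex->desc ? _("Error verifying signature") : _("Unknown error verifying signature"));`. The declaration of em_format_format_error is not visible here; if it carries no printf format attribute, adding glib's `G_GNUC_PRINTF(3, 4)` to it would let the compiler flag any call sites this patch did not reach. All five functions start and end outside the embedded hunks, so other calls in their bodies could not be checked from this page.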