Resolves: #1677651 (CVE-2018-15587 reposition signature bar)

Add BuildRequires/Requires for 'killall' binary
With this `evolution --force-shutdown`, alias killev, will find it and will be able to stop evolution(-data-server) processes. It could look also for 'pkill', but none of these seems to be part of build root anymore. Having explicit dependency is better anyway.
2019-02-18 12:44:32 +01:00 · 2018-10-26 14:05:22 +02:00 · 2018-07-30 16:21:02 +02:00 · 2018-07-16 14:41:52 +02:00 · 2018-06-18 11:46:52 +02:00 · 2018-05-07 10:57:40 +02:00
8 changed files with 3058 additions and 260 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,150 @@
-/evolution-*.tar.xz
+evolution-2.31.5.tar.bz2
+/evolution-2.31.91.tar.bz2
+/evolution-2.31.92.tar.bz2
+/evolution-2.91.0.tar.bz2
+/evolution-2.91.1.tar.bz2
+/evolution-2.91.2.tar.bz2
+/evolution-2.91.3.tar.bz2
+/evolution-2.91.4.tar.bz2
+/evolution-2.91.5.tar.bz2
+/evolution-2.91.6.tar.bz2
+/evolution-2.91.6.1.tar.bz2
+/evolution-2.91.6.2.tar.bz2
+/evolution-2.91.90.tar.bz2
+/evolution-2.91.91.tar.bz2
+/evolution-2.91.92.tar.bz2
+/evolution-3.0.0.tar.bz2
+/evolution-3.1.1.tar.bz2
+/evolution-3.1.2.tar.bz2
+/evolution-3.1.3.tar.bz2
+/evolution-3.1.4.tar.bz2
+/evolution-3.1.5.tar.bz2
+/evolution-3.1.90.tar.xz
+/evolution-3.1.91.tar.xz
+/evolution-3.1.92.tar.xz
+/evolution-3.2.0.tar.xz
+/evolution-3.3.1.tar.xz
+/evolution-3.3.2.tar.xz
+/evolution-3.3.3.tar.xz
+/evolution-3.3.4.tar.xz
+/evolution-3.3.5.tar.xz
+/evolution-3.3.90.tar.xz
+/evolution-3.3.91.tar.xz
+/evolution-3.3.92.tar.xz
+/evolution-3.4.0.tar.xz
+/evolution-3.4.0.1.tar.xz
+/evolution-3.4.1.tar.xz
+/evolution-3.5.1.tar.xz
+/evolution-3.5.2.tar.xz
+/evolution-3.5.3.tar.xz
+/evolution-3.5.3.1.tar.xz
+/evolution-3.5.4.tar.xz
+/evolution-3.5.5.tar.xz
+/evolution-3.5.90.tar.xz
+/evolution-3.5.91.tar.xz
+/evolution-3.5.92.tar.xz
+/evolution-3.6.0.tar.xz
+/evolution-3.7.1.tar.xz
+/evolution-3.7.2.tar.xz
+/evolution-3.7.3.1.tar.xz
+/evolution-3.7.3.2.tar.xz
+/evolution-3.7.4.tar.xz
+/evolution-3.7.5.tar.xz
+/evolution-3.7.90.tar.xz
+/evolution-3.7.91.tar.xz
+/evolution-3.7.92.tar.xz
+/evolution-3.8.0.tar.xz
+/evolution-3.9.1.tar.xz
+/evolution-3.9.2.tar.xz
+/evolution-3.9.3.tar.xz
+/evolution-3.9.4.tar.xz
+/evolution-3.9.5.tar.xz
+/evolution-3.9.90.tar.xz
+/evolution-3.9.91.tar.xz
+/evolution-3.9.92.tar.xz
+/evolution-3.10.0.tar.xz
+/evolution-3.10.1.tar.xz
+/evolution-3.11.1.tar.xz
+/evolution-3.11.2.tar.xz
+/evolution-3.11.4.tar.xz
+/evolution-3.11.5.tar.xz
+/evolution-3.11.90.tar.xz
+/evolution-3.11.91.tar.xz
+/evolution-3.11.92.tar.xz
+/evolution-3.12.0.tar.xz
+/evolution-3.12.1.tar.xz
+/evolution-3.12.2.tar.xz
+/evolution-3.12.3.tar.xz
+/evolution-3.12.4.tar.xz
+/evolution-3.13.4.tar.xz
+/evolution-3.13.5.tar.xz
+/evolution-3.13.6.tar.xz
+/evolution-3.13.7.tar.xz
+/evolution-3.13.8.tar.xz
+/evolution-3.13.9.tar.xz
+/evolution-3.13.10.tar.xz
+/evolution-3.13.90.tar.xz
+/evolution-3.15.91.tar.xz
+/evolution-3.15.92.tar.xz
+/evolution-3.16.0.tar.xz
+/evolution-3.16.1.tar.xz
+/evolution-3.17.1.tar.xz
+/evolution-3.17.2.tar.xz
+/evolution-3.17.3.tar.xz
+/evolution-3.17.4.tar.xz
+/evolution-3.17.90.tar.xz
+/evolution-3.17.91.tar.xz
+/evolution-3.17.92.tar.xz
+/evolution-3.18.0.tar.xz
+/evolution-3.18.1.tar.xz
+/evolution-3.19.1.tar.xz
+/evolution-3.19.2.tar.xz
+/evolution-3.19.3.tar.xz
+/evolution-3.19.4.tar.xz
+/evolution-3.19.90.tar.xz
+/evolution-3.19.91.tar.xz
+/evolution-3.19.92.tar.xz
+/evolution-3.20.0.tar.xz
+/evolution-3.20.1.tar.xz
+/evolution-3.21.1.tar.xz
+/evolution-3.21.2.tar.xz
+/evolution-3.21.3.tar.xz
+/evolution-3.21.4.tar.xz
+/evolution-3.21.90.tar.xz
+/evolution-3.21.91.tar.xz
+/evolution-3.21.92.tar.xz
+/evolution-3.22.0.tar.xz
+/evolution-3.22.1.tar.xz
+/evolution-3.23.1.tar.xz
+/evolution-3.23.2.tar.xz
+/evolution-3.23.3.tar.xz
+/evolution-3.23.4.tar.xz
+/evolution-3.23.90.tar.xz
+/evolution-3.23.91.tar.xz
+/evolution-3.23.92.tar.xz
+/evolution-3.24.0.tar.xz
+/evolution-3.24.1.tar.xz
+/evolution-3.25.1.tar.xz
+/evolution-3.25.2.tar.xz
+/evolution-3.25.3.tar.xz
+/evolution-3.25.4.tar.xz
+/evolution-3.25.90.tar.xz
+/evolution-3.25.91.tar.xz
+/evolution-3.25.92.tar.xz
+/evolution-3.25.92.1.tar.xz
+/evolution-3.25.92.2.tar.xz
+/evolution-3.26.0.tar.xz
+/evolution-3.26.1.tar.xz
+/evolution-3.27.1.tar.xz
+/evolution-3.27.2.tar.xz
+/evolution-3.27.3.tar.xz
+/evolution-3.27.4.tar.xz
+/evolution-3.27.90.tar.xz
+/evolution-3.27.91.tar.xz
+/evolution-3.27.92.tar.xz
+/evolution-3.28.0.tar.xz
+/evolution-3.28.1.tar.xz
+/evolution-3.28.2.tar.xz
+/evolution-3.28.3.tar.xz
+/evolution-3.28.4.tar.xz
+/evolution-3.28.5.tar.xz
--- a/configurable-dbus-prefix.patch
+++ b/configurable-dbus-prefix.patch
@ -1,42 +0,0 @@
-diff -up evolution-3.48.1 evolution-3.48
-diff -up evolution-3.48.1/docs/evolution.1 evolution-3.48.1/docs/evolution
-diff -up evolution-3.48.1/src/modules/backup-restore/evolution-backup-tool.c.1 evolution-3.48.1/src/modules/backup-restore/evolution-backup-tool.c
--- evolution-3.48.1/src/modules/backup-restore/evolution-backup-tool.c.1	2023-11-27 13:12:25.099463743 -0500
-+++ evolution-3.48.1/src/modules/backup-restore/evolution-backup-tool.c	2023-11-27 13:14:38.640243434 -0500
-@@ -674,7 +674,7 @@ get_source_manager_reload_command (void)
- 			g_string_free (tmp, TRUE);
- 			tmp = NULL;
- 
-			base_filename = g_strdup (EDS_SOURCES_DBUS_SERVICE_NAME);
-+			base_filename = g_ascii_strdown (EDS_SOURCES_DBUS_SERVICE_NAME, -1);
- 
- 			if (!base_filename || !*base_filename) {
- 				g_free (base_filename);
-@@ -690,14 +690,16 @@ get_source_manager_reload_command (void)
- 
- 			while (!tmp) {
- 				const gchar *name;
-+				gchar *name_down;
- 
- 				name = g_dir_read_name (dir);
-+				name_down = g_ascii_strdown (name, -1);
- 
- 				if (!name)
- 					break;
- 
-				if (g_ascii_strncasecmp (name, base_filename, base_filename_len) == 0 &&
-				    g_ascii_strncasecmp (name + strlen (name) - 8, ".service", 8) == 0) {
-+				if (strstr (name_down, base_filename) != NULL &&
-+				    strncmp (name_down + strlen (name) - 8, ".service", 8) == 0) {
- 					gchar *filename;
- 
- 					filename = g_strconcat ("$DBUSDATADIR", G_DIR_SEPARATOR_S, name, NULL);
-@@ -724,6 +726,8 @@ get_source_manager_reload_command (void)
- 						g_free (str);
- 					}
- 				}
-+
-+				g_free (name_down);
- 			}
- 
- 			g_free (base_filename);
--- a/evolution-3.28.5-cve-2018-15587-reposition-signature-bar.patch
+++ b/evolution-3.28.5-cve-2018-15587-reposition-signature-bar.patch
@ -0,0 +1,80 @@
+diff -up evolution-3.28.5/src/em-format/e-mail-parser.c.cve-2018-15587-reposition-signature-bar evolution-3.28.5/src/em-format/e-mail-parser.c
+--- evolution-3.28.5/src/em-format/e-mail-parser.c.cve-2018-15587-reposition-signature-bar	2018-07-30 15:37:05.000000000 +0200
+++ evolution-3.28.5/src/em-format/e-mail-parser.c	2019-02-18 12:14:59.352466607 +0100
+@@ -79,6 +79,67 @@ GType e_mail_parser_application_smime_ge
+ static gpointer parent_class;
+ 
+ static void
+mail_parser_move_security_before_headers (GQueue *part_queue)
+{
+	GList *link, *last_headers = NULL;
+	GSList *headers_stack = NULL;
+
+	link = g_queue_peek_head_link (part_queue);
+	while (link) {
+		EMailPart *part = link->data;
+		const gchar *id;
+
+		if (!part) {
+			link = g_list_next (link);
+			continue;
+		}
+
+		id = e_mail_part_get_id (part);
+		if (!id) {
+			link = g_list_next (link);
+			continue;
+		}
+
+		if (g_str_has_suffix (id, ".rfc822")) {
+			headers_stack = g_slist_prepend (headers_stack, last_headers);
+			last_headers = NULL;
+		} else if (g_str_has_suffix (id, ".rfc822.end")) {
+			g_warn_if_fail (headers_stack != NULL);
+
+			if (headers_stack) {
+				last_headers = headers_stack->data;
+				headers_stack = g_slist_remove (headers_stack, last_headers);
+			} else {
+				last_headers = NULL;
+			}
+		}
+
+		if (g_strcmp0 (e_mail_part_get_mime_type (part), "application/vnd.evolution.headers") == 0) {
+			last_headers = link;
+			link = g_list_next (link);
+		} else if (g_strcmp0 (e_mail_part_get_mime_type (part), "application/vnd.evolution.secure-button") == 0) {
+			g_warn_if_fail (last_headers != NULL);
+
+			if (last_headers) {
+				GList *next = g_list_next (link);
+
+				g_warn_if_fail (g_queue_remove (part_queue, part));
+				g_queue_insert_before (part_queue, last_headers, part);
+
+				link = next;
+			} else {
+				link = g_list_next (link);
+			}
+		} else {
+			link = g_list_next (link);
+		}
+	}
+
+	g_warn_if_fail (headers_stack == NULL);
+	g_slist_free (headers_stack);
+}
+
+static void
+ mail_parser_run (EMailParser *parser,
+                  EMailPartList *part_list,
+                  GCancellable *cancellable)
+@@ -132,6 +193,8 @@ mail_parser_run (EMailParser *parser,
+ 			break;
+ 	}
+ 
+	mail_parser_move_security_before_headers (&mail_part_queue);
+
+ 	while (!g_queue_is_empty (&mail_part_queue)) {
+ 		mail_part = g_queue_pop_head (&mail_part_queue);
+ 		e_mail_part_list_add_part (part_list, mail_part);
--- a/evolution.spec
+++ b/evolution.spec
--- a/flatpak-evolution-fix-service-names.sh
+++ b/flatpak-evolution-fix-service-names.sh
@ -1,10 +0,0 @@
-#!/bin/bash
-
-# see https://gitlab.gnome.org/GNOME/glib/issues/1737
-# previous versions used milliseconds instead of seconds as the timeout argument",
-(`pkg-config --atleast-version 2.60.1 gio-2.0` || `pkg-config --atleast-version 2.61.0 gio-2.0`) && TIMEOUTMULT= || TIMEOUTMULT=000
-
-sed -e "s|\@SOURCES_SERVICE\@|$(pkg-config --variable=sourcesdbusservicename evolution-data-server-1.2)|" \
-    -e "s|\@ADDRESSBOOK_SERVICE\@|$(pkg-config --variable=addressbookdbusservicename evolution-data-server-1.2)|" \
-    -e "s|\@CALENDAR_SERVICE\@|$(pkg-config --variable=calendardbusservicename evolution-data-server-1.2)|" \
-    -e "s|\@TIMEOUTMULT\@|${TIMEOUTMULT}|"
--- a/flatpak-evolution-wrapper.sh.in
+++ b/flatpak-evolution-wrapper.sh.in
@ -1,29 +0,0 @@
-#!/bin/bash
-
-if [ "$1" = "--quit" -o "$1" = "--force-shutdown" ]; then
-   /app/bin/evolution.bin "$@"
-else
-   export BOGOFILTER_DIR="${XDG_DATA_HOME}/bogofilter/"
-   export GIO_USE_NETWORK_MONITOR=base
-   gsettings reset org.gnome.evolution-data-server network-monitor-gio-name
-
-   LINES=$(gdbus call --session --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus --method org.freedesktop.DBus.ListNames | grep @SOURCES_SERVICE@ | wc -l)
-   if [ "${LINES}" = "0" ]; then
-      /app/libexec/evolution-source-registry &
-      gdbus wait --session --timeout=1@TIMEOUTMULT@ @SOURCES_SERVICE@
-   fi
-
-   LINES=$(gdbus call --session --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus --method org.freedesktop.DBus.ListNames | grep @ADDRESSBOOK_SERVICE@ | wc -l)
-   if [ "${LINES}" = "0" ]; then
-      /app/libexec/evolution-addressbook-factory -r &
-      gdbus wait --session --timeout=1@TIMEOUTMULT@ @ADDRESSBOOK_SERVICE@
-   fi
-
-   LINES=$(gdbus call --session --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus --method org.freedesktop.DBus.ListNames | grep @CALENDAR_SERVICE@ | wc -l)
-   if [ "${LINES}" = "0" ]; then
-      /app/libexec/evolution-calendar-factory -r &
-      gdbus wait --session --timeout=1@TIMEOUTMULT@ @CALENDAR_SERVICE@
-   fi
-
-   /app/bin/evolution.bin "$@"
-fi
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -1,5 +0,0 @@
---
-runpath:
-    allowed_paths:
-        - /usr/lib/evolution
-        - /usr/lib64/evolution
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (evolution-3.59.1.tar.xz) = 26d6d4dfcdbc3d89f88d9e24096c7ff910d221119def75d7f80a397f682be96860726832c7c62b46769ce9cfcc15e5844cbcc016facc9b21b4eb9bbb2c17360d
+SHA512 (evolution-3.28.5.tar.xz) = a8c844afeefe3fd92f9414703222a514ac31f56ed9d8bafd5b04fd2e668720c665179d5bbc878c03bc4c886dc3171fbec181f12faea72bf2b144726bb13e01c7
Author	SHA1	Message	Date
Milan Crha	31b9b16ac5	Resolves: #1677651 (CVE-2018-15587 reposition signature bar)	2019-02-18 12:44:32 +01:00
Milan Crha	96851c33ca	Add BuildRequires/Requires for 'killall' binary With this `evolution --force-shutdown`, alias killev, will find it and will be able to stop evolution(-data-server) processes. It could look also for 'pkill', but none of these seems to be part of build root anymore. Having explicit dependency is better anyway.	2018-10-26 14:05:22 +02:00
Milan Crha	f3cb602ba6	Update to 3.28.5	2018-07-30 16:21:02 +02:00
Milan Crha	1983bd49dc	Update to 3.28.4	2018-07-16 14:41:52 +02:00
Milan Crha	98c2d2eca0	Update to 3.28.3	2018-06-18 11:46:52 +02:00
Milan Crha	12411c4b7f	Update to 3.28.2	2018-05-07 10:57:40 +02:00
Adam Williamson	1261f6702d	Backport fix to strip closing > from URLs when linkifying	2018-04-10 12:01:56 -07:00
Milan Crha	024154180f	Update to 3.28.1	2018-04-09 12:32:49 +02:00
Milan Crha	38e911d3f7	Update to 3.28.0	2018-03-12 10:28:57 +01:00
Milan Crha	32da9b9a08	Update to 3.27.92	2018-03-05 11:58:23 +01:00