rpms/evolution-data-server/FC-6 evolution-data-server-1.8.3-apop-auth-vulnerability.patch, 1.1, 1.2 evolution-data-server.spec, 1.141, 1.142
fedora-cvs-commits at redhat.com
Mon Apr 30 21:03:32 UTC 2007
Author: mbarnes
Update of /cvs/dist/rpms/evolution-data-server/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv32439
Modified Files:
evolution-data-server-1.8.3-apop-auth-vulnerability.patch
evolution-data-server.spec
Log Message:
* Mon Apr 30 2007 Matthew Barnes <mbarnes at redhat.com> - 1.8.3-6.fc6
- Revise patch for RH bug #235290 to not break string freeze.
evolution-data-server-1.8.3-apop-auth-vulnerability.patch:
camel-pop3-store.c | 17 ++++++++++++++++-
1 files changed, 16 insertions(+), 1 deletion(-)
Index: evolution-data-server-1.8.3-apop-auth-vulnerability.patch
===================================================================
RCS file: /cvs/dist/rpms/evolution-data-server/FC-6/evolution-data-server-1.8.3-apop-auth-vulnerability.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- evolution-data-server-1.8.3-apop-auth-vulnerability.patch 24 Apr 2007 20:02:51 -0000 1.1
+++ evolution-data-server-1.8.3-apop-auth-vulnerability.patch 30 Apr 2007 21:03:29 -0000 1.2
@@ -1,5 +1,5 @@
--- evolution-data-server-1.8.3/camel/providers/pop3/camel-pop3-store.c.apop-auth-vulnerability 2007-01-29 04:44:18.000000000 -0500
-+++ evolution-data-server-1.8.3/camel/providers/pop3/camel-pop3-store.c 2007-04-24 15:58:21.000000000 -0400
++++ evolution-data-server-1.8.3/camel/providers/pop3/camel-pop3-store.c 2007-04-30 17:02:31.000000000 -0400
@@ -34,6 +34,7 @@
#include <string.h>
#include <unistd.h>
@@ -8,25 +8,26 @@
#include "camel-operation.h"
-@@ -489,6 +490,21 @@
+@@ -489,7 +490,21 @@
} else if (strcmp(service->url->authmech, "+APOP") == 0 && store->engine->apop) {
char *secret, md5asc[33], *d;
unsigned char md5sum[16], *s;
+-
+
+ d = store->engine->apop;
+
+ while (*d != '\0') {
+ if (!isascii((int)*d)) {
++
+ camel_exception_setv (ex, CAMEL_EXCEPTION_SERVICE_URL_INVALID,
-+ _("Unable to connect to POP server %s: "
-+ "Invalid APOP ID received. Impersonation attack "
-+ "suspected. Please contact your admin."),
++ _("Unable to connect to POP server %s: "),
+ CAMEL_SERVICE (store)->url->host);
+
+ return FALSE;
+ }
+ d++;
+ }
-
++
secret = g_alloca(strlen(store->engine->apop)+strlen(service->url->passwd)+1);
sprintf(secret, "%s%s", store->engine->apop, service->url->passwd);
+ md5_get_digest(secret, strlen (secret), md5sum);
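Review bot: In the `!isascii` branch, the revised `camel_exception_setv` message is now only `_("Unable to connect to POP server %s: ")`, which stops at the colon and gives the user no reason for the failure; the removed lines ("Invalid APOP ID received. Impersonation attack suspected.") were the only place the cause was stated. If the string freeze rules out a new translatable string, consider reporting the reason through an untranslated channel such as a `g_warning()` beside the `return FALSE;`, so a rejected APOP ID can be told apart from an ordinary connection failure. Separately, the loop rejects only bytes for which `isascii()` is false, so ASCII control characters in `store->engine->apop` still reach the `sprintf` and `md5_get_digest` calls; a comment stating whether that is intended would help the next reader.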
Index: evolution-data-server.spec
===================================================================
RCS file: /cvs/dist/rpms/evolution-data-server/FC-6/evolution-data-server.spec,v
retrieving revision 1.141
retrieving revision 1.142
diff -u -r1.141 -r1.142
--- evolution-data-server.spec 24 Apr 2007 20:02:51 -0000 1.141
+++ evolution-data-server.spec 30 Apr 2007 21:03:29 -0000 1.142
@@ -25,7 +25,7 @@
Name: evolution-data-server
Version: 1.8.3
-Release: 5%{?dist}
+Release: 6%{?dist}
License: LGPL
Group: System Environment/Libraries
Summary: Backend data server for Evolution
@@ -379,6 +379,9 @@
%{_libdir}/pkgconfig/libexchange-storage-%{eds_api_version}.pc
%changelog
+* Mon Apr 30 2007 Matthew Barnes <mbarnes at redhat.com> - 1.8.3-6.fc6
+- Revise patch for RH bug #235290 to not break string freeze.
+
* Tue Apr 24 2007 Matthew Barnes <mbarnes at redhat.com> - 1.8.3-5.fc6
- Add patch for RH bug #235290 (APOP authentication vulnerability).
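Review bot: The new `%changelog` entry for 1.8.3-6.fc6 says only that the patch was revised "to not break string freeze" and does not record what changes for the user, namely that the error shown for a rejected APOP ID loses its explanatory text while the `isascii` check from 1.8.3-5 stays in place. Suggest a second bullet under the entry saying so, so that someone reading the changelog alone can see the fix for RH bug #235290 is still applied.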