gnu: evolution: Fix CVE-2020-11879.

* gnu/packages/patches/evolution-CVE-2020-11879.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/gnome.scm (evolution): Apply it.

diff --git a/gnu/local.mk b/gnu/local.mk
index e24cee8..9e20260 100644 (file)
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -973,6 +973,7 @@ dist_patch_DATA =                                           \
   %D%/packages/patches/erlang-man-path.patch                   \
   %D%/packages/patches/eudev-rules-directory.patch             \
   %D%/packages/patches/evilwm-lost-focus-bug.patch             \
+  %D%/packages/patches/evolution-CVE-2020-11879.patch          \
   %D%/packages/patches/evolution-data-server-CVE-2020-14928.patch      \
   %D%/packages/patches/evolution-data-server-CVE-2020-16117.patch      \
   %D%/packages/patches/evolution-data-server-locales.patch     \

diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 1db2de4..5ee28ee 100644 (file)
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -10711,7 +10711,8 @@ generic enough to work for everyone.")
                                   "evolution-" version ".tar.xz"))
               (sha256
                (base32
-                "164vy8h432pjglafn8y2ms4gsvk3kbgc63h5qp0mk5dv4smsp29c"))))
+                "164vy8h432pjglafn8y2ms4gsvk3kbgc63h5qp0mk5dv4smsp29c"))
+              (patches (search-patches "evolution-CVE-2020-11879.patch"))))
     (build-system cmake-build-system)
     (arguments
      `(#:imported-modules (,@%cmake-build-system-modules

diff --git a/gnu/packages/patches/evolution-CVE-2020-11879.patch b/gnu/packages/patches/evolution-CVE-2020-11879.patch
new file mode 100644 (file)
index 0000000..8c85895
--- /dev/null
+++ b/gnu/packages/patches/evolution-CVE-2020-11879.patch
@@ -0,0 +1,122 @@
+From 6489f20d6905cc797e2b2581c415e558c457caa7 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Wed, 12 Feb 2020 18:59:52 +0100
+Subject: [PATCH] I#784 - Warn about and limit what can be attached using
+ mailto: URI
+
+Closes https://gitlab.gnome.org/GNOME/evolution/issues/784
+---
+ src/composer/e-msg-composer.c | 58 +++++++++++++++++++++++++++++------
+ src/e-util/e-system.error.xml |  7 ++++-
+ 2 files changed, 54 insertions(+), 11 deletions(-)
+
+diff --git a/src/composer/e-msg-composer.c b/src/composer/e-msg-composer.c
+index e4c9ac095e..cd3168d882 100644
+--- a/src/composer/e-msg-composer.c
++++ b/src/composer/e-msg-composer.c
+@@ -4761,7 +4761,8 @@ handle_mailto (EMsgComposer *composer,
+       gchar *header, *content, *buf;
+       gsize nread, nwritten;
+       const gchar *p;
+-      gint len, clen;
++      gint len, clen, has_attachments = 0;
++      gboolean has_blacklisted_attachment = FALSE;
+ 
+       table = e_msg_composer_get_header_table (composer);
+       view = e_msg_composer_get_attachment_view (composer);
+@@ -4844,22 +4845,36 @@ handle_mailto (EMsgComposer *composer,
+                       } else if (!g_ascii_strcasecmp (header, "attach") ||
+                                  !g_ascii_strcasecmp (header, "attachment")) {
+                               EAttachment *attachment;
++                              GFile *file;
+ 
+                               camel_url_decode (content);
+-                              if (file_is_blacklisted (content))
+-                                      e_alert_submit (
+-                                              E_ALERT_SINK (e_msg_composer_get_editor (composer)),
+-                                              "mail:blacklisted-file",
+-                                              content, NULL);
+                               if (g_ascii_strncasecmp (content, "file:", 5) == 0)
+                                       attachment = e_attachment_new_for_uri (content);
+                               else
+                                       attachment = e_attachment_new_for_path (content);
+-                              e_attachment_store_add_attachment (store, attachment);
+-                              e_attachment_load_async (
+-                                      attachment, (GAsyncReadyCallback)
+-                                      e_attachment_load_handle_error, composer);
++                              file = e_attachment_ref_file (attachment);
++                              if (!file || !g_file_peek_path (file) ||
++                                  !g_file_test (g_file_peek_path (file), G_FILE_TEST_EXISTS) ||
++                                  g_file_test (g_file_peek_path (file), G_FILE_TEST_IS_DIR)) {
++                                      /* Do nothing, simply ignore the attachment request */
++                              } else {
++                                      has_attachments++;
++
++                                      if (file_is_blacklisted (content)) {
++                                              has_blacklisted_attachment = TRUE;
++                                              e_alert_submit (
++                                                      E_ALERT_SINK (e_msg_composer_get_editor (composer)),
++                                                      "mail:blacklisted-file",
++                                                      content, NULL);
++                                      }
++
++                                      e_attachment_store_add_attachment (store, attachment);
++                                      e_attachment_load_async (
++                                              attachment, (GAsyncReadyCallback)
++                                              e_attachment_load_handle_error, composer);
++                              }
+                               g_object_unref (attachment);
++                              g_clear_object (&file);
+                       } else if (!g_ascii_strcasecmp (header, "from")) {
+                               /* Ignore */
+                       } else if (!g_ascii_strcasecmp (header, "reply-to")) {
+@@ -4883,6 +4898,29 @@ handle_mailto (EMsgComposer *composer,
+ 
+       g_free (buf);
+ 
++      if (has_attachments && !has_blacklisted_attachment) {
++              const gchar *primary;
++              gchar *secondary;
++
++              primary = g_dngettext (GETTEXT_PACKAGE,
++                      "Review attachment before sending.",
++                      "Review attachments before sending.",
++                      has_attachments);
++
++              secondary = g_strdup_printf (g_dngettext (GETTEXT_PACKAGE,
++                      "There had been added %d attachment. Make sure it does not contain any sensitive information before sending the message.",
++                      "There had been added %d attachments. Make sure they do not contain any sensitive information before sending the message.",
++                      has_attachments),
++                      has_attachments);
++
++              e_alert_submit (
++                      E_ALERT_SINK (e_msg_composer_get_editor (composer)),
++                      "system:generic-warning",
++                      primary, secondary, NULL);
++
++              g_free (secondary);
++      }
++
+       merge_always_cc_and_bcc (table, to, &cc, &bcc);
+ 
+       tov = destination_list_to_vector (to);
+diff --git a/src/e-util/e-system.error.xml b/src/e-util/e-system.error.xml
+index ddcf989fda..02facb7d26 100644
+--- a/src/e-util/e-system.error.xml
++++ b/src/e-util/e-system.error.xml
+@@ -1,6 +1,11 @@
+ <?xml version="1.0"?>
+ <error-list domain="system">
+-  <error type="error" id="generic-error">
++  <error id="generic-error" type="error">
++    <primary>{0}</primary>
++    <secondary>{1}</secondary>
++  </error>
++
++  <error id="generic-warning" type="warning">
+     <primary>{0}</primary>
+     <secondary>{1}</secondary>
+   </error>
+-- 
+GitLab
+