- Revise patch for RH bug #235290 to not break string freeze.

2007-04-30 20:58:25 +00:00 · 2007-04-30 20:58:25 +00:00 · 1d8712e370
commit 1d8712e370
parent ec880f9f66
2 changed files with 11 additions and 7 deletions
--- a/evolution-data-server-1.10.1-apop-auth-vulnerability.patch
+++ b/evolution-data-server-1.10.1-apop-auth-vulnerability.patch
@ -1,5 +1,5 @@
 --- evolution-data-server-1.10.1/camel/providers/pop3/camel-pop3-store.c.apop-auth-vulnerability	2007-04-09 08:42:37.000000000 -0400
-+++ evolution-data-server-1.10.1/camel/providers/pop3/camel-pop3-store.c	2007-04-24 16:12:28.000000000 -0400
+++ evolution-data-server-1.10.1/camel/providers/pop3/camel-pop3-store.c	2007-04-30 16:42:12.000000000 -0400
@@ -34,6 +34,7 @@
 #include <string.h>
 #include <unistd.h>
@ -8,25 +8,26 @@
 
 #include "camel-operation.h"
 
-@@ -489,6 +490,21 @@
+@@ -489,7 +490,21 @@
 	} else if (strcmp(service->url->authmech, "+APOP") == 0 && store->engine->apop) {
 		char *secret, md5asc[33], *d;
 		unsigned char md5sum[16], *s;
+-		
 +
 +		d = store->engine->apop;
 +
 +		while (*d != '\0') {
 +			if (!isascii((int)*d)) {
+
 +				camel_exception_setv (ex, CAMEL_EXCEPTION_SERVICE_URL_INVALID,
-+						_("Unable to connect to POP server %s: "
-+						"Invalid APOP ID received. Impersonation attack "
-+						"suspected. Please contact your admin."),
+						_("Unable to connect to POP server %s: "),
 +						CAMEL_SERVICE (store)->url->host);
 +
 +				return FALSE;
 +			}
 +			d++;
 +		}
- 		
+
 		secret = g_alloca(strlen(store->engine->apop)+strlen(service->url->passwd)+1);
 		sprintf(secret, "%s%s",  store->engine->apop, service->url->passwd);
+ 		md5_get_digest(secret, strlen (secret), md5sum);
--- a/evolution-data-server.spec
+++ b/evolution-data-server.spec
@ -26,7 +26,7 @@

 Name: evolution-data-server
 Version: 1.10.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPL
 Group: System Environment/Libraries
 Summary: Backend data server for Evolution
@ -392,6 +392,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/pkgconfig/libexchange-storage-%{eds_api_version}.pc

 %changelog
+* Mon Apr 30 2007 Matthew Barnes <mbarnes@redhat.com> - 1.10.1-3.fc7
+- Revise patch for RH bug #235290 to not break string freeze.
+
 * Tue Apr 24 2007 Matthew Barnes <mbarnes@redhat.com> - 1.10.1-2.fc7
 - Add patch for RH bug #235290 (APOP authentication vulnerability).