- Add patch for RH bug #235290 (APOP authentication vulnerability).
This commit is contained in:
parent
921a69f9a4
commit
ec880f9f66
32
evolution-data-server-1.10.1-apop-auth-vulnerability.patch
Normal file
32
evolution-data-server-1.10.1-apop-auth-vulnerability.patch
Normal file
@ -0,0 +1,32 @@
|
||||
--- evolution-data-server-1.10.1/camel/providers/pop3/camel-pop3-store.c.apop-auth-vulnerability 2007-04-09 08:42:37.000000000 -0400
|
||||
+++ evolution-data-server-1.10.1/camel/providers/pop3/camel-pop3-store.c 2007-04-24 16:12:28.000000000 -0400
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
+#include <ctype.h>
|
||||
|
||||
#include "camel-operation.h"
|
||||
|
||||
@@ -489,6 +490,21 @@
|
||||
} else if (strcmp(service->url->authmech, "+APOP") == 0 && store->engine->apop) {
|
||||
char *secret, md5asc[33], *d;
|
||||
unsigned char md5sum[16], *s;
|
||||
+
|
||||
+ d = store->engine->apop;
|
||||
+
|
||||
+ while (*d != '\0') {
|
||||
+ if (!isascii((int)*d)) {
|
||||
+ camel_exception_setv (ex, CAMEL_EXCEPTION_SERVICE_URL_INVALID,
|
||||
+ _("Unable to connect to POP server %s: "
|
||||
+ "Invalid APOP ID received. Impersonation attack "
|
||||
+ "suspected. Please contact your admin."),
|
||||
+ CAMEL_SERVICE (store)->url->host);
|
||||
+
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ d++;
|
||||
+ }
|
||||
|
||||
secret = g_alloca(strlen(store->engine->apop)+strlen(service->url->passwd)+1);
|
||||
sprintf(secret, "%s%s", store->engine->apop, service->url->passwd);
|
@ -26,7 +26,7 @@
|
||||
|
||||
Name: evolution-data-server
|
||||
Version: 1.10.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: LGPL
|
||||
Group: System Environment/Libraries
|
||||
Summary: Backend data server for Evolution
|
||||
@ -78,6 +78,9 @@ Patch22: evolution-data-server-1.9.92-isa-support.patch
|
||||
# GNOME bug #417999
|
||||
Patch23: evolution-data-server-1.10.0-code-cleanup.patch
|
||||
|
||||
# RH bug #235290 / GNOME bug #424373
|
||||
Patch24: evolution-data-server-1.10.1-apop-auth-vulnerability.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
Requires: GConf2
|
||||
@ -171,6 +174,7 @@ evolution-data-server.
|
||||
%patch21 -p1 -b .e-passwords
|
||||
%patch22 -p1 -b .isa-support
|
||||
%patch23 -p1 -b .code-cleanup
|
||||
%patch24 -p1 -b .apop-auth-vulnerability
|
||||
|
||||
mkdir -p krb5-fakeprefix/include
|
||||
mkdir -p krb5-fakeprefix/lib
|
||||
@ -388,6 +392,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_libdir}/pkgconfig/libexchange-storage-%{eds_api_version}.pc
|
||||
|
||||
%changelog
|
||||
* Tue Apr 24 2007 Matthew Barnes <mbarnes@redhat.com> - 1.10.1-2.fc7
|
||||
- Add patch for RH bug #235290 (APOP authentication vulnerability).
|
||||
|
||||
* Mon Apr 09 2007 Matthew Barnes <mbarnes@redhat.com> - 1.10.1-1.fc7
|
||||
- Update to 1.10.1
|
||||
- Remove evolution-data-server-1.10.0-no-more-beeps.patch (fixed upstream).
|
||||
|
Loading…
Reference in New Issue
Block a user