Summary: | <gnome-extra/evolution-data-server-2.24.5-r3 S/MIME signature spoofing (CVE-2009-0547) | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | gnome |
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.gnome.org/show_bug.cgi?id=564465 | |
Whiteboard: | A4 [noglsa] | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | |
Bug Blocks: | 238650 | |
Description
Robert Buchholz (RETIRED)
2009-02-13 17:45:24 UTC
I have backported versions of this; however, all my s/mime signed messages are failing now. I've commented on the upstream bug, and will wait to commit until they respond.

Okay, upstream has re-fixed this, and I've verified it. Committed as:

evolution-2.24.5-r1
evolution-2.22.3-r2

2.24.5 is being stabilized as part of bug #260063 so this bug interacts with that one.

Arches, please test and mark stable (depending on your state of bug 260063):

=gnome-extra/evolution-data-server-2.22.3-r2
=gnome-extra/evolution-data-server-2.24.5-r1

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Building evolution with 2.22.3-r2 fails here (builds fine with gnome-extra/evolution-data-server-2.22.3-r1):

i686-pc-linux-gnu-gcc -O2 -march=i686 -pipe -Wall -Wmissing-prototypes -Wno-sign-compare -Wl,-O1 -o .libs/test-calendar test-calendar.o -pthread ./.libs/libemiscwidgets.so ../../e-util/.libs/libeutil.so /usr/lib/libgnomeui-2.so /usr/lib/libSM.so /usr/lib/libICE.so /usr/lib/libbonoboui-2.so /usr/lib/libgnomevfs-2.so /usr/lib/libgnomecanvas-2.so /usr/lib/libart_lgpl_2.so /usr/lib/libedataserverui-1.2.so /usr/lib/libglade-2.0.so /usr/lib/libebook-1.2.so /usr/lib/libgtk-x11-2.0.so /usr/lib/libgdk-x11-2.0.so /usr/lib/libatk-1.0.so /usr/lib/libgdk_pixbuf-2.0.so /usr/lib/libpangocairo-1.0.so /usr/lib/libpango-1.0.so /usr/lib/libcairo.so /usr/lib/libgnome-2.so /usr/lib/libpopt.so /usr/lib/libedataserver-1.2.so /usr/lib/libxml2.so /usr/lib/libgconf-2.so /usr/lib/libbonobo-2.so /usr/lib/libbonobo-activation.so /usr/lib/libgmodule-2.0.so -ldl /usr/lib/libORBit-2.so /usr/lib/libgthread-2.0.so -lrt /usr/lib/libgobject-2.0.so /usr/lib/libglib-2.0.so -Wl,--rpath -Wl,/usr/lib/evolution/2.22

/usr/lib/libcamel-provider-1.2.so.11: undefined reference to `set_nss_error'

collect2: ld returned 1 exit status

make[3]: *** [test-calendar] Error 1

make[3]: *** Waiting for unfinished jobs....

I get the same error on alpha.

Sorry, it didn't occur to me to rebuild evo against it. I've fixed both the 2.22 and the 2.24 versions, and test built evo against them.

amd64/x86 stable

ppc64 done

Both stable on alpha.

ia64 stable for both, sparc only for 2.22, since 2.24 sigbuses and stuff...

ppc done

=gnome-extra/evolution-data-server-2.22.3-r2 stable for HPPA. GNOME 2.24 will happen in due time.

After patch CVE-2009-0547 my evo doesn't properly show some S/MIME signed messages. It only shows "Digests missing from enveloped data". So I checked 2.24.5-r1, 2.24.5-r2 and 2.24.5. 2.24.5 works ok. Then I commented out patch CVE-2009-0547 from the 2.24.5-r2 ebuild and now every message is visible. Could you explain what is wrong with this patch or my emails?

There's been a regression due to the patch, upstream has committed a revised version.

The regression has been fixed in this commit:
http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=10194

gnome, can you update the patch so we can re-stable ? Thanks!

(In reply to comment #16)
> The regression has been fixed in this commit:
> http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=10194
>
> gnome, can you update the patch so we can re-stable ? Thanks!

in 2.24.5-r3, sorry for taking so long.

Arches, please test and mark stable:

=gnome-extra/evolution-data-server-2.24.5-r3

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

x86 stable

Marked ppc/ppc64 stable.

Stable for HPPA.

amd64 stable

alpha/arm/ia64/sparc stable

GLSA con bug 261203.

ping ? all of gnome 2.24 is going away soon.

This issue has been fixed since Aug 02, 2009. No GLSA will be issued.