author | Christian Faulhammer <fauli@gentoo.org> | 2012-11-18 11:07:26 +0000 |
---|---|---|
committer | Christian Faulhammer <fauli@gentoo.org> | 2012-11-18 11:07:26 +0000 |
commit | 926c4ca4f5ee99a7730e0f7013d8952a11cb7b95 (patch) | |
tree | 9c298a4e6d6420b7f0d9f91b82d293dff8561a2c /mail-client | |
parent | Clarify metadata. (diff) | |
fix minor password disclosure in system tray, see security bug 443500
Package-Manager: portage-2.1.11.31/cvs/Linux i686
Manifest-Sign-Key: 0x2B859DE3
Diffstat (limited to 'mail-client')
4 files changed, 199 insertions, 5 deletions
diff --git a/mail-client/claws-mail-vcalendar/ChangeLog b/mail-client/claws-mail-vcalendar/ChangeLog
index bf165784f1f2..0765bfca31ca 100644
--- a/mail-client/claws-mail-vcalendar/ChangeLog
+++ b/mail-client/claws-mail-vcalendar/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for mail-client/claws-mail-vcalendar
 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/mail-client/claws-mail-vcalendar/ChangeLog,v 1.120 2012/10/31 18:50:10 nativemad Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-client/claws-mail-vcalendar/ChangeLog,v 1.121 2012/11/18 11:07:20 fauli Exp $
+
+*claws-mail-vcalendar-2.0.13-r1 (18 Nov 2012)
+
+ 18 Nov 2012; Christian Faulhammer <fauli@gentoo.org>
+ +claws-mail-vcalendar-2.0.13-r1.ebuild,
+ +files/claws-mail-vcalendar-2.0.13_password-disclosure.patch:
+ fix minor password disclosure in system tray, see security bug 443500
 
 31 Oct 2012; Andreas Schuerch <nativemad@gentoo.org>
 claws-mail-vcalendar-2.0.13.ebuild:
diff --git a/mail-client/claws-mail-vcalendar/Manifest b/mail-client/claws-mail-vcalendar/Manifest
index 0c2c746ce2ba..ebc3ec64d1f2 100644
--- a/mail-client/claws-mail-vcalendar/Manifest
+++ b/mail-client/claws-mail-vcalendar/Manifest
@@ -1,16 +1,18 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX claws-mail-vcalendar-2.0.13_password-disclosure.patch 5015 SHA256 cc432618771d473c15aeb30d7cd81460ac4549b3f23e418b7d5f315633096263 SHA512 4bd2dc92ea4bb9bfe6159ed68ec309c3cd69dd7244e48b4e7b4be349ef8eb90643da93b4f44110888d2e6d23a53196080a551ebbade90e148a2e52573d99f02a WHIRLPOOL 7bcf358455b64600041f0a57a13daab568cb2152893cef7ced9be5d7589958d9ee4922f6fb177c09cf16364ee806f0a83f59dd2a3c71965c7679463b153b3756 DIST vcalendar-2.0.12.tar.gz 858245 SHA256 0826a874252a9839f88681fb96fedbbfee06c1e843f4188a92f475d7a2615cf7 SHA512 e6eec70beac719de2f2c5e368894c74e2361a7a118f6d8a080f0c56fcf051e1b387ee81e2a9b9ee1da4e7fb35f09bf9a3d16740ff8928d686bc71f7db63d696a WHIRLPOOL 8708640bdc22180803548d0902540e3bffb447ced9f351c9198c0c867339ce1d473f6d4bf5bb3f5006e794319a8cd473c822fd3a9f90fb63c929caa9feccbcc0 DIST vcalendar-2.0.13.tar.gz 861524 SHA256 8971d3b9e7fc54343b02a86c0ac86847f362bb345a077d2548f4872ff4a0e9b8 SHA512 a8c6a0c0ccb6d47b25468006f3d667a62efa51386c77d508b1b9c8fe00cf94bc9298a8892d49751162e2b283db7d7259d57ccb8ec93dbd59d545329cfe7fb77f WHIRLPOOL 5e832e89ba7c1222dbe926a47a8beb5d381241046e788f6ce9e6a918bce3ae8120a85cb1be92104eb343482b0f09e8923837b434c7f92f2a2fab18210dff4c16 EBUILD claws-mail-vcalendar-2.0.12.ebuild 923 SHA256 b50be35a3acd3798197202cd09371d5ca0a0a0a2d1c8b5acec21c6f5f182fa4e SHA512 f7dd3293c0709a9aaede287527be3c25b011b7ea3a0acf8ed8bf7ec772201877dac7624a5d1f871ea4e570e4f01135327049d109d4303ff349d1134f81a26645 WHIRLPOOL 44fc507dca2ba6396800ed1133843c3b609be167af213117cb25bcbbce338f0aec88349235a45ea0602c87a3a28cfe5a0207cbc5b897c1a0f44b5c689c763662 +EBUILD claws-mail-vcalendar-2.0.13-r1.ebuild 926 SHA256 4f73d6f3ec283fd0e6739348ea3e54c5e0bad3b47194f2f45497ea71e2bafe50 SHA512 b1b7a77c4671ed1e8e9edb68187eead970dbafe503ad97288467b13ed4c4be3a63f1fce9cf2a0cc482f96793e5e4401b954eb628fb882f65d2059e0522839d24 WHIRLPOOL 
1cd28a0dc5364499ed795c6a636acade2c4948bd146b4cad3bf5fa3c5cfbd2dfbc4d49d684ea90dcbf83a5dbe20a32b0122a187bda53be1e28c4307c4cf348d6 EBUILD claws-mail-vcalendar-2.0.13.ebuild 928 SHA256 8346f781ea39d632ff644b640f67cfa9c801520e07252845f285a41dc338234a SHA512 425b083a6c23b254a30daea8aa39719b159b4d5a171d2dfaa381c4a1ac698b04e767e87ba62c07d0b0d9330f30a90d12f9b5c966a06c3ed39edf4720cb375ae4 WHIRLPOOL 9bdf5f3ff9202f96694835dbdab563878d3466608ac56db70ad195cade6631132abc758f8455013b01653796e7450bb49a3aae8c39d319d03793509404e1bb3f -MISC ChangeLog 16365 SHA256 496b51bdefb2c5e5aa47fda13064c205f3e01734426049314002af9cb5fb4527 SHA512 841c9bea5b7aa5109d0b1b2733128a728d3d85e6fbb009c128b391557440139b61a83e73b5e86bb8b90ad935ff9dd1bc8233292511f37815d0f952fcd80ae2e5 WHIRLPOOL 54bdfe458c27cc4094854c513412773849a974489e055a2e45793416f0e3a8a0b96ce3135d2cb49e047ee4e9945d988949fd627f8c6789059cc39db63c9ace8b +MISC ChangeLog 16642 SHA256 3e5612e1ab2ec4906354fcfe0b90f2bb5297255c02dec12a0782ddd027f9eeec SHA512 cd05353ac701e9da21d9be449c23a53f21f4c6803056f9b9c4692ed431b18fc8dcfab696dc85c60b0cd864938f32fcf8ac532ab8f62cc524a9ec7d362bf1ebb9 WHIRLPOOL cc4f67d8ea123d6e63b816fe33400b93b6e4dc9098f3533e7560550bc3f27b3c0f59c50c7377838613e6badd419f7b86e77f62fb107f984f00b81761bb135761 MISC metadata.xml 263 SHA256 fccc92cbfc301eb65d5ea4c614dd69b256cf2a6ddc17fa631e28420d0d2b1622 SHA512 951dba4b79af455c34b4e3519813e09d19c4b6bc0cde462a0917093528f3745d7474f803968da7f16d7e63c9053f41d1f698744f04b6bf606e4ca948993c8701 WHIRLPOOL 0068c0b9e1fd8d29ca3609b0f0d638dd93a4c4ed4b47fc0c336b2407c1b60cd8e4dd6ff5fa17f473280b9bc1c8b2c6580206dd04ed8e3007a72b268541e68188 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iEYEAREIAAYFAlCRcT4ACgkQakKUmsHeVLI4oQCcCR6TihyJtPdLCIpXHq53lEYy -VWQAnRjPpY0+yzO1lPqti/+uxjlfom3l -=wkD+ +iEYEAREIAAYFAlCowXwACgkQNQqtfCuFnePyhQCglF1OTQ0Ey+2NK6DoVmogSdmT +SxMAnjbtKIKLwmi8cO69gwjzVy9E/qBx +=e17G -----END PGP SIGNATURE----- 
diff --git a/mail-client/claws-mail-vcalendar/claws-mail-vcalendar-2.0.13-r1.ebuild b/mail-client/claws-mail-vcalendar/claws-mail-vcalendar-2.0.13-r1.ebuild
new file mode 100644
index 000000000000..4e18c5591779
--- /dev/null
+++ b/mail-client/claws-mail-vcalendar/claws-mail-vcalendar-2.0.13-r1.ebuild
@@ -0,0 +1,35 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/mail-client/claws-mail-vcalendar/claws-mail-vcalendar-2.0.13-r1.ebuild,v 1.1 2012/11/18 11:07:20 fauli Exp $
+
+EAPI=4
+
+inherit eutils multilib
+
+MY_P="${P#claws-mail-}"
+
+DESCRIPTION="Plugin for Claws to support the vCalendar meeting format"
+HOMEPAGE="http://www.claws-mail.org/"
+SRC_URI="http://www.claws-mail.org/downloads/plugins/${MY_P}.tar.gz"
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ppc ~ppc64 ~sparc ~x86"
+IUSE=""
+RDEPEND=">=mail-client/claws-mail-3.8.1
+ >=net-misc/curl-7.9.7"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+S="${WORKDIR}/${MY_P}"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}_password-disclosure.patch
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die
+ dodoc AUTHORS ChangeLog README
+
+ # going to conflict with libical
+ rm -f "${D}"/usr/include/ical.h
+}
diff --git a/mail-client/claws-mail-vcalendar/files/claws-mail-vcalendar-2.0.13_password-disclosure.patch b/mail-client/claws-mail-vcalendar/files/claws-mail-vcalendar-2.0.13_password-disclosure.patch
new file mode 100644
index 000000000000..4bea430cd31c
--- /dev/null
+++ b/mail-client/claws-mail-vcalendar/files/claws-mail-vcalendar-2.0.13_password-disclosure.patch
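Review bot: `emake DESTDIR="${D}" install || die` in src_install carries a redundant `|| die`: with `EAPI=4` emake already dies on failure, so `emake DESTDIR="${D}" install` is enough. The `inherit eutils multilib` line pulls in multilib, but nothing in the visible ebuild calls a multilib helper such as get_libdir; if the upstream build does not need it the inherit can be dropped, which is not verifiable from here.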
@@ -0,0 +1,150 @@
+In some instances, it might be the case that the only possible way to access a
+calendaring service is through https, and in such cases, the only way to
+authenticate (at least within the confines of vCalendar) is by embedding the
+username:password into the ics URL and/or have a 'private' url that shouldn't
+be shared.
+
+In either case, after configuring a calendar and trying to access it, the full
+url is displayed in the status tray when trying to poll the calendar, something
+like:
+
+Fetching 'https://user:password@server.example.com/location/of/my/Calendar'...
+
+Thus, use of the vCalendar plugin really isn't suitable or secure for such
+configurations! In the scenarios above, the former is more of a concern but
+neither is one you'd necessarily want to expose to prying eyes. Even a google
+calendar "private url", for example, is visible it its entirety within the
+status tray.
+
+SOLUTION:
+Simply display the name that user has given to the calendar subscription in the
+tray instead. Instead of what is currently displayed, just display something
+like
+
+Fetching 'My Enterprisey Collaboration Suite Calendar..."
+Fetching 'Google Calendar'...
+
+Upstream bug report: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
+Gentoo bug report: https://bugs.gentoo.org/show_bug.cgi?id=443500
+
+--- src/vcal_folder.c 11 Jul 2012 22:01:23 -0000 1.2.2.120
++++ src/vcal_folder.c 16 Nov 2012 09:03:33 -0000 1.2.2.121
+@@ -1609,7 +1609,7 @@
+ return GINT_TO_POINTER(0);
+ }
+ 
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+ void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error))
+ {
+ gchar *result;
+@@ -1618,25 +1618,19 @@
+ pthread_t pt;
+ pthread_attr_t pta;
+ #endif
+- gchar *msg;
+ void *res;
+ gboolean killed;
+ gchar *error = NULL;
+ result = NULL;
+ td = g_new0(thread_data, 1);
+- msg = NULL;
+ res = NULL;
+ killed = FALSE;
+-
++
+ td->url = url;
+ td->result = NULL;
+ td->done = FALSE;
+-
+- msg = g_strdup_printf(_("Fetching '%s'..."), url);
+-
+- STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg);
+-
+- g_free(msg);
++
++ STATUSBAR_PUSH(mainwindow_get_mainwindow(), label);
+ 
+ #ifdef USE_PTHREAD
+ if (pthread_attr_init(&pta) != 0 ||
+@@ -1868,7 +1862,8 @@
+ static void update_subscription(const gchar *uri, gboolean verbose)
+ {
+ FolderItem *item = get_folder_item_for_uri(uri);
+-
++ gchar *label;
++
+ if (prefs_common_get_prefs()->work_offline) {
+ if (!verbose ||
+ !inc_offline_should_override(TRUE,
+@@ -1882,7 +1877,11 @@
+ return;
+ }
+ main_window_cursor_wait(mainwindow_get_mainwindow());
+- vcal_curl_read(uri, verbose, update_subscription_finish);
++
++ label = g_strdup_printf(_("Fetching calendar for %s..."),
++ item && item->name ? item->name : _("new subscription"));
++ vcal_curl_read(uri, label, verbose, update_subscription_finish);
++ g_free(label);
+ }
+ 
+ static void check_subs_cb(GtkAction *action, gpointer data)
+Index: src/vcal_folder.h
+===================================================================
+RCS file: //plugins/vcalendar/src/vcal_folder.h,v
+retrieving revision 1.1.2.15
+retrieving revision 1.1.2.16
+diff -u -B -u -r1.1.2.15 -r1.1.2.16
+--- src/vcal_folder.h 6 Nov 2011 12:06:21 -0000 1.1.2.15
++++ src/vcal_folder.h 16 Nov 2012 09:03:33 -0000 1.1.2.16
+@@ -36,7 +36,7 @@
+ void vcal_folder_export(Folder *folder);
+ 
+ gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass);
+-gchar *vcal_curl_read(const char *url, gboolean verbose,
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose,
+ void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar
+ *error));
+ gchar* get_item_event_list_for_date(FolderItem *item, EventTime date);
+Index: src/vcal_meeting_gtk.c
+===================================================================
+RCS file: //plugins/vcalendar/src/vcal_meeting_gtk.c,v
+retrieving revision 1.1.2.95
+retrieving revision 1.1.2.96
+diff -u -B -u -r1.1.2.95 -r1.1.2.96
+--- src/vcal_meeting_gtk.c 30 Oct 2011 10:12:54 -0000 1.1.2.95
++++ src/vcal_meeting_gtk.c 16 Nov 2012 09:03:33 -0000 1.1.2.96
+@@ -1085,7 +1085,7 @@
+ 
+ if (!local_only) {
+ remail = g_strdup(email);
+- g_free(email);
+
+ extract_address(remail);
+ if (strrchr(remail, ' '))
+ user = g_strdup(strrchr(remail, ' ')+1);
+@@ -1125,17 +1125,22 @@
+ && strncmp(tmp, "ftp://", 6))
+ contents = file_read_to_str(tmp);
+ else {
++ gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email);
+ if (!strncmp(tmp, "webcal://", 9)) {
+ gchar *tmp2 = g_strdup_printf("http://%s", tmp+9);
+ g_free(tmp);
+ tmp = tmp2;
+ }
+- contents = vcal_curl_read(tmp, FALSE, NULL);
++ contents = vcal_curl_read(tmp, label, FALSE, NULL);
++ g_free(label);
+ }
+ } else {
+ contents = NULL;
+ }
++
++ g_free(email);
+ g_free(tmp);
++
+ if (contents == NULL) {
+ uncertain = TRUE;
+ att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed"));
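Review bot: `g_free(email)` in the @@ -1125 hunk of vcal_meeting_gtk.c is now reached on both branches of `if (!local_only)`, whereas the call removed in the @@ -1085 hunk only ran on the `!local_only` path; the hunk does not show where `email` comes from, so confirm it is a heap string this function owns on the `local_only` path too, otherwise this frees a borrowed pointer or double-frees. The enclosing function starts and ends outside the hunk. The new `label` parameter of `vcal_curl_read` is undocumented in vcal_folder.h; a comment such as `/* label: user-visible text pushed to the status bar while fetching; must not contain the URL, which may carry credentials; the callee does not take ownership */` would keep the next caller from passing the URL back in. Whether the URL is still surfaced through the `callback`/`error` path is not visible in this hunk and is worth checking for the same reason.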