Subject: fix CVE-2012-5527: credentials exposed on interface Author: Colin Leroy <colin@colino.net> Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782 Bug-Debian: http://bugs.debian.org/693391 Applied-Upstream: 2.0.14cvs3 diff -urN claws-mail-extra-plugins-3.9.0.orig/vcalendar-2.0.14/src/vcal_folder.c claws-mail-extra-plugins-3.9.0/vcalendar-2.0.14/src/vcal_folder.c --- claws-mail-extra-plugins-3.9.0.orig/vcalendar-2.0.14/src/vcal_folder.c 2011-11-16 06:41:53.000000000 +0100 +++ claws-mail-extra-plugins-3.9.0/vcalendar-2.0.14/src/vcal_folder.c 2012-11-17 18:10:24.000000000 +0100 @@ -1609,7 +1609,7 @@ return GINT_TO_POINTER(0); } -gchar *vcal_curl_read(const char *url, gboolean verbose, +gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose, void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error)) { gchar *result; @@ -1618,25 +1618,19 @@ pthread_t pt; pthread_attr_t pta; #endif - gchar *msg; void *res; gboolean killed; gchar *error = NULL; result = NULL; td = g_new0(thread_data, 1); - msg = NULL; res = NULL; killed = FALSE; - + td->url = url; td->result = NULL; td->done = FALSE; - - msg = g_strdup_printf(_("Fetching '%s'..."), url); - - STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg); - - g_free(msg); + + STATUSBAR_PUSH(mainwindow_get_mainwindow(), label); #ifdef USE_PTHREAD if (pthread_attr_init(&pta) != 0 || @@ -1868,7 +1862,8 @@ static void update_subscription(const gchar *uri, gboolean verbose) { FolderItem *item = get_folder_item_for_uri(uri); - + gchar *label; + if (prefs_common_get_prefs()->work_offline) { if (!verbose || !inc_offline_should_override(TRUE, 
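Review bot: The new `label` parameter of `vcal_curl_read` has no comment stating its contract, although that contract is what the fix relies on: it is the text pushed to the status bar in place of the URL. I would add above the definition, and above the prototype in vcal_folder.h, `/* label: status bar text shown during the fetch; must not contain url, which may embed user:password credentials */`. The function body continues outside this hunk.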
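Review bot: Only the status bar message stops using `url` in the `-1618` hunk; `td->url = url` still hands the full URL to the fetch thread, and the callback still receives `url` together with an `error` string. Those paths lie outside the hunk, so any timeout, failure or debug message they format from the URL should be checked for the same credential exposure, for instance by reporting `label` instead. `label` is also pushed without a NULL check, and since `vcal_curl_read` is exported through vcal_folder.h, a fallback such as `label ? label : _("Fetching...")` would keep a later caller from handing NULL to the status bar macro.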
@@ -1882,7 +1877,11 @@ return; } main_window_cursor_wait(mainwindow_get_mainwindow()); - vcal_curl_read(uri, verbose, update_subscription_finish); + + label = g_strdup_printf(_("Fetching calendar for %s..."), + item && item->name ? item->name : _("new subscription")); + vcal_curl_read(uri, label, verbose, update_subscription_finish); + g_free(label); } static void check_subs_cb(GtkAction *action, gpointer data) diff -urN claws-mail-extra-plugins-3.9.0.orig/vcalendar-2.0.14/src/vcal_folder.h claws-mail-extra-plugins-3.9.0/vcalendar-2.0.14/src/vcal_folder.h --- claws-mail-extra-plugins-3.9.0.orig/vcalendar-2.0.14/src/vcal_folder.h 2011-11-16 06:41:53.000000000 +0100 +++ claws-mail-extra-plugins-3.9.0/vcalendar-2.0.14/src/vcal_folder.h 2012-11-17 18:10:24.000000000 +0100 @@ -36,7 +36,7 @@ void vcal_folder_export(Folder *folder); gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass); -gchar *vcal_curl_read(const char *url, gboolean verbose, +gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose, void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error)); gchar* get_item_event_list_for_date(FolderItem *item, EventTime date); diff -urN claws-mail-extra-plugins-3.9.0.orig/vcalendar-2.0.14/src/vcal_meeting_gtk.c claws-mail-extra-plugins-3.9.0/vcalendar-2.0.14/src/vcal_meeting_gtk.c --- claws-mail-extra-plugins-3.9.0.orig/vcalendar-2.0.14/src/vcal_meeting_gtk.c 2011-10-30 22:24:29.000000000 +0100 +++ claws-mail-extra-plugins-3.9.0/vcalendar-2.0.14/src/vcal_meeting_gtk.c 2012-11-17 18:10:24.000000000 +0100 @@ -1085,7 +1085,7 @@ if (!local_only) { remail = g_strdup(email); - g_free(email); + extract_address(remail); if (strrchr(remail, ' ')) user = g_strdup(strrchr(remail, ' ')+1); 
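Review bot: The label built in `update_subscription` shows `item->name` verbatim, and where that name comes from is not visible in this hunk. If a subscription folder can end up named after its URI, for example as a fallback when the feed supplies no calendar name, the credentials would come back to the interface through this label, so that naming path should be checked as part of the fix. A comment at the call site would record the assumption: `/* shown in the status bar: item->name must never carry the subscription URI */`.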
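Review bot: Dropping `g_free(email)` in the `-1085` hunk of vcal_meeting_gtk.c leaves the single `g_free(email)` added in the `-1125` hunk as the only release, and the lines between the two hunks are not shown. Any `continue`, `break` or `return` in that stretch would now leak `email`, and if a path that reaches the new free already releases `email` elsewhere, it becomes a double free; both need confirming against the full function. A short comment at the old site, e.g. `/* email is kept for the status label and freed after the fetch */`, would make the new lifetime explicit.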
@@ -1125,17 +1125,22 @@ && strncmp(tmp, "ftp://", 6)) contents = file_read_to_str(tmp); else { + gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email); if (!strncmp(tmp, "webcal://", 9)) { gchar *tmp2 = g_strdup_printf("http://%s", tmp+9); g_free(tmp); tmp = tmp2; } - contents = vcal_curl_read(tmp, FALSE, NULL); + contents = vcal_curl_read(tmp, label, FALSE, NULL); + g_free(label); } } else { contents = NULL; } + + g_free(email); g_free(tmp); + if (contents == NULL) { uncertain = TRUE; att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed"));