Bug#924616: CVE-2018-15587

Jonas Meurer jonas at freesources.org
Tue Apr 23 14:32:41 BST 2019


Hello,

Tobias Frost <tobi at debian.org> wrote:
> On Thu, 14 Mar 2019 23:18:39 +0100 Moritz Muehlenhoff <jmm at debian.org>
> wrote:
> > Source: evolution
> > Severity: grave
> > Tags: security
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15587:
> >
> > https://bugzilla.gnome.org/show_bug.cgi?id=796424
> >
> https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
>
> https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85
>
> I was triaging into it, but unfortunately cannot solve it...
>
> Summary:
> The second patch seems to be already applied, but the first one seems
> not to be... However, I'm not sure if it does the trick as the specimen
> attached to the forwarded bug still shows up as "verified"...

while working on this issue for Jessie LTS, I prepared a simple NMU
patch to fix the issue in evolution 3.30.5-1 from testing/buster.

Tobias is right that only 9c55a311325f5905d8b8403b96607e46cf343f21 is
missing for evolution, the other relevant commits are already in the
testing/buster version of evolution (3.30.5-1).

It turned out that the upstream commit applies cleanly to 3.30.5-1. I
did some smoke testing and the result was as expected: the security
header with information about encryption/signature of the message moved
above the headers section of the mail.

I opened a merge request[1] on salsa with a patch. I had to merge tag
debian/3.30.5-1 into the debian/buster branch first as it was out of date.
Anybody from the Debian Gnome Team who wants to do the upload? Otherwise
I could as well do the NMU.

Cheers
 jonas

PS: All related commits for evolution-data-server[2] are already in the
Buster version of evolution-data-server.

[1] https://salsa.debian.org/gnome-team/evolution/merge_requests/1
[2] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a296c64b48d12c356804f131048643eaa0a
    https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e2415681565e4dac00cf1c4303c313ad29e
    https://gitlab.gnome.org/GNOME/evolution-data-server/commit/5cd59aee67450e8750eb3cb2d357d0947f199f61
