authorAlvar Penning <post@0x21.biz>2020-08-19 14:29:23 +0200
committerAlvar Penning <post@0x21.biz>2020-09-10 10:12:23 +0200
commit62eed9ab29ab21b9e89a5519f85b6216e646d32c (patch)
treef74ebe2ecb90f0999cdaba632246738810fbf8f8 /pkgs/applications/networking/mailreaders
parent303e0bca3b6a35a6d7843f0e68d20af40a34e890 (diff)
claws-mail: patch mailto handling
The "Mailto: Me Your Secrets"[0] paper describes vulnerabilities in
multiple email clients regarding the undocumented "attach" field of a
mailto URI. This might allow the inclusion of sensitive data in an
outgoing email.

Pull request #95758 addresses this issue on a more general level.

Claws Mail unfortunately also has problems with mailto URIs[1][2].
Referring to the paper, problems with "attach" and "insert" were found
and fixed. These patches, which are not yet part of a release, are
added here.

[0]:https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf
[1]:https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4373
[2]:https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4374
Diffstat (limited to 'pkgs/applications/networking/mailreaders')
-rw-r--r--pkgs/applications/networking/mailreaders/claws-mail/default.nix14
1 files changed, 12 insertions, 2 deletions
diff --git a/pkgs/applications/networking/mailreaders/claws-mail/default.nix b/pkgs/applications/networking/mailreaders/claws-mail/default.nix
index a000cad4708c5..08acda3adb7b9 100644
--- a/pkgs/applications/networking/mailreaders/claws-mail/default.nix
+++ b/pkgs/applications/networking/mailreaders/claws-mail/default.nix
@@ -1,4 +1,4 @@
-{ config, fetchurl, stdenv, wrapGAppsHook, autoreconfHook
+{ config, fetchurl, fetchpatch, stdenv, wrapGAppsHook, autoreconfHook
 , curl, dbus, dbus-glib, enchant, gtk2, gnutls, gnupg, gpgme
 , libarchive, libcanberra-gtk2, libetpan, libnotify, libsoup, libxml2, networkmanager
 , openldap, perl, pkgconfig, poppler, python, shared-mime-info
@@ -39,7 +39,17 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "dev" ];
 
-  patches = [ ./mime.patch ];
+  patches = [
+    ./mime.patch
+
+    # Backports a mitigation to the "mailto vulnerability". This patch is
+    # included in the next release and must therefore be removed.
+    (fetchpatch {
+      name = "fix-4373-4374.patch";
+      url = "https://git.claws-mail.org/?p=claws.git;a=patch;h=4c9d15b4b37cdc57edfa16df550a0a881a156153";
+      sha256 = "0sp0vxr6pk2fv5ydpcakb50rmn2w2nma98apgfsgcgan82qmwk7n";
+    })
+  ];
 
   preConfigure = ''
     # autotools check tries to dlopen libpython as a requirement for the python plugin
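Review bot: The comment above the fetchpatch says the patch "must therefore be removed" but does not say what it fixes or when it becomes obsolete, so the next person bumping the version has to re-derive that from the commit log. The name `fix-4373-4374.patch` and the upstream commit hash in the URL carry that information; putting it in the comment makes the removal condition checkable at update time, e.g. `# Backports the upstream fix for Claws Mail bugs 4373 and 4374 (mailto "attach"/"insert" handling, commit 4c9d15b4). Drop this patch once the packaged release contains that commit.` The enclosing `stdenv.mkDerivation rec { … }` starts and ends outside this hunk.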