authorAkinori Hattori <hattya@gentoo.org>2022-06-12 22:33:08 +0900
committerAkinori Hattori <hattya@gentoo.org>2022-06-12 22:33:08 +0900
commitcbdd19788e941b123628f724764bac32d12a728c (patch)
tree2f24d19210633cb6be20a1a02bbc6a37b888a4f0 /mail-client/sylpheed
parentmail-client/sylpheed: prune .la files (diff)
mail-client/sylpheed: fix CVE-2021-37746
Bug: https://bugs.gentoo.org/805338 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Akinori Hattori <hattya@gentoo.org>
Diffstat (limited to 'mail-client/sylpheed')
-rw-r--r--mail-client/sylpheed/files/sylpheed-CVE-2021-37746.patch39
-rw-r--r--mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild69
2 files changed, 108 insertions, 0 deletions
diff --git a/mail-client/sylpheed/files/sylpheed-CVE-2021-37746.patch b/mail-client/sylpheed/files/sylpheed-CVE-2021-37746.patch
new file mode 100644
index 000000000000..47a6f078e824
--- /dev/null
+++ b/mail-client/sylpheed/files/sylpheed-CVE-2021-37746.patch
@@ -0,0 +1,39 @@
+https://src.fedoraproject.org/rpms/sylpheed/blob/rawhide/f/sylpheed-3.7.0-uri-check.patch
+
+From 4d7dfe055673b49391af66f45643bc956799a4ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Mon, 2 Aug 2021 12:04:42 +0200
+Subject: [PATCH] harden link checker before accepting click
+
+http://git.claws-mail.org/?p=claws.git;a=commitdiff_plain;h=ac286a71ed78429e16c612161251b9ea90ccd431;hp=a4a629ce824011f5ae3f0b8cb1117f9608b7f5ad
+
+Resolves: CVE-2021-37746
+---
+ src/textview.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/textview.c b/src/textview.c
+index e55eea9e..6fbb8a1d 100644
+--- a/src/textview.c
++++ b/src/textview.c
+@@ -2689,7 +2689,7 @@ static gboolean textview_uri_security_check(TextView *textview, RemoteURI *uri)
+ gboolean retval = TRUE;
+
+ if (is_uri_string(uri->uri) == FALSE)
+- return TRUE;
++ return FALSE;
+
+ buffer = gtk_text_view_get_buffer(GTK_TEXT_VIEW(textview->text));
+ gtk_text_buffer_get_iter_at_offset(buffer, &start_iter, uri->start);
+@@ -2725,6 +2725,8 @@ static gboolean textview_uri_security_check(TextView *textview, RemoteURI *uri)
+ if (aval == G_ALERTDEFAULT)
+ retval = TRUE;
+ }
++ if (strlen(uri->uri) > get_uri_len(uri->uri))
++ retval = FALSE;
+
+ g_free(visible_str);
+
+--
+2.31.1
+
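Review bot: In the second embedded hunk, the new `if (strlen(uri->uri) > get_uri_len(uri->uri)) retval = FALSE;` sits after the branch that sets `retval = TRUE` on `G_ALERTDEFAULT`, so it can override a confirmation the user appears to have just given, and nothing in the code says why. A one-line comment such as `/* refuse the click when the string extends past what get_uri_len() accepts as the URI */` would record the intent. If the rest of the function allows it, doing this test next to the `is_uri_string()` guard would also avoid prompting for a link that is rejected anyway. The body of textview_uri_security_check continues outside both hunks, so the placement should be confirmed against the full source. Separately, the provenance line at the top points at Fedora's moving `rawhide` branch; the claws commit id quoted in the patch body is the stable reference.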
diff --git a/mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild b/mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild
new file mode 100644
index 000000000000..e305207ab055
--- /dev/null
+++ b/mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+inherit desktop xdg
+
+DESCRIPTION="A lightweight email client and newsreader"
+HOMEPAGE="http://sylpheed.sraoss.jp/"
+SRC_URI="http://${PN}.sraoss.jp/${PN}/v${PV%.*}/${P}.tar.bz2"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+IUSE="crypt ipv6 ldap nls oniguruma spell ssl xface"
+
+CDEPEND="net-libs/liblockfile
+ x11-libs/gtk+:2
+ crypt? ( app-crypt/gpgme:= )
+ ldap? ( net-nds/openldap:= )
+ nls? ( sys-devel/gettext )
+ oniguruma? ( dev-libs/oniguruma:= )
+ spell? (
+ app-text/gtkspell:2
+ dev-libs/dbus-glib
+ )
+ ssl? ( dev-libs/openssl:0= )"
+RDEPEND="${CDEPEND}
+ app-misc/mime-types
+ net-misc/curl"
+DEPEND="${CDEPEND}
+ xface? ( media-libs/compface )"
+BDEPEND="virtual/pkgconfig"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-tls-1.3.patch
+ "${FILESDIR}"/${PN}-CVE-2021-37746.patch
+)
+DOCS="AUTHORS ChangeLog* NEW* PLUGIN* README* TODO*"
+
+src_configure() {
+ local htmldir="${EPREFIX}"/usr/share/doc/${PF}/html
+ econf \
+ $(use_enable crypt gpgme) \
+ $(use_enable ipv6) \
+ $(use_enable ldap) \
+ $(use_enable oniguruma) \
+ $(use_enable spell gtkspell) \
+ $(use_enable ssl) \
+ $(use_enable xface compface) \
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/${PN}/plugins \
+ --with-manualdir="${htmldir}"/manual \
+ --with-faqdir="${htmldir}"/faq \
+ --disable-updatecheck
+}
+
+src_install() {
+ default
+
+ doicon *.png
+ domenu *.desktop
+
+ cd plugin/attachment_tool
+ emake DESTDIR="${D}" install-plugin
+ docinto plugin/attachment_tool
+ dodoc README
+
+ find "${ED}" -name '*.la' -delete || die
+}
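Review bot: `cd plugin/attachment_tool` in src_install has no failure check, unlike the `find ... || die` at the end of the same function. `cd` is a shell builtin and does not abort the phase on its own, so write `cd plugin/attachment_tool || die`. Also, HOMEPAGE and SRC_URI use plain `http://`. The download is presumably still pinned by the package Manifest, which is not part of this commit, but `https://` would be preferable if the upstream host serves it.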