Troy Dawson wrote:
> A patch for the spec file too. :) Thank You. You are making it very easy to
> put in.
Don't mention it ;)
> I had just hoped that this latest errata had the fix in it.
> Have you filed this bug with the upstream vendor too?
Yes, of course:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242957
http://bugzilla.gnome.org/show_bug.cgi?id=444807
> Troy
--Oleg
> Oleg Sadov wrote:
> > Hi, Troy!
> >
> > No, the latest evolution-data-server update is not fix it. Only one new
> > patch (evolution-data-server-1.8.0-apop-auth-vulnerability.patch)
> > included to this one and just fix only APOP authentication security bug.
> >
> > I hope, our patches (attached) will be helpful.
> >
> > --Oleg
> >
> > Troy Dawson wrote:
> >> Hi Oleg,
> >> Did the latest release of the evolution-data-server fix this problem?
> >> Troy
> >>
> >> Troy Dawson wrote:
> >>> Hi Oleg,
> >>> I'm hoping that The Upstream Vendor know's about the problem so that it
> >>> get's fixed upstream. But I definatly like simple one line fixes. If
> >>> it looks like RedHat isn't going to put it in anytime soon, then we'll
> >>> put it in testing for a short time, then into errata.
> >>>
> >>> As for building it. we used the 1.4.8 version of m4. There was several
> >>> rpm's that wouldn't build without it. That isn't the version that we
> >>> shipped, but we thought we had put the src.rpm in our SRPMS/SL area so
> >>> that others could use it.
> >>> After checking we saw that it wasn't there, so Connie just put it up
> >>> there right now.
> >>> ftp://ftp.scientificlinux.org/linux/scientific/5x/SRPMS/SL/m4-1.4.8-1.src.rpm
> >>>
> >>>
> >>> Troy
> >>>
> >>> Oleg Sadov wrote:
> >>>> At Sunday Time we spent a lot of time for testing of desktop environment
> >>>> in a fresh installation from SL50 and was slightly frustrated by
> >>>> crushing of Evolution during startup. In CentOS Evolution started
> >>>> without problems (but it has version 2.8.0-33, not 2.8.0-33.0.1).
> >>>>
> >>>> Further analisys shows dependency of this problem of last evolution-
> >>>> data-server timezone description changes. This bug may be reproduced by
> >>>> setting TZ environment variable, for example:
> >>>>
> >>>> TZ=Europe/Moscow evolution
> >>>>
> >>>> Some of bug-sensitive timezones:
> >>>> Russia -- Europe/Moscow, Europe/Volgograd, Asia/Irkutsk
> >>>> Indonesia -- Asia/Makassar, Asia/Ujung_Pandang
> >>>> Mongolia -- Asia/Ulaanbaatar, Asia/Ulan_Bator
> >>>>
> >>>> After looking to backtrace & source code debugging I found the root of
> >>>> evil -- into the last changes of data-server zoneinfo descriptions
> >>>> (evolution-data-server-1.8.0-updated-zoneinfo.patch) removed TZNAME tags
> >>>> from Australia/Perth.ics and Asia/Jerusalem.ics. As a consequence --
> >>>> NULL pointer for TZ name string references, string comparison with NULL
> >>>> pointers an so on...
> >>>>
> >>>> Because, evolution-data-server is important infrastructure component not
> >>>> only for Evolution, but for some other GNOME components too, I think,
> >>>> this problem must be resolved. Given above, we have three ways for that:
> >>>> 1) quick&dirty -- setting up corresponding UTC-relative TZ (not exactly
> >>>> equivalent) or starting of evolution with --disable-eplugin option
> >>>> 2) orthodox -- downgrading of evolution-data-server package, or setting
> >>>> up TZNAME tags in Australia/Perth and Asia/Jerusalem timezones
> >>>> 3) hackers way -- source patching by single line of code (the patch is
> >>>> attached)
> >>>>
> >>>> Of course, further testing will be helpfull and, may be, escalating this
> >>>> problem to the upstream vendor will be reasonably.
> >>>>
> >>>> Apropos, Connie or/and Troy, which procedure was used for evolution-
> >>>> data-server package building? My rpmbuild on SL50 was finished with some
> >>>> error messages:
> >>>>
> >>>> ==================================================
> >>>> + aclocal
> >>>> configure.in:706: /usr/bin/m4: builtin `mkstemp' requested by frozen
> >>>> file is not supported
> >>>> autom4te: /usr/bin/m4 failed with exit status: 1
> >>>> aclocal: autom4te failed with exit status: 1
> >>>> ==================================================
> >>>>
> >>>> Seems like your package built by previous version of automake tool box.
> >>>> Package was rebuilded on SL50 only after removing `mkstemp' function
> >>>> checking directive in a line 706 of configure.in.
> >>>>
> >>>> --Oleg
> >>>>
> >>>>
> >>>> ------------------------------------------------------------------------
> >>>>
> >>>> ---
> >>>> evolution-data-server-1.8.0/calendar/libical/src/libical/icaltimezone.c.orig
> >>>> 2007-05-25 01:20:43.000000000 +0400
> >>>> +++
> >>>> evolution-data-server-1.8.0/calendar/libical/src/libical/icaltimezone.c
> >>>> 2007-05-25 01:23:01.000000000 +0400
> >>>> @@ -1433,6 +1433,8 @@
> >>>>
> >>>> z_offset = get_offset(zone);
> >>>>
> >>>> + if (zone->tznames == NULL) continue;
> >>>> +
> >>>> if (z_offset == offset && !strcmp(tzname, zone->tznames))
> >>>> return zone;
> >>>> }
> >>>
> >>
> >> --
> >> __________________________________________________
> >> Troy Dawson [log in to unmask] (630)840-6468
> >> Fermilab ComputingDivision/LCSI/CSI DSS Group
> >> __________________________________________________
> >>
> >> ------------------------------------------------------------------------
> >>
> >> --- evolution-data-server-1.8.0/calendar/libical/src/libical/icaltimezone.c.orig 2007-05-25 01:20:43.000000000 +0400
> >> +++ evolution-data-server-1.8.0/calendar/libical/src/libical/icaltimezone.c 2007-05-25 01:23:01.000000000 +0400
> >> @@ -1433,6 +1433,8 @@
> >>
> >> z_offset = get_offset(zone);
> >>
> >> + if (zone->tznames == NULL) continue;
> >> +
> >> if (z_offset == offset && !strcmp(tzname, zone->tznames))
> >> return zone;
> >> }
> >>
> >> ------------------------------------------------------------------------
> >>
> >> --- evolution-data-server.spec 2007-05-01 21:05:48.000000000 +0400
> >> +++ evolution-data-server-1.8.0-15.0.3.1.spec 2007-06-07 13:33:39.000000000 +0400
> >> @@ -25,7 +25,7 @@
> >>
> >> Name: evolution-data-server
> >> Version: 1.8.0
> >> -Release: 15.0.3%{?dist}
> >> +Release: 15.0.3.1%{?dist}
> >> License: LGPL
> >> Group: System Environment/Libraries
> >> Summary: Backend data server for Evolution
> >> @@ -87,6 +87,9 @@
> >> # RH bug #235290 / GNOME bug #424373
> >> Patch28: evolution-data-server-1.8.0-apop-auth-vulnerability.patch
> >>
> >> +# zone->tznames NULL pointer crash fix (ICS decsription without TZNAME tag)
> >> +Patch100: evolution-data-server-1.8.0-fix-timezone-crash.patch
> >> +
> >> ### Dependencies ###
> >>
> >> Requires: GConf2
> >> @@ -184,6 +187,7 @@
> >> %patch26 -p1 -b .emsgport-fix
> >> %patch27 -p1 -b .updated-zoneinfo
> >> %patch28 -p1 -b .apop-auth-vulnerability
> >> +%patch100 -p1 -b .icaltimezone
> >>
> >> mkdir -p krb5-fakeprefix/include
> >> mkdir -p krb5-fakeprefix/lib
> >> @@ -401,6 +405,9 @@
> >> %{_libdir}/pkgconfig/libexchange-storage-%{eds_api_version}.pc
> >>
> >> %changelog
> >> +* Thu May 25 2007 Oleg Sadov <sadov at linux-ink dot ru> - 1.8.0-15.0.3.1.sl5
> >> +- Fixed NULL-pointer tznames crash for timezone ICS VCARDs without TZNAME tag.
> >> +
> >> * Tue May 01 2007 Matthew Barnes <[log in to unmask]> - 1.8.0-15.0.3.el5
> >> - Add patch for RH bug #235289 (APOP authentication vulnerability).
> >>
>
>
|