From 62eed9ab29ab21b9e89a5519f85b6216e646d32c Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Wed, 19 Aug 2020 14:29:23 +0200
Subject: [PATCH] claws-mail: patch mailto handling

The "Mailto: Me Your Secrets"[0] paper describes vulnerabilities in multiple email clients regarding the undocumented "attach" field of a mailto URI. This might allow the inclusion of sensitive data in an outgoing email. Pull request #95758 addresses this issue on a more general level. Claws Mail unfortunately also has problems with mailto URIs[1][2]. Referring to the paper, problems for "attach" and "insert" were found and fixed. These patches, which are not included in a release yet, are hereby added.
[0]:https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf
[1]:https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4373
[2]:https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4374
---
 .../networking/mailreaders/claws-mail/default.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkgs/applications/networking/mailreaders/claws-mail/default.nix b/pkgs/applications/networking/mailreaders/claws-mail/default.nix
index a000cad4708..08acda3adb7 100644
--- a/pkgs/applications/networking/mailreaders/claws-mail/default.nix
+++ b/pkgs/applications/networking/mailreaders/claws-mail/default.nix
@@ -1,4 +1,4 @@
-{ config, fetchurl, stdenv, wrapGAppsHook, autoreconfHook
+{ config, fetchurl, fetchpatch, stdenv, wrapGAppsHook, autoreconfHook
 , curl, dbus, dbus-glib, enchant, gtk2, gnutls, gnupg, gpgme
 , libarchive, libcanberra-gtk2, libetpan, libnotify, libsoup, libxml2, networkmanager
 , openldap, perl, pkgconfig, poppler, python, shared-mime-info
@@ -39,7 +39,17 @@ stdenv.mkDerivation rec {
 
 outputs = [ "out" "dev" ];
 
- patches = [ ./mime.patch ];
+ patches = [
+ ./mime.patch
+
+ # Backports a mitigation to the "mailto vulnerability". This patch is
+ # included in the next release and must therefore be removed.
+ (fetchpatch {
+ name = "fix-4373-4374.patch";
+ url = "https://git.claws-mail.org/?p=claws.git;a=patch;h=4c9d15b4b37cdc57edfa16df550a0a881a156153";
+ sha256 = "0sp0vxr6pk2fv5ydpcakb50rmn2w2nma98apgfsgcgan82qmwk7n";
+ })
+ ];
 
 preConfigure = ''
 # autotools check tries to dlopen libpython as a requirement for the python plugin
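Review bot: The comment above the new `fetchpatch` entry says the backport "must therefore be removed" but gives no checkable condition: it names neither the upstream commit nor the bugs it fixes, so whoever does the next version bump has nothing to verify against. The fetched patch itself is already pinned by the upstream commit hash in the URL and by `sha256`, so only the comment needs tightening; I would replace the two comment lines with `# Backports upstream commit 4c9d15b4b37cdc57edfa16df550a0a881a156153, fixing claws-mail bugs 4373 and 4374 (mailto "attach"/"insert" handling).` followed by `# Drop this patch once the packaged version contains that commit.`. The derivation's `version` attribute lies outside the hunk, so whether the patch still applies after an upgrade cannot be judged here.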