diff -u sylpheed-claws-gtk2-2.1.1/debian/patches/00list sylpheed-claws-gtk2-2.1.1/debian/patches/00list
--- sylpheed-claws-gtk2-2.1.1/debian/patches/00list
+++ sylpheed-claws-gtk2-2.1.1/debian/patches/00list
@@ -3,0 +4 @@
+12security_2.10.0cvs153.dpatch
diff -u sylpheed-claws-gtk2-2.1.1/debian/changelog sylpheed-claws-gtk2-2.1.1/debian/changelog
--- sylpheed-claws-gtk2-2.1.1/debian/changelog
+++ sylpheed-claws-gtk2-2.1.1/debian/changelog
@@ -1,3 +1,15 @@
+sylpheed-claws-gtk2 (2.1.1-1ubuntu1.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE: a format string error could lead to arbitrary
+ code execution.
+ * Add 'debian/patches/12security_2.10.0cvs153.dpatch': add format string to
+ alertpanel_error_log() call. Patch from upstream CVS. (Fixes LP: #136302)
+ * References
+ http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153&view=src/inc.c
+ CVE-2007-2958
+
+ -- Cesare Tirabassi Thu, 06 Sep 2007 18:09:23 +0200
+
 sylpheed-claws-gtk2 (2.1.1-1ubuntu1) dapper; urgency=low
 
 * Fixes FTBS
only in patch2:
unchanged:
--- sylpheed-claws-gtk2-2.1.1.orig/debian/patches/12security_2.10.0cvs153.dpatch
+++ sylpheed-claws-gtk2-2.1.1/debian/patches/12security_2.10.0cvs153.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 12security_2.10.0cvs153.dpatch by Cesare Tirabassi
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: SECURITY UPDATE: a format string error could lead to arbitrary
+## DP: code execution.
+## DP: http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153&view=src/inc.c
+
+@DPATCH@
+diff -urNad sylpheed-claws-gtk2-2.1.1~/src/inc.c sylpheed-claws-gtk2-2.1.1/src/inc.c
+--- sylpheed-claws-gtk2-2.1.1~/src/inc.c 2006-04-17 07:21:01.000000000 +0200
++++ sylpheed-claws-gtk2-2.1.1/src/inc.c 2007-09-06 18:07:37.000000000 +0200
+@@ -1178,7 +1178,7 @@
+ log_warning("%s\n", log_msg);
+ }
+ if (err_msg) {
+- alertpanel_error_log(err_msg);
++ alertpanel_error_log("%s", err_msg);
+ g_free(err_msg);
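Review bot: The embedded src/inc.c hunk fixes only the one `alertpanel_error_log(err_msg)` call, and nothing in the patch stops another caller from passing a non-literal string as the format argument. If the declaration (not visible here) does not already carry it, adding GLib's `G_GNUC_PRINTF(1, 2)` to the `alertpanel_error_log()` prototype and building with `-Wformat -Wformat-security` would make the compiler flag any remaining or future call of this shape. Separately, the embedded header `@@ -1178,7 +1178,7 @@` declares seven lines per side, but only five are visible on each side after `g_free(err_msg);`, so it is worth confirming that the dpatch applies cleanly during the package build. The enclosing function starts and ends outside the hunk, so where `err_msg` is built cannot be checked from this page.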