From: David Bremner Date: Sat, 4 Feb 2012 17:01:46 +0000 (-0500) Subject: Merge commit '0.11.1' X-Git-Tag: debian/0.12_rc1-1~120 X-Git-Url: https://git.notmuchmail.org/git?p=notmuch;a=commitdiff_plain;h=d43f6c00b351424e903c2f2b71c34bc5902b467e;hp=8281430558c1b2eafc847620cd84f5ce40bf6741 Merge commit '0.11.1' Conflicts: NEWS bindings/python/notmuch/database.py bindings/python/notmuch/message.py notmuch.1 NEWS merged by hand, others taken from master. --- diff --git a/NEWS b/NEWS index 2acdce56..5c5b6458 100644 --- a/NEWS +++ b/NEWS @@ -56,6 +56,30 @@ Compatibility with GMime 2.6 However, a bug in current GMime 2.6 causes notmuch not to report signatures where the signer key is unavailable (GNOME bug 668085). +Notmuch 0.11.1 (2012-02-03) +=========================== + +Bug-fix release. +---------------- + +Fix error handling in python bindings. + + The python bindings in 0.11 failed to detect NULL pointers being + returned from libnotmuch functions and thus failed to raise + exceptions to indicate the error condition. Any subsequent calls + into libnotmuch caused segmentation faults. + +Quote MML tags in replies + + MML tags are text codes that Emacs uses to indicate attachments + (among other things) in messages being composed. The Emacs + interface did not quote MML tags in the quoted text of a reply. + User could be tricked into replying to a maliciously formatted + message and not editing out the MML tags from the quoted text. This + could lead to files from the user's machine being attached to the + outgoing message. The Emacs interface now quotes these tags in + reply text, so that they do not effect outgoing messages. + Notmuch 0.11 (2012-01-13) ========================= diff --git a/bindings/python/notmuch/version.py b/bindings/python/notmuch/version.py index 59c396fe..ed40e7f8 100644 --- a/bindings/python/notmuch/version.py +++ b/bindings/python/notmuch/version.py @@ -1,2 +1,2 @@ # this file should be kept in sync with ../../../version -__VERSION__ = '0.11' +__VERSION__ = '0.11.1' diff --git a/debian/changelog b/debian/changelog index 26fff874..fad531ad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +notmuch (0.11.1-1) unstable; urgency=low + + * Upstream bugfix release + - Fix error handling bug in python bindings + - Fix vulnerability in emacs reply handling + + -- David Bremner Fri, 03 Feb 2012 08:35:41 -0400 + notmuch (0.11-1) unstable; urgency=low * New upstream release. diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el index 023645e3..c07b67ba 100644 --- a/emacs/notmuch-mua.el +++ b/emacs/notmuch-mua.el @@ -116,7 +116,12 @@ list." (push-mark)) (set-buffer-modified-p nil) - (message-goto-body)) + (message-goto-body) + ;; Original message may contain (malicious) MML tags. We must + ;; properly quote them in the reply. Note that using `point-max' + ;; instead of `mark' here is wrong. The buffer may include user's + ;; signature which should not be MML-quoted. + (mml-quote-region (point) (point-max))) (defun notmuch-mua-forward-message () (message-forward) diff --git a/test/emacs b/test/emacs index 8ca4c8a5..f4a5c816 100755 --- a/test/emacs +++ b/test/emacs @@ -273,6 +273,26 @@ On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite w EOF test_expect_equal_file OUTPUT EXPECTED +test_begin_subtest "Quote MML tags in reply" +message_id='test-emacs-mml-quoting@message.id' +add_message [id]="$message_id" \ + "[subject]='$test_subtest_name'" \ + '[body]="<#part disposition=inline>"' +test_emacs "(notmuch-show \"id:$message_id\") + (notmuch-show-reply) + (test-output)" +cat <EXPECTED +From: Notmuch Test Suite +To: +Subject: Re: Quote MML tags in reply +In-Reply-To: +Fcc: ${MAIL_DIR}/sent +--text follows this line-- +On Tue, 05 Jan 2001 15:43:57 -0000, Notmuch Test Suite wrote: +> <#!part disposition=inline> +EOF +test_expect_equal_file OUTPUT EXPECTED + test_begin_subtest "Save attachment from within emacs using notmuch-show-save-attachments" # save as archive to test that Emacs does not re-compress .gz test_emacs '(let ((standard-input "\"attachment1.gz\"")) diff --git a/version b/version index 51176c7c..af88ba82 100644 --- a/version +++ b/version @@ -1 +1 @@ -0.11 +0.11.1