diff options
-rw-r--r-- | NEWS | 24 | ||||
-rw-r--r-- | bindings/python/notmuch/version.py | 2 | ||||
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | emacs/notmuch-mua.el | 7 | ||||
-rwxr-xr-x | test/emacs | 20 | ||||
-rw-r--r-- | version | 2 |
6 files changed, 60 insertions, 3 deletions
@@ -56,6 +56,30 @@ Compatibility with GMime 2.6 However, a bug in current GMime 2.6 causes notmuch not to report signatures where the signer key is unavailable (GNOME bug 668085). +Notmuch 0.11.1 (2012-02-03) +=========================== + +Bug-fix release. +---------------- + +Fix error handling in python bindings. + + The python bindings in 0.11 failed to detect NULL pointers being + returned from libnotmuch functions and thus failed to raise + exceptions to indicate the error condition. Any subsequent calls + into libnotmuch caused segmentation faults. + +Quote MML tags in replies + + MML tags are text codes that Emacs uses to indicate attachments + (among other things) in messages being composed. The Emacs + interface did not quote MML tags in the quoted text of a reply. + User could be tricked into replying to a maliciously formatted + message and not editing out the MML tags from the quoted text. This + could lead to files from the user's machine being attached to the + outgoing message. The Emacs interface now quotes these tags in + reply text, so that they do not effect outgoing messages. + Notmuch 0.11 (2012-01-13) ========================= diff --git a/bindings/python/notmuch/version.py b/bindings/python/notmuch/version.py index 59c396fe..ed40e7f8 100644 --- a/bindings/python/notmuch/version.py +++ b/bindings/python/notmuch/version.py @@ -1,2 +1,2 @@ # this file should be kept in sync with ../../../version -__VERSION__ = '0.11' +__VERSION__ = '0.11.1' diff --git a/debian/changelog b/debian/changelog index 26fff874..fad531ad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +notmuch (0.11.1-1) unstable; urgency=low + + * Upstream bugfix release + - Fix error handling bug in python bindings + - Fix vulnerability in emacs reply handling + + -- David Bremner <bremner@debian.org> Fri, 03 Feb 2012 08:35:41 -0400 + notmuch (0.11-1) unstable; urgency=low * New upstream release. diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el index 023645e3..c07b67ba 100644 --- a/emacs/notmuch-mua.el +++ b/emacs/notmuch-mua.el @@ -116,7 +116,12 @@ list." (push-mark)) (set-buffer-modified-p nil) - (message-goto-body)) + (message-goto-body) + ;; Original message may contain (malicious) MML tags. We must + ;; properly quote them in the reply. Note that using `point-max' + ;; instead of `mark' here is wrong. The buffer may include user's + ;; signature which should not be MML-quoted. + (mml-quote-region (point) (point-max))) (defun notmuch-mua-forward-message () (message-forward) @@ -273,6 +273,26 @@ On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> w EOF test_expect_equal_file OUTPUT EXPECTED +test_begin_subtest "Quote MML tags in reply" +message_id='test-emacs-mml-quoting@message.id' +add_message [id]="$message_id" \ + "[subject]='$test_subtest_name'" \ + '[body]="<#part disposition=inline>"' +test_emacs "(notmuch-show \"id:$message_id\") + (notmuch-show-reply) + (test-output)" +cat <<EOF >EXPECTED +From: Notmuch Test Suite <test_suite@notmuchmail.org> +To: +Subject: Re: Quote MML tags in reply +In-Reply-To: <test-emacs-mml-quoting@message.id> +Fcc: ${MAIL_DIR}/sent +--text follows this line-- +On Tue, 05 Jan 2001 15:43:57 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote: +> <#!part disposition=inline> +EOF +test_expect_equal_file OUTPUT EXPECTED + test_begin_subtest "Save attachment from within emacs using notmuch-show-save-attachments" # save as archive to test that Emacs does not re-compress .gz test_emacs '(let ((standard-input "\"attachment1.gz\"")) @@ -1 +1 @@ -0.11 +0.11.1 |