Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=1f2ba47cf4cb132cbdbedaf089440cc293a286a3
commit 1f2ba47cf4cb132cbdbedaf089440cc293a286a3 Author: Miklos Vajna <vmik...@frugalware.org> Date: Tue Apr 27 13:33:45 2010 +0200 fetchmail-6.3.16-1-i686 - version bump - add CVE-2010-1167.patch diff --git a/source/network/fetchmail/CVE-2010-1167.patch b/source/network/fetchmail/CVE-2010-1167.patch new file mode 100644 index 0000000..404207a --- /dev/null +++ b/source/network/fetchmail/CVE-2010-1167.patch @@ -0,0 +1,340 @@ +From ec06293134b85876f9201d8a52b844c41581b2b3 Mon Sep 17 00:00:00 2001 +From: Matthias Andree <matthias.and...@gmx.de> +Date: Sun, 18 Apr 2010 18:01:38 +0200 +Subject: [PATCH] SECURITY FIX: DoS on EILSEQ in report_*() in -vv and multibyte-locales. + +--- + Makefile.am | 1 + + NEWS | 8 ++ + fetchmail-SA-2010-02.txt | 209 ++++++++++++++++++++++++++++++++++++++++++++++ + rfc822.c | 17 +++-- + uid.c | 22 ++++-- + 5 files changed, 245 insertions(+), 12 deletions(-) + create mode 100644 fetchmail-SA-2010-02.txt + +diff --git a/Makefile.am b/Makefile.am +index 900ea59..de4e446 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -126,6 +126,7 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \ + fetchmail-features.html README.SSL README.NTLM \ + README.packaging README.SSL-SERVER \ + fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \ ++ fetchmail-SA-2010-02.txt \ + fetchmail-SA-2010-01.txt \ + fetchmail-SA-2009-01.txt \ + fetchmail-SA-2008-01.txt \ +diff --git a/fetchmail-SA-2010-02.txt b/fetchmail-SA-2010-02.txt +new file mode 100644 +index 0000000..3e2e33b +--- /dev/null ++++ b/fetchmail-SA-2010-02.txt +@@ -0,0 +1,209 @@ ++- DRAFT - XXX - DRAFT - ++ ++fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales ++ ++Topics: Denial of service in debug output. ++ ++Author: Matthias Andree ++Version: 0.1 XXX ++Announced: XXX ++Type: malloc() Buffer overrun with printable characters ++Impact: Denial of service. ++Danger: low ++ ++CVE Name: CVE-2010-XXXX ++CVSSv2: XXX ++URL: http://www.fetchmail.info/fetchmail-SA-2010-02.txt ++Project URL: http://www.fetchmail.info/ ++ ++Affects: fetchmail releases 4.6.3 up to and including 6.3.16 ++ ++Not affected: fetchmail release 6.3.17 and newer ++ ++Corrected: 2010-04-18 Git (XXX) ++ ++ ++0. Release history ++================== ++ ++2010-04-18 0.1 first draft (visible in SVN and through oss-security) ++XXX ++ ++ ++1. Background ++============= ++ ++fetchmail is a software package to retrieve mail from remote POP2, POP3, ++IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or ++message delivery agents. It supports SSL and TLS security layers through ++the OpenSSL library, if enabled at compile time and if also enabled at ++run time. ++ ++ ++2. Problem description and Impact ++================================= ++ ++In debug mode (-v -v), fetchmail prints information that was obtained from the ++upstream server (POP3 UIDL lists) or from message headers retrieved from it. ++ If printing such information fails, for instance because there are invalid ++multibyte character sequences in this information (message headers), fetchmail ++will misinterpret this condition, and believe that the buffer was too small, ++and reallocate a bigger one (with linearly increasing buffer size), and repeat, ++until the allocation fails. At that point, fetchmail will abort. ++ ++Note that the "Affects:" line above may be inaccurate, and it may be that ++versions before 5.6.6 are actually unaffected. The author was unable to ++compile such old fetchmail versions to verify the existence of the bug. ++ Given that other security issues are present in such versions, those should ++not be used, and the wider version range was listed as vulnerable to err ++towards the safe. ++ ++ ++3. Solution ++=========== ++ ++There are two alternatives, either of them by itself is sufficient: ++ ++a. Apply the patch found in section B of this announcement to ++ fetchmail 6.3.14 or newer, recompile and reinstall it. ++ ++b. Install fetchmail 6.3.17 or newer after it will have become available. ++ The fetchmail source code is always available from ++ <http://developer.berlios.de/project/showfiles.php?group_id=1824>. ++ ++ ++4. Workaround ++============= ++ ++Run fetchmail with at most one -v (--verbose) option. ++ ++ ++A. Copyright, License and Warranty ++================================== ++ ++(C) Copyright 2010 by Matthias Andree, <matthias.and...@gmx.de>. ++Some rights reserved. ++ ++This work is licensed under the Creative Commons ++Attribution-Noncommercial-No Derivative Works 3.0 Germany License. ++To view a copy of this license, visit ++http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to ++ ++Creative Commons ++171 Second Street ++Suite 300 ++SAN FRANCISCO, CALIFORNIA 94105 ++USA ++ ++ ++THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. ++Use the information herein at your own risk. ++ ++ ++B. Patch to remedy the problem ++============================== ++ ++Note that when taking this from a GnuPG clearsigned file, the lines ++starting with a "-" character are prefixed by another "- " (dash + ++blank) combination. Either feed this file through GnuPG to strip them, ++or strip them manually. You may want to use the "-p1" flag to patch. ++ ++Whitespace differences can usually be ignored by invoking "patch -l", ++so try this if the patch does not apply. ++ ++diff --git a/rfc822.c b/rfc822.c ++index 6f2dbf3..dbcda32 100644 ++--- a/rfc822.c +++++ b/rfc822.c ++@@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator. ++ #include <stdlib.h> ++ ++ #include "fetchmail.h" +++#include "sdump.h" ++ ++ #ifndef MAIN ++ #include "i18n.h" ++@@ -74,9 +75,10 @@ char *reply_hack( ++ } ++ ++ #ifndef MAIN ++- if (outlevel >= O_DEBUG) ++- report_build(stdout, GT_("About to rewrite %.*s...\n"), ++- (int)BEFORE_EOL(buf), buf); +++ if (outlevel >= O_DEBUG) { +++ report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf)))); +++ xfree(cp); +++ } ++ ++ /* make room to hack the address; buf must be malloced */ ++ for (cp = buf; *cp; cp++) ++@@ -211,9 +213,12 @@ char *reply_hack( ++ } ++ ++ #ifndef MAIN ++- if (outlevel >= O_DEBUG) ++- report_complete(stdout, GT_("...rewritten version is %.*s.\n"), ++- (int)BEFORE_EOL(buf), buf); +++ if (outlevel >= O_DEBUG) { +++ report_complete(stdout, GT_("...rewritten version is %s.\n"), +++ (cp = sdump(buf, BEFORE_EOL(buf)))); +++ xfree(cp) +++ } +++ ++ #endif /* MAIN */ ++ *length = strlen(buf); ++ return(buf); ++diff --git a/uid.c b/uid.c ++index fdc6f5d..d813bee 100644 ++--- a/uid.c +++++ b/uid.c ++@@ -20,6 +20,7 @@ ++ ++ #include "fetchmail.h" ++ #include "i18n.h" +++#include "sdump.h" ++ ++ /* ++ * Machinery for handling UID lists live here. This is mainly to support ++@@ -260,8 +261,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile) ++ if (uidlcount) ++ { ++ report_build(stdout, GT_("Scratch list of UIDs:")); ++- for (idp = scratchlist; idp; idp = idp->next) ++- report_build(stdout, " %s", idp->id); +++ for (idp = scratchlist; idp; idp = idp->next) { +++ char *t = sdump(idp->id, strlen(idp->id)); +++ report_build(stdout, " %s", t); +++ free(t); +++ } ++ if (!idp) ++ report_build(stdout, GT_(" <empty>")); ++ report_complete(stdout, "\n"); ++@@ -517,8 +521,11 @@ void uid_swap_lists(struct query *ctl) ++ report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname); ++ else ++ report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname); ++- for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) ++- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark); +++ for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) { +++ char *t = sdump(idp->id, strlen(idp->id)); +++ report_build(stdout, " %s = %d", t, idp->val.status.mark); +++ free(t); +++ } ++ if (!idp) ++ report_build(stdout, GT_(" <empty>")); ++ report_complete(stdout, "\n"); ++@@ -567,8 +574,11 @@ void uid_discard_new_list(struct query *ctl) ++ /* this is now a merged list! the mails which were seen in this ++ * poll are marked here. */ ++ report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname); ++- for (idp = ctl->oldsaved; idp; idp = idp->next) ++- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark); +++ for (idp = ctl->oldsaved; idp; idp = idp->next) { +++ char *t = sdump(idp->id, strlen(idp->id)); +++ report_build(stdout, " %s = %d", t, idp->val.status.mark); +++ free(t); +++ } ++ if (!idp) ++ report_build(stdout, GT_(" <empty>")); ++ report_complete(stdout, "\n"); +diff --git a/rfc822.c b/rfc822.c +index 6f2dbf3..dbcda32 100644 +--- a/rfc822.c ++++ b/rfc822.c +@@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator. + #include <stdlib.h> + + #include "fetchmail.h" ++#include "sdump.h" + + #ifndef MAIN + #include "i18n.h" +@@ -74,9 +75,10 @@ char *reply_hack( + } + + #ifndef MAIN +- if (outlevel >= O_DEBUG) +- report_build(stdout, GT_("About to rewrite %.*s...\n"), +- (int)BEFORE_EOL(buf), buf); ++ if (outlevel >= O_DEBUG) { ++ report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf)))); ++ xfree(cp); ++ } + + /* make room to hack the address; buf must be malloced */ + for (cp = buf; *cp; cp++) +@@ -211,9 +213,12 @@ char *reply_hack( + } + + #ifndef MAIN +- if (outlevel >= O_DEBUG) +- report_complete(stdout, GT_("...rewritten version is %.*s.\n"), +- (int)BEFORE_EOL(buf), buf); ++ if (outlevel >= O_DEBUG) { ++ report_complete(stdout, GT_("...rewritten version is %s.\n"), ++ (cp = sdump(buf, BEFORE_EOL(buf)))); ++ xfree(cp) ++ } ++ + #endif /* MAIN */ + *length = strlen(buf); + return(buf); +diff --git a/uid.c b/uid.c +index fdc6f5d..d813bee 100644 +--- a/uid.c ++++ b/uid.c +@@ -20,6 +20,7 @@ + + #include "fetchmail.h" + #include "i18n.h" ++#include "sdump.h" + + /* + * Machinery for handling UID lists live here. This is mainly to support +@@ -260,8 +261,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile) + if (uidlcount) + { + report_build(stdout, GT_("Scratch list of UIDs:")); +- for (idp = scratchlist; idp; idp = idp->next) +- report_build(stdout, " %s", idp->id); ++ for (idp = scratchlist; idp; idp = idp->next) { ++ char *t = sdump(idp->id, strlen(idp->id)); ++ report_build(stdout, " %s", t); ++ free(t); ++ } + if (!idp) + report_build(stdout, GT_(" <empty>")); + report_complete(stdout, "\n"); +@@ -517,8 +521,11 @@ void uid_swap_lists(struct query *ctl) + report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname); + else + report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname); +- for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) +- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark); ++ for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) { ++ char *t = sdump(idp->id, strlen(idp->id)); ++ report_build(stdout, " %s = %d", t, idp->val.status.mark); ++ free(t); ++ } + if (!idp) + report_build(stdout, GT_(" <empty>")); + report_complete(stdout, "\n"); +@@ -567,8 +574,11 @@ void uid_discard_new_list(struct query *ctl) + /* this is now a merged list! the mails which were seen in this + * poll are marked here. */ + report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname); +- for (idp = ctl->oldsaved; idp; idp = idp->next) +- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark); ++ for (idp = ctl->oldsaved; idp; idp = idp->next) { ++ char *t = sdump(idp->id, strlen(idp->id)); ++ report_build(stdout, " %s = %d", t, idp->val.status.mark); ++ free(t); ++ } + if (!idp) + report_build(stdout, GT_(" <empty>")); + report_complete(stdout, "\n"); +-- +1.6.1 + diff --git a/source/network/fetchmail/FrugalBuild b/source/network/fetchmail/FrugalBuild index b0f2c28..39a8f98 100644 --- a/source/network/fetchmail/FrugalBuild +++ b/source/network/fetchmail/FrugalBuild @@ -2,7 +2,7 @@ # Maintainer: Janos Kovacs <ja...@frugalware.org> pkgname=fetchmail -pkgver=6.3.13 +pkgver=6.3.16 pkgrel=1 pkgdesc="A remote-mail retrieval and forwarding utility." _F_berlios_ext=".tar.bz2" @@ -11,7 +11,9 @@ url="http://catb.org/~esr/fetchmail/"; depends=('openssl') groups=('network') archs=('i686' 'x86_64') -sha1sums=('930cf3aae54108572b1c695c75dd14cf865f5d16') +source=($source CVE-2010-1167.patch) +sha1sums=('76e396b2469f9696b66a99fa397cf468652d239e' \ + '261c6d40b24dad57260e22d119c7e6c91ab9d797') confpkg=fetchmailconf subpkgs=('fetchmailconf') _______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git
