
[pkgsrc/trunk]: pkgsrc/mail/fetchmail Include patch for fetchmail 6.2.5.2 bec...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/dafe40d28057
branches:  trunk
changeset: 497217:dafe40d28057
user:      frueauf <frueauf%pkgsrc.org@localhost>
date:      Fri Jul 22 14:27:52 2005 +0000

description:
Include patch for fetchmail 6.2.5.2 because of CAN-2005-2335.
For more details have a look at
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt

Changes listed within the NEWS file since 6.2.5:

fetchmail-6.2.5.2 (Fri Jul 22 01:52 GMT 2005):

* NOTE: Due to a Makefile.in bug, you may need to use GNU make.
* SECURITY FIX: truncate UIDL replies, lest malicious or compromised
  POP3 servers overflow fetchmail's stack. Debian bug #212762.
  This is a remote root exploit. CVE Name: CAN-2005-2335.
  Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
  Thanks: Ludwig Nussel for a much simpler fix.
* Critical fix: omit blank between MAIL FROM: and <user%example.org@localhost>,
  as this causes mail loss with some listeners.
* Fix: POP2 driver wouldn't properly check authentication failure.
* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.

diffstat:

 mail/fetchmail/Makefile         |    4 +-
 mail/fetchmail/distinfo         |    3 +-
 mail/fetchmail/patches/patch-ag |  184 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 188 insertions(+), 3 deletions(-)

diffs (215 lines):

diff -r 45b275546d0a -r dafe40d28057 mail/fetchmail/Makefile
--- a/mail/fetchmail/Makefile   Fri Jul 22 14:12:22 2005 +0000
+++ b/mail/fetchmail/Makefile   Fri Jul 22 14:27:52 2005 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.152 2005/05/22 21:04:41 jlam Exp $
+# $NetBSD: Makefile,v 1.153 2005/07/22 14:27:52 frueauf Exp $
 
 DISTNAME=      fetchmail-6.2.5
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    mail
 MASTER_SITES=  http://www.catb.org/~esr/fetchmail/ \
                http://sunsite.unc.edu/pub/Linux/system/mail/pop/
diff -r 45b275546d0a -r dafe40d28057 mail/fetchmail/distinfo
--- a/mail/fetchmail/distinfo   Fri Jul 22 14:12:22 2005 +0000
+++ b/mail/fetchmail/distinfo   Fri Jul 22 14:27:52 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2005/04/21 11:13:18 frueauf Exp $
+$NetBSD: distinfo,v 1.31 2005/07/22 14:27:52 frueauf Exp $
 
 SHA1 (fetchmail-6.2.5.tar.gz) = 4656ec4393ccd1c137fe7b331f77cb26b576ac0e
 RMD160 (fetchmail-6.2.5.tar.gz) = e32b91a959d0e80c4bd45a8758811cbe95a98180
@@ -9,3 +9,4 @@
 SHA1 (patch-ad) = b6bffc59f28992fa0d3de0f9dad250c73bbeffc6
 SHA1 (patch-ae) = 3acbacee78ab2084a615b0c02b7f83e563bfc7ac
 SHA1 (patch-af) = 06e7b84566b0d3ed50b56f88baf23f15ae21eb21
+SHA1 (patch-ag) = e27a4769dc804bec71b449bed7ff318d15ae8bdf
diff -r 45b275546d0a -r dafe40d28057 mail/fetchmail/patches/patch-ag
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/fetchmail/patches/patch-ag   Fri Jul 22 14:27:52 2005 +0000
@@ -0,0 +1,184 @@
+$NetBSD: patch-ag,v 1.3 2005/07/22 14:27:53 frueauf Exp $
+
+This patch originates from
+http://download.berlios.de/fetchmail/fetchmail-patch-6.2.5.2.gz
+
+and upgrades fetchmail 6.2.5 to 6.2.5.2, which among other stuff fixes
+CAN-2005-2355: buffer overflow in "fetchmail".
+
+*** Makefile.in        Wed Oct 15 22:38:18 2003
+--- Makefile.in        Fri Jul 22 01:55:44 2005
+***************
+*** 4,10 ****
+  # So just uncomment all the lines marked QNX.
+  
+  PACKAGE = fetchmail
+! VERSION = 6.2.5
+  
+  # Ultrix 2.2 make doesn't expand the value of VPATH.
+  srcdir = @srcdir@
+--- 4,10 ----
+  # So just uncomment all the lines marked QNX.
+  
+  PACKAGE = fetchmail
+! VERSION = 6.2.5.2
+  
+  # Ultrix 2.2 make doesn't expand the value of VPATH.
+  srcdir = @srcdir@
+*** NEWS       Wed Oct 15 22:40:17 2003
+--- NEWS       Fri Jul 22 01:52:16 2005
+***************
+*** 2,7 ****
+--- 2,20 ----
+  
+  (The `lines' figures total .c, .h, .l, and .y files under version control.)
+  
++ fetchmail-6.2.5.2 (Fri Jul 22 01:52 GMT 2005):
++ 
++ * NOTE: Due to a Makefile.in bug, you may need to use GNU make.
++ * SECURITY FIX: truncate UIDL replies, lest malicious or compromised
++   POP3 servers overflow fetchmail's stack. Debian bug #212762.
++   This is a remote root exploit. CVE Name: CAN-2005-2335.
++   Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
++   Thanks: Ludwig Nussel for a much simpler fix.
++ * Critical fix: omit blank between MAIL FROM: and <user%example.org@localhost>,
++   as this causes mail loss with some listeners.
++ * Fix: POP2 driver wouldn't properly check authentication failure.
++ * Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
++ 
+  fetchmail-6.2.5 (Wed Oct 15 18:39:22 EDT 2003), 23079 lines:
+  
+  * Updated Spanish, Turkish, and German translation files.
+*** driver.c   Wed Oct 15 19:22:31 2003
+--- driver.c   Fri Jul 22 01:49:49 2005
+***************
+*** 429,436 ****
+       /* for POP3, we can get the size of one mail only! Unfortunately, this
+        * protocol specific test cannot be done elsewhere as the protocol
+        * could be "auto". */
+!      if (ctl->server.protocol == P_POP3)
+           fetchsizelimit = 1;
+  
+       /* Time to allocate memory to store the sizes */
+       xalloca(msgsizes, int *, sizeof(int) * fetchsizelimit);
+--- 429,439 ----
+       /* for POP3, we can get the size of one mail only! Unfortunately, this
+        * protocol specific test cannot be done elsewhere as the protocol
+        * could be "auto". */
+!      switch (ctl->server.protocol)
+!      {
+!          case P_POP3: case P_APOP: case P_RPOP:
+           fetchsizelimit = 1;
++      }
+  
+       /* Time to allocate memory to store the sizes */
+       xalloca(msgsizes, int *, sizeof(int) * fetchsizelimit);
+*** pop2.c     Wed Oct 15 19:17:43 2003
+--- pop2.c     Fri Jul 22 01:47:28 2005
+***************
+*** 61,66 ****
+--- 61,67 ----
+                 "HELO %s %s",
+                 ctl->remotename, ctl->password);
+      shroud[0] = '\0';
++     return status;
+  }
+  
+  static int pop2_getrange(int sock, struct query *ctl, const char *folder, 
+*** pop3.c     Wed Oct 15 19:22:31 2003
+--- pop3.c     Fri Jul 22 01:44:00 2005
+***************
+*** 613,618 ****
+--- 613,620 ----
+      return 0;
+  }
+  
++ #define str(s) #s
++ #define UIDLFMT(n) "%d %" str(n) "s"
+  static int pop3_getuidl( int sock, int num , char *id)
+  {
+      int ok;
+***************
+*** 620,626 ****
+      gen_send(sock, "UIDL %d", num);
+      if ((ok = pop3_ok(sock, buf)) != 0)
+       return(ok);
+!     if (sscanf(buf, "%d %s", &num, id) != 2)
+       return(PS_PROTOCOL);
+      return(PS_SUCCESS);
+  }
+--- 622,628 ----
+      gen_send(sock, "UIDL %d", num);
+      if ((ok = pop3_ok(sock, buf)) != 0)
+       return(ok);
+!     if (sscanf(buf, UIDLFMT(IDLEN), &num, id) != 2)
+       return(PS_PROTOCOL);
+      return(PS_SUCCESS);
+  }
+***************
+*** 862,868 ****
+               {
+                   if (DOTLINE(buf))
+                       break;
+!                  else if (sscanf(buf, "%d %s", &num, id) == 2)
+                   {
+                       struct idlist   *old, *new;
+  
+--- 864,870 ----
+               {
+                   if (DOTLINE(buf))
+                       break;
+!                  else if (sscanf(buf, UIDLFMT(IDLEN), &num, id) == 2)
+                   {
+                       struct idlist   *old, *new;
+  
+*** sink.c     Fri Oct 10 22:06:36 2003
+--- sink.c     Fri Jul 22 01:42:23 2005
+***************
+*** 724,730 ****
+  
+      /* see the ap computation under the SMTP branch */
+      fprintf(sinkfp, 
+!          "MAIL FROM: %s", (msg->return_path[0]) ? msg->return_path : user);
+  
+      if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT))
+       fputs(" BODY=8BITMIME", sinkfp);
+--- 724,730 ----
+  
+      /* see the ap computation under the SMTP branch */
+      fprintf(sinkfp, 
+!          "MAIL FROM:%s", (msg->return_path[0]) ? msg->return_path : user);
+  
+      if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT))
+       fputs(" BODY=8BITMIME", sinkfp);
+*** smtp.c     Wed Aug  6 03:30:18 2003
+--- smtp.c     Fri Jul 22 01:42:23 2005
+***************
+*** 232,244 ****
+      int ok;
+      char buf[MSGBUFSIZE];
+  
+!     if (strchr(from, '<'))
+  #ifdef HAVE_SNPRINTF
+       snprintf(buf, sizeof(buf),
+  #else
+       sprintf(buf,
+  #endif /* HAVE_SNPRINTF */
+!              "MAIL FROM: %s", from);
+      else
+  #ifdef HAVE_SNPRINTF
+      snprintf(buf, sizeof(buf),
+--- 232,244 ----
+      int ok;
+      char buf[MSGBUFSIZE];
+  
+!     if (from[0]=='<')
+  #ifdef HAVE_SNPRINTF
+       snprintf(buf, sizeof(buf),
+  #else
+       sprintf(buf,
+  #endif /* HAVE_SNPRINTF */
+!              "MAIL FROM:%s", from);
+      else
+  #ifdef HAVE_SNPRINTF
+      snprintf(buf, sizeof(buf),
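Review bot: The header of the new patch-ag names the issue as CAN-2005-2355, while the commit description and the NEWS entry the same patch imports both say CAN-2005-2335; two digits are transposed and the header line should read `CAN-2005-2335: buffer overflow in "fetchmail".` so the identifier in the package matches the advisory. The fix itself bounds the two `sscanf` calls in pop3.c with `UIDLFMT(IDLEN)`, which expands to `"%d %" str(IDLEN) "s"`, i.e. a field width of IDLEN; a scanf width counts only the characters stored and the terminating NUL is written after them, so the destination `id` must be at least IDLEN+1 bytes, and its declaration is not visible in this patch — worth confirming against the `id` buffers in pop3.c before relying on the backport. Note also that an over-long UIDL is now silently truncated rather than rejected (sscanf still returns 2 and the caller accepts the id), so two server UIDLs sharing a prefix longer than IDLEN would be recorded as the same message; that is upstream's chosen behaviour and acceptable for a security fix, but a one-line mention in the patch header would save the next maintainer from rediscovering it.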


