pkgsrc-Changes archive


CVS commit: pkgsrc/mail/fetchmail



Module Name:    pkgsrc
Committed By:   triaxx
Date:           Sat Aug 28 05:21:19 UTC 2021

Modified Files:
        pkgsrc/mail/fetchmail: Makefile distinfo

Log Message:
fetchmail: Update to 6.4.21

upstream changes:
-----------------
fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):

# REGRESSION FIX:
* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
  messages logged to buffered outputs, predominantly --logfile.

  This also caused lines in the logfile to run into one another because
  the fragment containing the '\n' line-end character was usually lost.

  Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
  interface), the length of log message fragments was added up twice, so
  that these ended too deep into a freshly allocated buffer, after the '\0'
  byte.  Unbuffered outputs flushed the fragments right away, which masked the
  bug.

  Reported by: Jürgen Edner, Erik Christiansen.

--------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long
  header contents, and depending on verbosity option, fetchmail can crash or
  misreport each first log message that requires a buffer reallocation.
  fetchmail then reallocates memory and re-runs vsnprintf() without another
  call to va_start(), so it reads garbage. The exact impact depends on
  many factors around the compiler and operating system configurations used and
  the implementation details of the stdarg.h interfaces of the two functions
  mentioned before. To fix CVE-2021-36386.

  Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.

  He also offered a patch, which I could not take for fetchmail 6.4 because
  it required a C99 system and I'd promised earlier that 6.4 would remain
  compatible with C89 systems.


To generate a diff of this commit:
cvs rdiff -u -r1.197 -r1.198 pkgsrc/mail/fetchmail/Makefile
cvs rdiff -u -r1.58 -r1.59 pkgsrc/mail/fetchmail/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mail/fetchmail/Makefile
diff -u pkgsrc/mail/fetchmail/Makefile:1.197 pkgsrc/mail/fetchmail/Makefile:1.198
--- pkgsrc/mail/fetchmail/Makefile:1.197        Tue May 25 11:59:47 2021
+++ pkgsrc/mail/fetchmail/Makefile      Sat Aug 28 05:21:19 2021
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.197 2021/05/25 11:59:47 triaxx Exp $
+# $NetBSD: Makefile,v 1.198 2021/08/28 05:21:19 triaxx Exp $
 
 # Note to updaters: mail/fetchmailconf reaches over here, make sure it builds.
-DISTNAME=      fetchmail-6.4.19
+DISTNAME=      fetchmail-6.4.21
 CATEGORIES=    mail
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=fetchmail/}
 EXTRACT_SUFX=  .tar.xz
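Review bot: the context line "Note to updaters: mail/fetchmailconf reaches over here, make sure it builds" applies to this DISTNAME bump from 6.4.19 to 6.4.21, but the commit touches only Makefile and distinfo and the log does not say the dependent package was rebuilt. Please confirm mail/fetchmailconf builds against 6.4.21, and consider naming CVE-2021-36386 in the log subject line so the update is easy to find when tracking security fixes.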

Index: pkgsrc/mail/fetchmail/distinfo
diff -u pkgsrc/mail/fetchmail/distinfo:1.58 pkgsrc/mail/fetchmail/distinfo:1.59
--- pkgsrc/mail/fetchmail/distinfo:1.58 Tue May 25 11:59:47 2021
+++ pkgsrc/mail/fetchmail/distinfo      Sat Aug 28 05:21:19 2021
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.58 2021/05/25 11:59:47 triaxx Exp $
+$NetBSD: distinfo,v 1.59 2021/08/28 05:21:19 triaxx Exp $
 
-SHA1 (fetchmail-6.4.19.tar.xz) = bb6959f0cf1f6d689c2ba3834c5bba72e4f9ec07
-RMD160 (fetchmail-6.4.19.tar.xz) = 97bdf84e6dce38d9fd7154e8cafba6a0b7fcd979
-SHA512 (fetchmail-6.4.19.tar.xz) = b10f0ac5b3b22f8b1d86367990fc96ea5c49dc21c873890c732c254c34503bd6ab9348c5ef88b99ba0f83f065fa9f9aead55de9721b0f296efa14eac0311daaf
-Size (fetchmail-6.4.19.tar.xz) = 1316672 bytes
+SHA1 (fetchmail-6.4.21.tar.xz) = a264c50256c2b42d2c7893f9efae7c9a29350786
+RMD160 (fetchmail-6.4.21.tar.xz) = c8c7e9ca1840e2f78a52b55a3db0eb10f35196a0
+SHA512 (fetchmail-6.4.21.tar.xz) = c9300f63c0e4073f199a9a7d9061774a7f88aad496b696cad96c0ee85107cae506461f0cd083903c60104b1e7654461213f3f759c1cdaffaf1c85fb1956faa67
+Size (fetchmail-6.4.21.tar.xz) = 1318996 bytes
 SHA1 (patch-Makefile.in) = 9cd2053a7c8bbbf6f71fcee03e33c0d29d235c4e
 SHA1 (patch-configure) = f5db59db380755d8b9fc8f75e723fd729ca06c30
 SHA1 (patch-configure.ac) = 9ff885f7d40a749f628d35a8408b1860f8017362
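Review bot: the four replaced lines for fetchmail-6.4.21.tar.xz record only what was downloaded when the checksums were regenerated; neither this hunk nor the log shows the tarball was compared with a digest or signature published by upstream. Please confirm that comparison was made, relying on SHA512 rather than SHA1, which is no longer collision resistant. The three patch-* SHA1 context lines are unchanged, so the local patches are carried over as they were and should be confirmed to still apply to 6.4.21.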


