Date: Thu, 30 Aug 2012 00:58:55 +0200
From: Matthias Andree <mandree@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: chalpin@cs.wisc.edu
Subject: ports/171177: [PATCH] mail/fetchmail: security update to 6.3.22
Message-ID: <E1T6rDr-000DZ8-Lo@apollo.emma.line.org>
Resent-Message-ID: <201208292300.q7TN0Hus044166@freefall.freebsd.org>
>Number: 171177
>Category: ports
>Synopsis: [PATCH] mail/fetchmail: security update to 6.3.22
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 29 23:00:17 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 9.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD apollo.emma.line.org 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #4: Wed Aug 29 22:15:30 CEST 2012
>Description:
- Update to 6.3.22

Removed file(s):
- files/patch-CVE-2012-3482

Port maintainer (chalpin@cs.wisc.edu) is cc'd.

Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports)
>How-To-Repeat:
>Fix:
--- fetchmail-6.3.22.patch begins here --- diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/Makefile ./Makefile --- /usr/ports/mail/fetchmail/Makefile 2012-08-27 19:44:23.000000000 +0200 +++ ./Makefile 2012-08-30 00:39:39.000000000 +0200 @@ -2,7 +2,7 @@ # Date created: 25 Feb 2000 # Whom: Ville Eerola <ve@sci.fi> # -# $FreeBSD: ports/mail/fetchmail/Makefile,v 1.222 2012/08/27 17:44:23 mandree Exp $ +# $FreeBSD: head/mail/fetchmail/Makefile 303238 2012-08-27 17:44:23Z mandree $ # # NOTE: The fetchmailconf program (an interactive program for # writing .fetchmailrc files) requires Python, Tk, X11, etc.. @@ -11,8 +11,7 @@ # want fetchmailconf to work, define the X11 option. PORTNAME= fetchmail -PORTVERSION= 6.3.21 -PORTREVISION= 1 +PORTVERSION= 6.3.22 CATEGORIES= mail ipv6 MASTER_SITES= BERLIOS/${PORTNAME}/ \ SF/${PORTNAME}/branch_6.3/ \ diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/distinfo ./distinfo --- /usr/ports/mail/fetchmail/distinfo 2012-02-25 00:56:18.000000000 +0100 +++ ./distinfo 2012-08-30 00:39:42.000000000 +0200
@@ -1,2 +1,2 @@ -SHA256 (fetchmail-6.3.21.tar.xz) = dc1b92666df7bc4d6be3e66654e9894bcaa76527ea99183deabd9e11486e0f82 -SIZE (fetchmail-6.3.21.tar.xz) = 1254704 +SHA256 (fetchmail-6.3.22.tar.xz) = 9ab51a851f79e16258f068e791c39e3e378a99927f70c9635132f4295d70b1a4 +SIZE (fetchmail-6.3.22.tar.xz) = 1260296 diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/fetchmail.in ./files/fetchmail.in --- /usr/ports/mail/fetchmail/files/fetchmail.in 2012-01-14 09:55:56.000000000 +0100 +++ ./files/fetchmail.in 2012-07-17 03:36:34.000000000 +0200 @@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: ports/mail/fetchmail/files/fetchmail.in,v 1.11 2012/01/14 08:55:56 dougb Exp $ +# $FreeBSD$ # # PROVIDE: fetchmail diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/fetchmailconf ./files/fetchmailconf --- /usr/ports/mail/fetchmail/files/fetchmailconf 2005-12-06 22:07:19.000000000 +0100 +++ ./files/fetchmailconf 2012-07-17 03:36:34.000000000 +0200 @@ -3,7 +3,7 @@ # Wrapper for the real fetchmailconf. Checks whether Python and Tkinter are # installed, and runs the real fetchmailconf or alerts the user, as appropriate. # -# $FreeBSD: ports/mail/fetchmail/files/fetchmailconf,v 1.7 2005/12/06 21:07:19 barner Exp $ +# $FreeBSD$ LOCALBASE=@LOCALBASE@ diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/patch-CVE-2012-3482 ./files/patch-CVE-2012-3482 --- /usr/ports/mail/fetchmail/files/patch-CVE-2012-3482 2012-08-27 19:44:23.000000000 +0200 +++ ./files/patch-CVE-2012-3482 1970-01-01 01:00:00.000000000 +0100 
@@ -1,53 +0,0 @@ -diff --git a/ntlm.h b/ntlm.h -index 1469633..ad83520 100644 ---- a/ntlm.h -+++ b/ntlm.h -@@ -32,8 +32,8 @@ uint32 msgType; - tSmbStrHeader uDomain; - uint32 flags; - uint8 challengeData[8]; --uint8 reserved[8]; --tSmbStrHeader emptyString; -+uint32 context[2]; -+tSmbStrHeader targetInfo; - uint8 buffer[1024]; - uint32 bufIndex; - }tSmbNtlmAuthChallenge; -diff --git a/ntlmsubr.c b/ntlmsubr.c -index f9d2733..63cbed8 100644 ---- a/ntlmsubr.c -+++ b/ntlmsubr.c -@@ -55,7 +55,32 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto) - if ((result = gen_recv(sock, msgbuf, sizeof msgbuf))) - goto cancelfail; - -- (void)from64tobits (&challenge, msgbuf, sizeof(challenge)); -+ if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0 -+ || result < ((void *)&challenge.context - (void *)&challenge)) -+ { -+ report (stderr, GT_("could not decode BASE64 challenge\n")); -+ /* We do not goto cancelfail; the server has already sent the -+ * tagged reply, so the protocol exchange has ended, no need -+ * for us to send the asterisk. */ -+ return PS_AUTHFAIL; -+ } -+ -+ /* validate challenge: -+ * - ident -+ * - message type -+ * - that offset points into buffer -+ * - that offset + length does not wrap -+ * - that offset + length is not bigger than buffer */ -+ if (0 != memcmp("NTLMSSP", challenge.ident, 8) -+ || challenge.msgType != 2 -+ || challenge.uDomain.offset > result -+ || challenge.uDomain.offset + challenge.uDomain.len < challenge.uDomain.offset -+ || challenge.uDomain.offset + challenge.uDomain.len > result) -+ { -+ report (stderr, GT_("NTLM challenge contains invalid data.\n")); -+ result = PS_AUTHFAIL; -+ goto cancelfail; -+ } - - if (outlevel >= O_DEBUG) - dumpSmbNtlmAuthChallenge(stdout, &challenge); diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/pkg-plist ./pkg-plist --- /usr/ports/mail/fetchmail/pkg-plist 2011-07-09 12:07:49.000000000 +0200 +++ ./pkg-plist 2012-08-30 00:41:12.000000000 +0200 
@@ -1,4 +1,4 @@ -@comment $FreeBSD: ports/mail/fetchmail/pkg-plist,v 1.30 2011/07/09 10:07:49 crees Exp $ +@comment $FreeBSD$ bin/fetchmail bin/fetchmailconf libexec/fetchmailconf.py @@ -33,6 +33,7 @@ %%NLS%%share/locale/ru/LC_MESSAGES/fetchmail.mo %%NLS%%share/locale/sk/LC_MESSAGES/fetchmail.mo %%NLS%%share/locale/sq/LC_MESSAGES/fetchmail.mo +%%NLS%%share/locale/sv/LC_MESSAGES/fetchmail.mo %%NLS%%share/locale/tr/LC_MESSAGES/fetchmail.mo %%NLS%%share/locale/vi/LC_MESSAGES/fetchmail.mo %%NLS%%share/locale/zh_CN/LC_MESSAGES/fetchmail.mo --- fetchmail-6.3.22.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
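Review bot: the Makefile hunk keeps the $FreeBSD$ keyword in expanded form (`+# $FreeBSD: head/mail/fetchmail/Makefile 303238 2012-08-27 17:44:23Z mandree $`) while the fetchmail.in, fetchmailconf and pkg-plist hunks collapse theirs to a bare `$FreeBSD$`; use one treatment, preferably the unexpanded `$FreeBSD$`, so the committer does not have to hand-resolve a keyword conflict on apply. Dropping `PORTREVISION= 1` together with the PORTVERSION bump to 6.3.22 is the correct ports convention.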
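Review bot: the distinfo hunk supplies a new SHA256 and SIZE for fetchmail-6.3.22.tar.xz but the PR says nothing about how they were obtained; before committing, regenerate them with `make makesum` from a fresh fetch via the MASTER_SITES listed in the Makefile and confirm they match these two lines, since distinfo is the only integrity check the ports tree applies to the tarball.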
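Review bot: removing files/patch-CVE-2012-3482 is only safe if the 6.3.22 tarball carries the validation the local patch added, and the Description says only "Update to 6.3.22" without stating that. Suggest adding a sentence such as "6.3.22 contains the upstream fix for CVE-2012-3482, so the local patch is dropped", and having the committer confirm that ntlmsubr.c in 6.3.22 performs the checks visible in the removed hunk: the from64tobits return-length check, `memcmp("NTLMSSP", challenge.ident, 8)`, `challenge.msgType != 2`, and the offset/length wrap and bounds checks against `result`. Without that confirmation the update would silently reintroduce the unvalidated NTLM challenge parse the patch closed.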
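Review bot: the pkg-plist hunk adds only `%%NLS%%share/locale/sv/LC_MESSAGES/fetchmail.mo`; since the PR was generated with Port Tools 0.99_6, run `port test` on the updated port to confirm no other installed files changed between 6.3.21 and 6.3.22 (further locales, man pages) that would be missing from the plist, otherwise the package build fails or deinstall leaves orphans.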
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1T6rDr-000DZ8-Lo>