Date: Wed, 20 Jul 2005 20:50:57 +0200 From: Matthias Andree <matthias.andree@gmx.de> To: FreeBSD-gnats-submit@FreeBSD.org Cc: barner@FreeBSD.org Subject: ports/83805: [PATCH] mail/fetchmail: update to 6.2.5.1, set maintainer Message-ID: <E1DvJej-0007Nl-Ua@libertas.emma.line.org> Resent-Message-ID: <200507201900.j6KJ0awZ049596@freefall.freebsd.org>
>Number: 83805 >Category: ports >Synopsis: [PATCH] mail/fetchmail: update to 6.2.5.1, set maintainer >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Wed Jul 20 19:00:35 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Matthias Andree >Release: FreeBSD 4.11-RELEASE-p11 i386 >Organization: >Environment: System: FreeBSD libertas.emma.line.org 4.11-RELEASE-p11 FreeBSD 4.11-RELEASE-p11 #1: Sat Jul 2 12:53:26 CEST >Description: - Security update to 6.2.5.1 Added file(s): - files/patch-r1 - files/patch-s1 <- this contains the security fix. Generated with FreeBSD Port Tools 0.63 >How-To-Repeat: >Fix:
--- fetchmail-6.2.5.1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/Makefile /usr/home/emma/ports/mail/fetchmail/Makefile
--- /usr/ports/mail/fetchmail/Makefile Wed Jul 20 19:25:58 2005
+++ /usr/home/emma/ports/mail/fetchmail/Makefile Wed Jul 20 20:41:31 2005
@@ -10,16 +10,17 @@
 # want fetchmailconf to work, define WITH_X11
 PORTNAME= fetchmail
-PORTVERSION= 6.2.5
-PORTREVISION= 2
+PORTVERSION= 6.2.5.1
 CATEGORIES= mail ipv6
 MASTER_SITES= http://www.catb.org/~esr/%SUBDIR%/ \
+ http://download.berlios.de/%SUBDIR%/ \
 ftp://ftp.ayamura.org/pub/%SUBDIR%/ \
 ftp://ftp.win.jp/pub/%SUBDIR%/ \
 ftp://ftp.dti.ad.jp/pub/net/mail/%SUBDIR%/
 MASTER_SITE_SUBDIR= fetchmail
+DISTNAME= fetchmail-6.2.5
 MAINTAINER= ports@FreeBSD.org
 COMMENT= Batch mail retrieval utility for IMAP/POP2/POP3/APOP/KPOP/ETRN/ODMR
 .if defined(WITH_X11)
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/fetchmailconf /usr/home/emma/ports/mail/fetchmail/files/fetchmailconf
--- /usr/ports/mail/fetchmail/files/fetchmailconf Wed May 30 07:14:45 2001
+++ /usr/home/emma/ports/mail/fetchmail/files/fetchmailconf Wed Jul 20 20:19:52 2005
@@ -11,7 +11,7 @@
 exec $PREFIX/libexec/fetchmailconf.bin
 else
 cat <<EOF
-The fetchmailconf program requires Python with Tkinter , which does not
+The fetchmailconf program requires Python with Tkinter, which does not
 appear to be installed on this system. Python/Tkinter can be found in
 the FreeBSD Ports Collection under x11-toolkits/py-tkinter.
 EOF
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/patch-r1 /usr/home/emma/ports/mail/fetchmail/files/patch-r1
--- /usr/ports/mail/fetchmail/files/patch-r1 Thu Jan 1 01:00:00 1970
+++ /usr/home/emma/ports/mail/fetchmail/files/patch-r1 Wed Jul 20 20:27:20 2005
@@ -0,0 +1,29 @@
+--- ./sink.c~ 2003-10-11 00:06:36.000000000 +0200
++++ ./sink.c 2005-07-20 18:26:32.000000000 +0200
+@@ -724,7 +724,7 @@
+
+ /* see the ap computation under the SMTP branch */
+ fprintf(sinkfp,
+- "MAIL FROM: %s", (msg->return_path[0]) ? msg->return_path : user);
++ "MAIL FROM:%s", (msg->return_path[0]) ? msg->return_path : user);
+
+ if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT))
+ fputs(" BODY=8BITMIME", sinkfp);
+--- ./smtp.c~ 2003-08-06 05:30:18.000000000 +0200
++++ ./smtp.c 2005-07-20 18:26:32.000000000 +0200
+@@ -232,13 +232,13 @@
+ int ok;
+ char buf[MSGBUFSIZE];
+
+- if (strchr(from, '<'))
++ if (from[0]=='<')
+ #ifdef HAVE_SNPRINTF
+ snprintf(buf, sizeof(buf),
+ #else
+ sprintf(buf,
+ #endif /* HAVE_SNPRINTF */
+- "MAIL FROM: %s", from);
++ "MAIL FROM:%s", from);
+ else
+ #ifdef HAVE_SNPRINTF
+ snprintf(buf, sizeof(buf),
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/patch-s1 /usr/home/emma/ports/mail/fetchmail/files/patch-s1
--- /usr/ports/mail/fetchmail/files/patch-s1 Thu Jan 1 01:00:00 1970
+++ /usr/home/emma/ports/mail/fetchmail/files/patch-s1 Wed Jul 20 20:33:36 2005
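Review bot: In the smtp.c part of files/patch-r1 the `#else` branch still builds the command with `sprintf(buf, "MAIL FROM:%s", from)` into the fixed `char buf[MSGBUFSIZE]`, so a build without HAVE_SNPRINTF places no bound on the length of `from`. Because this PR is a security update and the envelope sender presumably comes from message headers, the length should be checked before formatting in that branch, for example `if (strlen(from) >= sizeof(buf) - sizeof("MAIL FROM:")) /* fail the transaction */`. The switch from `strchr(from, '<')` to `from[0]=='<'` also changes which addresses take the second branch, whose format string lies outside the hunk, so a short comment stating the intended input forms would help, e.g. `/* from is either "<addr>" or a bare addr; only the former is sent verbatim */`. The enclosing function starts and ends outside the hunk.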
@@ -0,0 +1,237 @@
+SECURITY FIX: truncate UIDL replies, lest malicious or compromised
+POP3 servers overflow fetchmail's stack. Debian bug #212762.
+This is a remote root exploit.
+
+--- ./pop3.c~ 2003-10-15 21:22:31.000000000 +0200
++++ ./pop3.c 2005-07-20 18:33:26.000000000 +0200
+@@ -16,7 +16,8 @@
+ #if defined(STDC_HEADERS)
+ #include <stdlib.h>
+ #endif
+-
++#include <errno.h>
++
+ #include "fetchmail.h"
+ #include "socket.h"
+ #include "i18n.h"
+@@ -590,7 +591,8 @@
+ return(PS_SUCCESS);
+ }
+
+-static int pop3_gettopid( int sock, int num , char *id)
++#define POSIX_space "\t\n\v\f\r "
++static int pop3_gettopid(int sock, int num , char *id, size_t idsize)
+ {
+ int ok;
+ int got_it;
+@@ -603,25 +605,51 @@
+ {
+ if (DOTLINE(buf))
+ break;
+- if ( ! got_it && ! strncasecmp("Message-Id:", buf, 11 )) {
+- got_it = 1;
+- /* prevent stack overflows */
+- buf[IDLEN+12] = 0;
+- sscanf( buf+12, "%s", id);
++ if (!got_it && 0 == strncasecmp("Message-Id:", buf, 11)) {
++ char *p = buf + 11;
++ p += strspn(p, POSIX_space);
++ p = strtok(p, POSIX_space);
++ strlcpy(id, p, idsize);
+ }
+ }
+ return 0;
+ }
+
+-static int pop3_getuidl( int sock, int num , char *id)
++/** Parse destructively the UID response (leading +OK must have been
++ * stripped off) in buf, store the number in gotnum, and store the ID
++ * into the caller-provided buffer "id" of size "idsize".
++ * Returns PS_SUCCESS or PS_PROTOCOL for failure. */
++static int parseuid(char *buf, unsigned long *gotnum, char *id, size_t idsize)
++{
++ char *i, *j;
++
++ i = strtok(buf, POSIX_space);
++ errno = 0;
++ *gotnum = strtoul(i, &j, 10);
++ if (*j != '\0' || j == i || errno) {
++ report(stderr, GT_("Cannot handle UIDL response from upstream server.\n"));
++ return PS_PROTOCOL;
++ }
++ i = strtok(NULL, POSIX_space);
++ strlcpy(id, i, idsize);
++ return PS_SUCCESS;
++}
++
++static int pop3_getuidl(int sock, int num , char *id, size_t idsize)
+ {
+ int ok;
+ char buf [POPBUFSIZE+1];
++ unsigned long gotnum;
++
+ gen_send(sock, "UIDL %d", num);
+ if ((ok = pop3_ok(sock, buf)) != 0)
+ return(ok);
+- if (sscanf(buf, "%d %s", &num, id) != 2)
+- return(PS_PROTOCOL);
++ if ((ok = parseuid(buf, &gotnum, id, idsize)))
++ return ok;
++ if (gotnum != num) {
++ report(stderr, GT_("Server responded with UID for wrong message.\n"));
++ return PS_PROTOCOL;
++ }
+ return(PS_SUCCESS);
+ }
+
+@@ -638,7 +666,7 @@
+ struct idlist *new;
+
+ try_nr = (first_nr + last_nr) / 2;
+- if( (ok = pop3_getuidl( sock, try_nr, id )) != 0 )
++ if ((ok = pop3_getuidl(sock, try_nr, id, sizeof(id))) != 0)
+ return ok;
+ if ((new = str_in_list(&ctl->oldsaved, id, FALSE)))
+ {
+@@ -700,10 +728,10 @@
+ int first_nr, list_len, try_id, try_nr, add_id;
+ int num;
+ char id [IDLEN+1];
+-
+- if( (ok = pop3_gettopid( sock, 1, id )) != 0 )
++
++ if ((ok = pop3_gettopid(sock, 1, id, sizeof(id))) != 0)
+ return ok;
+-
++
+ if( ( first_nr = str_nr_in_list(&ctl->oldsaved, id) ) == -1 ) {
+ /* the first message is unknown -> all messages are new */
+ *newp = *countp;
+@@ -715,7 +743,7 @@
+ try_id = list_len - first_nr; /* -1 + 1 */
+ if( try_id > 1 ) {
+ if( try_id <= *countp ) {
+- if( (ok = pop3_gettopid( sock, try_id, id )) != 0 )
++ if ((ok = pop3_gettopid(sock, try_id, id, sizeof(id))) != 0)
+ return ok;
+
+ try_nr = str_nr_last_in_list(&ctl->oldsaved, id);
+@@ -739,7 +767,7 @@
+ } else
+ try_id += add_id;
+
+- if( (ok = pop3_gettopid( sock, try_id, id )) != 0 )
++ if ((ok = pop3_gettopid(sock, try_id, id, sizeof(id))) != 0)
+ return ok;
+ try_nr = str_nr_in_list(&ctl->oldsaved, id);
+ }
+@@ -801,7 +829,7 @@
+
+ /*
+ * Newer, RFC-1725-conformant POP servers may not have the LAST command.
+- * We work as hard as possible to hide this ugliness, but it makes
++ * We work as hard as possible to hide this ugliness, but it makes
+ * counting new messages intrinsically quadratic in the worst case.
+ */
+ last = 0;
+@@ -839,15 +867,15 @@
+ }
+ *newp = (*countp - last);
+ }
+- else
+- {
++ else
++ {
+ if (dofastuidl)
+ return(pop3_fastuidl( sock, ctl, *countp, newp));
+ /* grab the mailbox's UID list */
+ if ((ok = gen_transact(sock, "UIDL")) != 0)
+ {
+ /* don't worry, yet! do it the slow way */
+- if((ok = pop3_slowuidl( sock, ctl, countp, newp))!=0)
++ if ((ok = pop3_slowuidl(sock, ctl, countp, newp)))
+ {
+ report(stderr, GT_("protocol error while fetching UIDLs\n"));
+ return(PS_ERROR);
+@@ -855,27 +883,32 @@
+ }
+ else
+ {
+- int num;
++ unsigned long unum;
+
+ *newp = 0;
+- while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
++ while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
+ {
+- if (DOTLINE(buf))
+- break;
+- else if (sscanf(buf, "%d %s", &num, id) == 2)
++ if (DOTLINE(buf))
++ break;
++
++ if (parseuid(buf, &unum, id, sizeof(id)) == PS_SUCCESS)
+ {
+- struct idlist *old, *new;
++ struct idlist *old, *new;
+
+ new = save_str(&ctl->newsaved, id, UID_UNSEEN);
+- new->val.status.num = num;
++ new->val.status.num = unum;
+
+ if ((old = str_in_list(&ctl->oldsaved, id, FALSE)))
+ {
+ flag mark = old->val.status.mark;
+ if (mark == UID_DELETED || mark == UID_EXPUNGED)
+ {
++ /* XXX FIXME: switch 3 occurrences from
++ * (int)unum or (unsigned int)unum to
++ * remove the cast and use %lu - not now
++ * though, time for new release */
+ if (outlevel >= O_VERBOSE)
+- report(stderr, GT_("id=%s (num=%d) was deleted, but is still present!\n"), id, num);
++ report(stderr, GT_("id=%s (num=%d) was deleted, but is still present!\n"), id, (int)unum);
+ /* just mark it as seen now! */
+ old->val.status.mark = mark = UID_SEEN;
+ }
+@@ -884,25 +917,25 @@
+ {
+ (*newp)++;
+ if (outlevel >= O_DEBUG)
+- report(stdout, GT_("%u is unseen\n"), num);
++ report(stdout, GT_("%u is unseen\n"), (unsigned int)unum);
+ }
+ }
+ else
+ {
+ (*newp)++;
+ if (outlevel >= O_DEBUG)
+- report(stdout, GT_("%u is unseen\n"), num);
++ report(stdout, GT_("%u is unseen\n"), (unsigned int)unum);
+ /* add it to oldsaved also! In case, we do not
+ * swap the lists (say, due to socket error),
+ * the same mail will not be downloaded again.
+ */
+ old = save_str(&ctl->oldsaved, id, UID_UNSEEN);
+- old->val.status.num = num;
++ old->val.status.num = unum;
+ }
+ }
+- }
+- }
+- }
++ }
++ }
++ }
+ }
+
+ return(PS_SUCCESS);
+@@ -986,7 +1019,7 @@
+ }
+
+ /* get the uidl first! */
+- if (pop3_getuidl(sock, num, id) != PS_SUCCESS)
++ if (pop3_getuidl(sock, num, id, sizeof(id)) != PS_SUCCESS)
+ return(TRUE);
+
+ if ((new = str_in_list(&ctl->oldsaved, id, FALSE))) {
--- fetchmail-6.2.5.1.patch ends here ---
>Release-Note: >Audit-Trail: >Unformatted:
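Review bot: The new `parseuid()` uses both `strtok()` results unchecked, the first in `strtoul(i, &j, 10)` and the second in `strlcpy(id, i, idsize)`, and `strtok()` returns NULL for an empty reply line or one with no ID after the number, so the overflow fix leaves a NULL dereference reachable from server-controlled input. `pop3_gettopid()` has the same gap after `p = strtok(p, POSIX_space)` when a `Message-Id:` header carries no value, and the added branch no longer sets `got_it = 1`, so (assuming `got_it` starts at 0 outside the hunk) a later Message-Id line overwrites the first. Each token should be checked before use, failing with PS_PROTOCOL in `parseuid()` and skipping the line in `pop3_gettopid()`. Truncation by `strlcpy()` is also silent; if shortened IDs could collide in the `oldsaved` list, its return value can be compared with `idsize`. The body of `pop3_gettopid()` continues outside the inner hunks.

```c
static int parseuid(char *buf, unsigned long *gotnum, char *id, size_t idsize)
{
    char *i, *j;

    i = strtok(buf, POSIX_space);
    if (i == NULL)                      /* empty reply line */
        goto bad;
    errno = 0;
    *gotnum = strtoul(i, &j, 10);
    if (*j != '\0' || j == i || errno)
        goto bad;
    i = strtok(NULL, POSIX_space);
    if (i == NULL)                      /* number without an ID */
        goto bad;
    strlcpy(id, i, idsize);
    return PS_SUCCESS;

bad:
    report(stderr, GT_("Cannot handle UIDL response from upstream server.\n"));
    return PS_PROTOCOL;
}

/* ... unchanged: pop3_gettopid() up to the Message-Id test ... */
	    p = strtok(p, POSIX_space);
	    if (p != NULL) {                /* header present but empty: keep looking */
		strlcpy(id, p, idsize);
		got_it = 1;
	    }
```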