Date: Wed, 20 Jul 2005 20:50:57 +0200
From: Matthias Andree
Sender: Matthias Andree
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: barner@FreeBSD.org
Subject: ports/83805: [PATCH] mail/fetchmail: update to 6.2.5.1, set maintainer
X-Send-Pr-Version: 3.113

>Number: 83805
>Category: ports
>Synopsis: [PATCH] mail/fetchmail: update to 6.2.5.1, set maintainer
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 20 19:00:35 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 4.11-RELEASE-p11 i386
>Organization:
>Environment:
System: FreeBSD libertas.emma.line.org 4.11-RELEASE-p11 FreeBSD 4.11-RELEASE-p11 #1: Sat Jul 2 12:53:26 CEST
>Description:
- Security update to 6.2.5.1

Added file(s):
- files/patch-r1
- files/patch-s1 <- this contains the security fix.

Generated with FreeBSD Port Tools 0.63
>How-To-Repeat:
>Fix:

--- fetchmail-6.2.5.1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/Makefile /usr/home/emma/ports/mail/fetchmail/Makefile --- /usr/ports/mail/fetchmail/Makefile Wed Jul 20 19:25:58 2005 +++ /usr/home/emma/ports/mail/fetchmail/Makefile Wed Jul 20 20:41:31 2005 
@@ -10,16 +10,17 @@ # want fetchmailconf to work, define WITH_X11 PORTNAME= fetchmail -PORTVERSION= 6.2.5 -PORTREVISION= 2 +PORTVERSION= 6.2.5.1 CATEGORIES= mail ipv6 MASTER_SITES= http://www.catb.org/~esr/%SUBDIR%/ \ + http://download.berlios.de/%SUBDIR%/ \ ftp://ftp.ayamura.org/pub/%SUBDIR%/ \ ftp://ftp.win.jp/pub/%SUBDIR%/ \ ftp://ftp.dti.ad.jp/pub/net/mail/%SUBDIR%/ MASTER_SITE_SUBDIR= fetchmail +DISTNAME= fetchmail-6.2.5 MAINTAINER= ports@FreeBSD.org COMMENT= Batch mail retrieval utility for IMAP/POP2/POP3/APOP/KPOP/ETRN/ODMR .if defined(WITH_X11) diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/fetchmailconf /usr/home/emma/ports/mail/fetchmail/files/fetchmailconf --- /usr/ports/mail/fetchmail/files/fetchmailconf Wed May 30 07:14:45 2001 +++ /usr/home/emma/ports/mail/fetchmail/files/fetchmailconf Wed Jul 20 20:19:52 2005 @@ -11,7 +11,7 @@ exec $PREFIX/libexec/fetchmailconf.bin else cat <return_path[0]) ? msg->return_path : user); ++ "MAIL FROM:%s", (msg->return_path[0]) ? msg->return_path : user); + + if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT)) + fputs(" BODY=8BITMIME", sinkfp); +--- ./smtp.c~ 2003-08-06 05:30:18.000000000 +0200 ++++ ./smtp.c 2005-07-20 18:26:32.000000000 +0200 +@@ -232,13 +232,13 @@ + int ok; + char buf[MSGBUFSIZE]; + +- if (strchr(from, '<')) ++ if (from[0]=='<') + #ifdef HAVE_SNPRINTF + snprintf(buf, sizeof(buf), + #else + sprintf(buf, + #endif /* HAVE_SNPRINTF */ +- "MAIL FROM: %s", from); ++ "MAIL FROM:%s", from); + else + #ifdef HAVE_SNPRINTF + snprintf(buf, sizeof(buf), diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/patch-s1 /usr/home/emma/ports/mail/fetchmail/files/patch-s1 --- /usr/ports/mail/fetchmail/files/patch-s1 Thu Jan 1 01:00:00 1970 +++ /usr/home/emma/ports/mail/fetchmail/files/patch-s1 Wed Jul 20 20:33:36 2005 
@@ -0,0 +1,237 @@ +SECURITY FIX: truncate UIDL replies, lest malicious or compromised +POP3 servers overflow fetchmail's stack. Debian bug #212762. +This is a remote root exploit. + +--- ./pop3.c~ 2003-10-15 21:22:31.000000000 +0200 ++++ ./pop3.c 2005-07-20 18:33:26.000000000 +0200 +@@ -16,7 +16,8 @@ + #if defined(STDC_HEADERS) + #include + #endif +- ++#include ++ + #include "fetchmail.h" + #include "socket.h" + #include "i18n.h" +@@ -590,7 +591,8 @@ + return(PS_SUCCESS); + } + +-static int pop3_gettopid( int sock, int num , char *id) ++#define POSIX_space "\t\n\v\f\r " ++static int pop3_gettopid(int sock, int num , char *id, size_t idsize) + { + int ok; + int got_it; +@@ -603,25 +605,51 @@ + { + if (DOTLINE(buf)) + break; +- if ( ! got_it && ! strncasecmp("Message-Id:", buf, 11 )) { +- got_it = 1; +- /* prevent stack overflows */ +- buf[IDLEN+12] = 0; +- sscanf( buf+12, "%s", id); ++ if (!got_it && 0 == strncasecmp("Message-Id:", buf, 11)) { ++ char *p = buf + 11; ++ p += strspn(p, POSIX_space); ++ p = strtok(p, POSIX_space); ++ strlcpy(id, p, idsize); + } + } + return 0; + } + +-static int pop3_getuidl( int sock, int num , char *id) ++/** Parse destructively the UID response (leading +OK must have been ++ * stripped off) in buf, store the number in gotnum, and store the ID ++ * into the caller-provided buffer "id" of size "idsize". ++ * Returns PS_SUCCESS or PS_PROTOCOL for failure. 
*/ ++static int parseuid(char *buf, unsigned long *gotnum, char *id, size_t idsize) ++{ ++ char *i, *j; ++ ++ i = strtok(buf, POSIX_space); ++ errno = 0; ++ *gotnum = strtoul(i, &j, 10); ++ if (*j != '\0' || j == i || errno) { ++ report(stderr, GT_("Cannot handle UIDL response from upstream server.\n")); ++ return PS_PROTOCOL; ++ } ++ i = strtok(NULL, POSIX_space); ++ strlcpy(id, i, idsize); ++ return PS_SUCCESS; ++} ++ ++static int pop3_getuidl(int sock, int num , char *id, size_t idsize) + { + int ok; + char buf [POPBUFSIZE+1]; ++ unsigned long gotnum; ++ + gen_send(sock, "UIDL %d", num); + if ((ok = pop3_ok(sock, buf)) != 0) + return(ok); +- if (sscanf(buf, "%d %s", &num, id) != 2) +- return(PS_PROTOCOL); ++ if ((ok = parseuid(buf, &gotnum, id, idsize))) ++ return ok; ++ if (gotnum != num) { ++ report(stderr, GT_("Server responded with UID for wrong message.\n")); ++ return PS_PROTOCOL; ++ } + return(PS_SUCCESS); + } + +@@ -638,7 +666,7 @@ + struct idlist *new; + + try_nr = (first_nr + last_nr) / 2; +- if( (ok = pop3_getuidl( sock, try_nr, id )) != 0 ) ++ if ((ok = pop3_getuidl(sock, try_nr, id, sizeof(id))) != 0) + return ok; + if ((new = str_in_list(&ctl->oldsaved, id, FALSE))) + { +@@ -700,10 +728,10 @@ + int first_nr, list_len, try_id, try_nr, add_id; + int num; + char id [IDLEN+1]; +- +- if( (ok = pop3_gettopid( sock, 1, id )) != 0 ) ++ ++ if ((ok = pop3_gettopid(sock, 1, id, sizeof(id))) != 0) + return ok; +- ++ + if( ( first_nr = str_nr_in_list(&ctl->oldsaved, id) ) == -1 ) { + /* the first message is unknown -> all messages are new */ + *newp = *countp; +@@ -715,7 +743,7 @@ + try_id = list_len - first_nr; /* -1 + 1 */ + if( try_id > 1 ) { + if( try_id <= *countp ) { +- if( (ok = pop3_gettopid( sock, try_id, id )) != 0 ) ++ if ((ok = pop3_gettopid(sock, try_id, id, sizeof(id))) != 0) + return ok; + + try_nr = str_nr_last_in_list(&ctl->oldsaved, id); +@@ -739,7 +767,7 @@ + } else + try_id += add_id; + +- if( (ok = pop3_gettopid( sock, try_id, id )) != 0 ) 
++ if ((ok = pop3_gettopid(sock, try_id, id, sizeof(id))) != 0) + return ok; + try_nr = str_nr_in_list(&ctl->oldsaved, id); + } +@@ -801,7 +829,7 @@ + + /* + * Newer, RFC-1725-conformant POP servers may not have the LAST command. +- * We work as hard as possible to hide this ugliness, but it makes ++ * We work as hard as possible to hide this ugliness, but it makes + * counting new messages intrinsically quadratic in the worst case. + */ + last = 0; +@@ -839,15 +867,15 @@ + } + *newp = (*countp - last); + } +- else +- { ++ else ++ { + if (dofastuidl) + return(pop3_fastuidl( sock, ctl, *countp, newp)); + /* grab the mailbox's UID list */ + if ((ok = gen_transact(sock, "UIDL")) != 0) + { + /* don't worry, yet! do it the slow way */ +- if((ok = pop3_slowuidl( sock, ctl, countp, newp))!=0) ++ if ((ok = pop3_slowuidl(sock, ctl, countp, newp))) + { + report(stderr, GT_("protocol error while fetching UIDLs\n")); + return(PS_ERROR); +@@ -855,27 +883,32 @@ + } + else + { +- int num; ++ unsigned long unum; + + *newp = 0; +- while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0) ++ while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0) + { +- if (DOTLINE(buf)) +- break; +- else if (sscanf(buf, "%d %s", &num, id) == 2) ++ if (DOTLINE(buf)) ++ break; ++ ++ if (parseuid(buf, &unum, id, sizeof(id)) == PS_SUCCESS) + { +- struct idlist *old, *new; ++ struct idlist *old, *new; + + new = save_str(&ctl->newsaved, id, UID_UNSEEN); +- new->val.status.num = num; ++ new->val.status.num = unum; + + if ((old = str_in_list(&ctl->oldsaved, id, FALSE))) + { + flag mark = old->val.status.mark; + if (mark == UID_DELETED || mark == UID_EXPUNGED) + { ++ /* XXX FIXME: switch 3 occurrences from ++ * (int)unum or (unsigned int)unum to ++ * remove the cast and use %lu - not now ++ * though, time for new release */ + if (outlevel >= O_VERBOSE) +- report(stderr, GT_("id=%s (num=%d) was deleted, but is still present!\n"), id, num); ++ report(stderr, GT_("id=%s (num=%d) was deleted, but is still present!\n"), 
id, (int)unum); + /* just mark it as seen now! */ + old->val.status.mark = mark = UID_SEEN; + } +@@ -884,25 +917,25 @@ + { + (*newp)++; + if (outlevel >= O_DEBUG) +- report(stdout, GT_("%u is unseen\n"), num); ++ report(stdout, GT_("%u is unseen\n"), (unsigned int)unum); + } + } + else + { + (*newp)++; + if (outlevel >= O_DEBUG) +- report(stdout, GT_("%u is unseen\n"), num); ++ report(stdout, GT_("%u is unseen\n"), (unsigned int)unum); + /* add it to oldsaved also! In case, we do not + * swap the lists (say, due to socket error), + * the same mail will not be downloaded again. + */ + old = save_str(&ctl->oldsaved, id, UID_UNSEEN); +- old->val.status.num = num; ++ old->val.status.num = unum; + } + } +- } +- } +- } ++ } ++ } ++ } + } + + return(PS_SUCCESS); +@@ -986,7 +1019,7 @@ + } + + /* get the uidl first! */ +- if (pop3_getuidl(sock, num, id) != PS_SUCCESS) ++ if (pop3_getuidl(sock, num, id, sizeof(id)) != PS_SUCCESS) + return(TRUE); + + if ((new = str_in_list(&ctl->oldsaved, id, FALSE))) { --- fetchmail-6.2.5.1.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
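
Review bot: In the Makefile hunk (@@ -10,16 +10,17 @@), MAINTAINER= ports@FreeBSD.org appears only as unchanged context, although the synopsis says "set maintainer"; if a maintainer change is intended, it is missing from this diff. In the same hunk PORTVERSION becomes 6.2.5.1 while the added DISTNAME pins the tarball to fetchmail-6.2.5, so the security fix reaches users only through files/patch-s1. A one-line comment next to DISTNAME saying so would keep a later update from dropping the pin or the patch by accident.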
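
Review bot: In the pop3.c hunk at @@ -603,25 +605,51 @@, parseuid() passes both strtok() results on without a NULL check: an empty or whitespace-only reply makes the first call return NULL, which goes straight into strtoul(i, &j, 10), and a reply that carries a number but no UID makes the second call return NULL, which goes into strlcpy(id, i, idsize). Both inputs are chosen by the server, so the overflow fix trades a stack overwrite for a NULL dereference; return PS_PROTOCOL when either token is NULL. The rewritten Message-Id branch of pop3_gettopid() in the same hunk has the same unchecked strtok() result, and it also drops the got_it = 1; assignment, so in the lines shown the !got_it guard no longer stops a later Message-Id: line from overwriting id. Finally, gotnum != num compares an unsigned long with an int; cast explicitly or reject num < 0 before comparing.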
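
Review bot: In the pop3.c hunks at @@ -855,27 +883,32 @@ and @@ -884,25 +917,25 @@, unum is an unsigned long that parseuid() accepts up to ULONG_MAX (it rejects only trailing garbage, an empty number, or errno), yet it is assigned to val.status.num and printed through (int) and (unsigned int) casts. The field's type is not visible here, but the replaced declaration was int num, so a server-supplied message number above INT_MAX would be silently truncated. The XXX FIXME comment covers the format strings only; a range check in parseuid() that returns PS_PROTOCOL for values that do not fit would close this at the source.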
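
Review bot: The pop3.c hunks at @@ -801,7 +829,7 @@ and @@ -839,15 +867,15 @@, and the closing-brace lines at the end of @@ -884,25 +917,25 @@, change only whitespace or spacing inside a patch labelled SECURITY FIX. That churn makes the security-relevant lines harder to audit and harder to carry to other branches; consider moving the cosmetic changes into a separate patch file so patch-s1 contains only the UIDL and Message-Id parsing changes.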
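
Review bot: The smtp.c hunk in files/patch-r1 (@@ -232,13 +232,13 @@) changes behaviour in two ways, and the PR description documents neither: the test moves from strchr(from, '<') to from[0]=='<', and the space after "MAIL FROM:" is removed. An address that contains '<' but does not start with it now takes the else branch, whose format string is not visible in this hunk. Please state in the description, or in a header inside patch-r1 like the one patch-s1 carries, what this patch fixes and that the else branch produces a valid reverse-path for such input.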