Update fetchmail to 6.2.5.5.

Change homepage to http://fetchmail.berlios.de/ and update MASTER_SITES.

Changes introduced since 6.2.5:

fetchmail-6.2.5.X is a security fix branch that forked off
fetchmail-6.2.5. It does not change for anything but security and the
most severe bug fixes. Note that no 6.2.5.X security audits are planned
except when a particular bug is reported, and that 6.2.5.X is unsafe to
use on some systems, particularly those that lack a *working and secure*
snprintf implementation.

The fetchmail 6.2.5.X branch will be discontinued early in 2006.

fetchmail-6.2.5.5  2005-12-19  Matthias Andree

* SECURITY FIX CVE-2005-4348: fix null pointer dereference in
  multidrop mode when the message is empty. Reported by Daniel Drake
  <http://article.gmane.org/gmane.mail.fetchmail.user/7573> and others
  (Debian Bug #343836). Fix by Sunil Shetye.
* Fix Debian bug #301964, fetchmail leaks sockets when SSL negotiation
  fails. Fix suggested by Goswin Brederlow.
* Add fetchmail-SA-2005-{01,02,03}.txt

fetchmail-6.2.5.4  2005-11-13  Matthias Andree

* Also ship pre-built rcfile_y.[ch] for systems that don't have flex,
  yacc or bison.
* On FreeBSD, add /usr/local/include to CPPFLAGS so that libintl.h is found.
* Avoid automatically picking up HESIOD implementations that lack
  hesiod_getmailhost, such as the one in FreeBSD's base system.
* Fix makedepend for separated build (where the build is not run from
  the source directory), but prevent packaging from separated build, it
  yields bogus results.
* Fix resolv.h autodetection.
* Add +HESIOD to version printout if appropriate.

fetchmail-6.2.5.3  2005-11-12  Matthias Andree

* SECURITY FIX CVE-2005-3088: fetchmailconf: fix password exposure: use
  umask 077 before opening output file and restore umask later.
* Critical fix: fix IMAP timeouts, counting message count down on
  servers that do not send EXISTS counts after EXPUNGE. Debian Bug#314509.
* Ship pre-built rcfile_l.c for systems that don't have flex.
* Build environment: Update included gettext. Fix
  --with-included-gettext. Fix parallel build (make -j). Fix "always
  rebuild fetchmail" syndrome.
* Do not link against -ll or -lfl (not needed).

fetchmail-6.2.5.2
(patch Fri Jul 22 01:52 GMT 2005,
 tarball Sat Jul 23 21:34 GMT 2005)

* README: Added a note about release status - READ IT!
* Note: Due to a Makefile.in bug, you may need to use GNU make.
* SECURITY FIX CVE-2005-2335: truncate UIDL replies, lest malicious or
  compromised POP3 servers overflow fetchmail's stack. Debian bug
  #212762.  This is a remote root exploit.
  Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
  Thanks: Ludwig Nussel for a much simpler fix.
* Critical fix: omit blank between MAIL FROM: and <user@example.org>,
  as this causes mail loss with some listeners.
* Fix: POP2 driver wouldn't properly check authentication failure.
* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
frueauf 2005-12-20 14:27:53 +00:00
parent 552c2ca893
commit 41348c590d
7 changed files with 6097 additions and 7494 deletions
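The 6.2.5.2 entry above describes the UIDL fix as truncating the reply so a hostile POP3 server cannot overflow the stack; the patch does that by giving `%s` a field width built from IDLEN. Below is an added stand-alone C illustration of that technique, not fetchmail's own code; the IDLEN value, the `PS_*` codes, the `demo` function and the sample reply lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Longest UIDL we accept. fetchmail defines its own IDLEN; this value is
 * constructed for the example. */
#define IDLEN 64

/* Stringize the width so it becomes part of the format: "%d %64s".
 * A bare "%s" would copy a token of any length into id. */
#define str(s) #s
#define UIDLFMT(n) "%d %" str(n) "s"
enum { PS_SUCCESS = 0, PS_PROTOCOL = 4 };  /* constructed status codes */

/* Parse one "num id" line of a POP3 UIDL reply. id needs IDLEN + 1 bytes:
 * %64s stores at most 64 characters and then the terminating NUL. */
int parse_uidl_line(const char *buf, int *num, char id[IDLEN + 1])
{
    if (sscanf(buf, UIDLFMT(IDLEN), num, id) != 2)
        return PS_PROTOCOL;
    return PS_SUCCESS;
}

/* Run the parser over constructed input: a normal reply, a hostile
 * over-long id, and a malformed line. Returns 0 when every check holds. */
int demo(void)
{
    struct { char id[IDLEN + 1]; char guard[8]; } s;
    char longline[2 + 200 + 1];
    int num = 0;
    memcpy(s.guard, "GUARD!!", 8);     /* sentinel that must survive */

    if (parse_uidl_line("1 QhdPYR:00WBw1Ph7x7", &num, s.id) != PS_SUCCESS)
        return 1;
    if (num != 1 || strcmp(s.id, "QhdPYR:00WBw1Ph7x7") != 0)
        return 2;

    /* 200-character id: only IDLEN characters are stored, guard intact */
    memset(longline, 'A', sizeof longline);
    memcpy(longline, "2 ", 2);
    longline[sizeof longline - 1] = '\0';
    if (parse_uidl_line(longline, &num, s.id) != PS_SUCCESS)
        return 3;
    if (num != 2 || strlen(s.id) != IDLEN || memcmp(s.guard, "GUARD!!", 8))
        return 4;

    /* no leading message number: protocol error, nothing is stored */
    if (parse_uidl_line("QhdPYR no-number", &num, s.id) != PS_PROTOCOL)
        return 5;
    return 0;
}
```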


@ -1,13 +1,11 @@
# $NetBSD: Makefile,v 1.154 2005/10/21 20:56:50 tonio Exp $
# $NetBSD: Makefile,v 1.155 2005/12/20 14:27:53 frueauf Exp $
DISTNAME= fetchmail-6.2.5
PKGREVISION= 6
DISTNAME= fetchmail-6.2.5.5
CATEGORIES= mail
MASTER_SITES= http://www.catb.org/~esr/fetchmail/ \
http://sunsite.unc.edu/pub/Linux/system/mail/pop/
MASTER_SITES= http://download.berlios.de/fetchmail/
MAINTAINER= frueauf@NetBSD.org
HOMEPAGE= http://catb.org/~esr/fetchmail/
HOMEPAGE= http://fetchmail.berlios.de/
COMMENT= Batch mail retrieval/forwarding utility for pop2, pop3, apop, imap
PKG_INSTALLATION_TYPES= overwrite pkgviews
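Review bot: dropping `PKGREVISION= 6` together with the DISTNAME bump is the right reset for a new upstream version, but MASTER_SITES shrinks from two sites to only http://download.berlios.de/fetchmail/, so a fetch has no fallback if that host is unreachable; consider keeping a second site alongside it.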


@ -1,16 +1,14 @@
$NetBSD: distinfo,v 1.33 2005/11/01 19:16:52 adrianp Exp $
$NetBSD: distinfo,v 1.34 2005/12/20 14:27:53 frueauf Exp $
SHA1 (fetchmail-6.2.5.tar.gz) = 4656ec4393ccd1c137fe7b331f77cb26b576ac0e
RMD160 (fetchmail-6.2.5.tar.gz) = e32b91a959d0e80c4bd45a8758811cbe95a98180
Size (fetchmail-6.2.5.tar.gz) = 1257376 bytes
SHA1 (fetchmail-6.2.5.5.tar.gz) = 119dc2d0f533541413b7951edec8ecf1c0308b1b
RMD160 (fetchmail-6.2.5.5.tar.gz) = f0d74e5e985973867944962c949e7e5d76f77b84
Size (fetchmail-6.2.5.5.tar.gz) = 1327784 bytes
SHA1 (patch-aa) = 3c8aaac5d53c1069995ab74ad99bc5e64843a507
SHA1 (patch-ab) = 009a97639502365f8b6ec4e854622620391a812f
SHA1 (patch-ac) = ef0e651807bb0942ca79ed3b10ffc000f71bd330
SHA1 (patch-ad) = b6bffc59f28992fa0d3de0f9dad250c73bbeffc6
SHA1 (patch-ae) = 3acbacee78ab2084a615b0c02b7f83e563bfc7ac
SHA1 (patch-af) = 06e7b84566b0d3ed50b56f88baf23f15ae21eb21
SHA1 (patch-ag) = e27a4769dc804bec71b449bed7ff318d15ae8bdf
SHA1 (patch-ae) = da3152bfd2e61d914d1f32c5eee6821aaef3e461
SHA1 (patch-ah) = d6d08403b241a3e1a891faadbb36b0cd00df1398
SHA1 (patch-ai) = 16449ab08c266936d80b8be11c93a3dd1ac5c2fe
SHA1 (patch-aj) = 1051c1eb754b9c9cffad2eab4561791975aebbe1
SHA1 (patch-ak) = d75b42146597a17a1ce91dddc7ed0821697d7ec2
SHA1 (patch-al) = 660df6275304a95b2bc7b98f71980a335677763e
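Review bot: the SHA1 line for patch-ae changes here, yet the commit message says nothing about patch-ae being regenerated; a one-line note on what changed in it would help anyone auditing this update. The removed entries for patch-af, patch-ag and patch-ak line up with the upstream items quoted in the message (the gettext update in 6.2.5.3, the 6.2.5.2 UIDL fix and the fetchmailconf umask fix), and the new distfile gets SHA1, RMD160 and Size as pkgsrc expects.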

File diff suppressed because it is too large


@ -1,23 +0,0 @@
$NetBSD: patch-af,v 1.1 2002/04/06 16:53:02 frueauf Exp $
--- intl/Makefile.in-ori Sat Mar 16 16:18:38 2002
+++ intl/Makefile.in Mon Mar 25 21:54:08 2002
@@ -204,12 +204,12 @@
# The dependency for intlh.inst is different in gettext and all other
# packages. Because we cannot you GNU make features we have to solve
# the problem while rewriting Makefile.in.
-@GT_YES@intlh.inst: intlh.inst.in ../config.status
-@GT_YES@ cd .. \
-@GT_YES@ && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= \
-@GT_YES@ $(SHELL) ./config.status
-@GT_NO@.PHONY: intlh.inst
-@GT_NO@intlh.inst:
+intlh.inst: intlh.inst.in ../config.status
+ cd .. \
+ && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= \
+ $(SHELL) ./config.status
+#@GT_NO@.PHONY: intlh.inst
+#@GT_NO@intlh.inst:
# Tell versions [3.59,3.63) of GNU make not to export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
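Review bot: removing patch-af is consistent with the 6.2.5.3 entry "Build environment: Update included gettext", but neither this hunk nor the commit message states that the intl/Makefile.in workaround is no longer needed with the new tarball; a line in the message saying the local patches were dropped because upstream absorbed them would keep the audit trail clear.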


@ -1,184 +0,0 @@
$NetBSD: patch-ag,v 1.3 2005/07/22 14:27:53 frueauf Exp $
This patch originates from
http://download.berlios.de/fetchmail/fetchmail-patch-6.2.5.2.gz
and upgrades fetchmail 6.2.5 to 6.2.5.2, which among other stuff fixes
CAN-2005-2355: buffer overflow in "fetchmail".
*** Makefile.in Wed Oct 15 22:38:18 2003
--- Makefile.in Fri Jul 22 01:55:44 2005
***************
*** 4,10 ****
# So just uncomment all the lines marked QNX.
PACKAGE = fetchmail
! VERSION = 6.2.5
# Ultrix 2.2 make doesn't expand the value of VPATH.
srcdir = @srcdir@
--- 4,10 ----
# So just uncomment all the lines marked QNX.
PACKAGE = fetchmail
! VERSION = 6.2.5.2
# Ultrix 2.2 make doesn't expand the value of VPATH.
srcdir = @srcdir@
*** NEWS Wed Oct 15 22:40:17 2003
--- NEWS Fri Jul 22 01:52:16 2005
***************
*** 2,7 ****
--- 2,20 ----
(The `lines' figures total .c, .h, .l, and .y files under version control.)
+ fetchmail-6.2.5.2 (Fri Jul 22 01:52 GMT 2005):
+
+ * NOTE: Due to a Makefile.in bug, you may need to use GNU make.
+ * SECURITY FIX: truncate UIDL replies, lest malicious or compromised
+ POP3 servers overflow fetchmail's stack. Debian bug #212762.
+ This is a remote root exploit. CVE Name: CAN-2005-2335.
+ Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
+ Thanks: Ludwig Nussel for a much simpler fix.
+ * Critical fix: omit blank between MAIL FROM: and <user@example.org>,
+ as this causes mail loss with some listeners.
+ * Fix: POP2 driver wouldn't properly check authentication failure.
+ * Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
+
fetchmail-6.2.5 (Wed Oct 15 18:39:22 EDT 2003), 23079 lines:
* Updated Spanish, Turkish, and German translation files.
*** driver.c Wed Oct 15 19:22:31 2003
--- driver.c Fri Jul 22 01:49:49 2005
***************
*** 429,436 ****
/* for POP3, we can get the size of one mail only! Unfortunately, this
* protocol specific test cannot be done elsewhere as the protocol
* could be "auto". */
! if (ctl->server.protocol == P_POP3)
fetchsizelimit = 1;
/* Time to allocate memory to store the sizes */
xalloca(msgsizes, int *, sizeof(int) * fetchsizelimit);
--- 429,439 ----
/* for POP3, we can get the size of one mail only! Unfortunately, this
* protocol specific test cannot be done elsewhere as the protocol
* could be "auto". */
! switch (ctl->server.protocol)
! {
! case P_POP3: case P_APOP: case P_RPOP:
fetchsizelimit = 1;
+ }
/* Time to allocate memory to store the sizes */
xalloca(msgsizes, int *, sizeof(int) * fetchsizelimit);
*** pop2.c Wed Oct 15 19:17:43 2003
--- pop2.c Fri Jul 22 01:47:28 2005
***************
*** 61,66 ****
--- 61,67 ----
"HELO %s %s",
ctl->remotename, ctl->password);
shroud[0] = '\0';
+ return status;
}
static int pop2_getrange(int sock, struct query *ctl, const char *folder,
*** pop3.c Wed Oct 15 19:22:31 2003
--- pop3.c Fri Jul 22 01:44:00 2005
***************
*** 613,618 ****
--- 613,620 ----
return 0;
}
+ #define str(s) #s
+ #define UIDLFMT(n) "%d %" str(n) "s"
static int pop3_getuidl( int sock, int num , char *id)
{
int ok;
***************
*** 620,626 ****
gen_send(sock, "UIDL %d", num);
if ((ok = pop3_ok(sock, buf)) != 0)
return(ok);
! if (sscanf(buf, "%d %s", &num, id) != 2)
return(PS_PROTOCOL);
return(PS_SUCCESS);
}
--- 622,628 ----
gen_send(sock, "UIDL %d", num);
if ((ok = pop3_ok(sock, buf)) != 0)
return(ok);
! if (sscanf(buf, UIDLFMT(IDLEN), &num, id) != 2)
return(PS_PROTOCOL);
return(PS_SUCCESS);
}
***************
*** 862,868 ****
{
if (DOTLINE(buf))
break;
! else if (sscanf(buf, "%d %s", &num, id) == 2)
{
struct idlist *old, *new;
--- 864,870 ----
{
if (DOTLINE(buf))
break;
! else if (sscanf(buf, UIDLFMT(IDLEN), &num, id) == 2)
{
struct idlist *old, *new;
*** sink.c Fri Oct 10 22:06:36 2003
--- sink.c Fri Jul 22 01:42:23 2005
***************
*** 724,730 ****
/* see the ap computation under the SMTP branch */
fprintf(sinkfp,
! "MAIL FROM: %s", (msg->return_path[0]) ? msg->return_path : user);
if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT))
fputs(" BODY=8BITMIME", sinkfp);
--- 724,730 ----
/* see the ap computation under the SMTP branch */
fprintf(sinkfp,
! "MAIL FROM:%s", (msg->return_path[0]) ? msg->return_path : user);
if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT))
fputs(" BODY=8BITMIME", sinkfp);
*** smtp.c Wed Aug 6 03:30:18 2003
--- smtp.c Fri Jul 22 01:42:23 2005
***************
*** 232,244 ****
int ok;
char buf[MSGBUFSIZE];
! if (strchr(from, '<'))
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
#else
sprintf(buf,
#endif /* HAVE_SNPRINTF */
! "MAIL FROM: %s", from);
else
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
--- 232,244 ----
int ok;
char buf[MSGBUFSIZE];
! if (from[0]=='<')
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
#else
sprintf(buf,
#endif /* HAVE_SNPRINTF */
! "MAIL FROM:%s", from);
else
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
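Review bot: the header of the removed patch-ag cites CAN-2005-2355 while the NEWS text inside it and the commit message say CAN/CVE-2005-2335; the typo goes away with the file, but the commit log should use the correct identifier when it explains the removal. The removal itself is sound, since the whole 6.2.5.2 delta (the `UIDLFMT(IDLEN)` bounded sscanf, the `MAIL FROM:` spacing fix, the pop2 `return status`) is listed as part of the 6.2.5.5 branch now fetched. One caveat worth recording: `"%d %" str(n) "s"` with n = IDLEN stores up to IDLEN characters plus a terminating NUL, so `id` must be IDLEN + 1 bytes; that sizing is not visible in this hunk and is worth confirming in the upstream source.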


@ -1,46 +0,0 @@
$NetBSD: patch-ak,v 1.1 2005/11/01 19:16:52 adrianp Exp $
--- fetchmailconf.orig 2003-10-15 20:22:31.000000000 +0100
+++ fetchmailconf 2005-10-21 14:48:02.000000000 +0100
@@ -4,7 +4,19 @@
# by Eric S. Raymond, <esr@snark.thyrsus.com>.
# Requires Python with Tkinter, and the following OS-dependent services:
# posix, posixpath, socket
-version = "1.43"
+#
+# Changes by Matthias Andree, in 2005:
+#
+# 1.43.1 - unsuccessful attempt to fix a password exposure bug
+#
+# thanks to Thomas Wolff and Miloslav Trmac for pointing
+# out the fix was insufficient
+#
+# 1.43.2 - fix password exposure bug, by restricting umask to 077
+# before opening the file
+# - record fetchmailconf version in output file
+#
+version = "1.43.2"
from Tkinter import *
from Dialog import *
@@ -858,14 +870,17 @@
# Pre-1.5.2 compatibility...
except os.error:
pass
+ old_umask = os.umask(077)
fm = open(self.outfile, 'w')
+ os.umask(old_umask)
if fm:
- fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
+ if fm != sys.stdout:
+ os.chmod(self.outfile, 0600)
+ fm.write("# Configuration created %s by fetchmailconf %s\n"
+ % (time.ctime(time.time()), version))
fm.write(`self.configuration`)
if self.outfile:
fm.close()
- if fm != sys.stdout:
- os.chmod(self.outfile, 0600)
self.destruct()
#
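Review bot: the removed patch-ak closed the CVE-2005-3088 window in two steps: `os.umask(077)` around the open, and moving `os.chmod(self.outfile, 0600)` to before the first `fm.write` instead of after `fm.close()`. The 6.2.5.3 entry in the commit message mentions only the umask part, and umask does not change the mode of a pre-existing rcfile that open(..., 'w') merely truncates; it is worth checking that the upstream fetchmailconf also performs the chmod before writing, otherwise an already world-readable file would receive passwords before its mode is tightened.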


@ -0,0 +1,13 @@
$NetBSD: patch-al,v 1.1 2005/12/20 14:27:53 frueauf Exp $
--- po/Makefile.in.in.orig 2005-12-20 15:18:52.000000000 +0100
+++ po/Makefile.in.in 2005-12-20 15:21:06.000000000 +0100
@@ -28,7 +28,7 @@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
-MKINSTALLDIRS = @MKINSTALLDIRS@
+MKINSTALLDIRS = ../@MKINSTALLDIRS@
mkinstalldirs = $(SHELL) $(MKINSTALLDIRS)
GMSGFMT = @GMSGFMT@
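Review bot: the new patch-al carries no comment explaining why MKINSTALLDIRS needs the `../` prefix (pkgsrc patches normally give a short rationale after the $NetBSD$ line), and the commit message does not mention it either. The prefix also assumes @MKINSTALLDIRS@ expands to a path relative to the top source directory; if it is ever absolute, `../` in front of it breaks, so a comment stating that assumption would help the next updater.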