summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortm <tm@pkgsrc.org>2021-10-17 16:41:33 +0000
committertm <tm@pkgsrc.org>2021-10-17 16:41:33 +0000
commiteb9969e33af3da9ba2f87e6195e44d1e759f064d (patch)
treee02b4c4693605c06651401897ea3ed37b847aa4e
parent3c411bcf59c8fb4ca458629b4026e06cf4ce2027 (diff)
downloadpkgsrc-eb9969e33af3da9ba2f87e6195e44d1e759f064d.tar.gz
Pullup ticket #6521 - requested by nia
mail/alpine: security fix Revisions pulled up: - mail/alpine/Makefile 1.48 - mail/alpine/distinfo 1.27 - mail/alpine/patches/patch-imap_src_mtest_mtest.c deleted --- Module Name: pkgsrc Committed By: nia Date: Sun Oct 17 09:49:10 UTC 2021 Modified Files: pkgsrc/mail/alpine: Makefile distinfo Removed Files: pkgsrc/mail/alpine/patches: patch-imap_src_mtest_mtest.c Log Message: alpine: Update to 2.25. pkgsrc changes and notes: - According to the release notes, this fixes CVE-2021-38370 by Damian Poddebniak. - I have added the maildir patch, as FreeBSD does, because it seems useful. - I have removed the non-trivial patch for OpenBSD, because going by OpenBSD's ports repository it's no longer necessary at all. Version 2.25 includes several new features and bug fixes. Additions include: * Unix Alpine: New configuration variable ssl-ciphers that allows users to list the ciphers to use when connecting to a SSL server. Based on a collaboration with Professor Martin Trusler. * New hidden feature enable-delete-before-writing to add support for terminals that need lines to be deleted before being written. Based on a collaboration with Professor Martin Trusler. * Experimental: The instruction to remove the double quotes from the processing of customized headers existed in pine, but it was removed in alpine. Restoring old Alpine behavior. See this * Add the capability to record http debug. This is necessary to debug XOAUTH2 authentication, and records sensitive login information. Do not share your debug file if you use this form of debug. * Remove the ability to choose between the device and authorize methods to login to outlook, since the original client-id can only be used for the device method. One needs a special client-id and client-secret to use the authorize method in Outlook. * PC-Alpine only: Some service providers produce access tokens that are too long to save in the Windows Credentials, so the access tokens will be split and saved as several pieces. This means that old versions of Alpine will NOT be able to use saved passwords once this new version of Alpine is used. * PC-Alpine: Debug files used to be created with extension .txt1, .txt2, etc. Rename those files so that they have extension .txt. * Always follow **suppress-asterisks-in-password-prompt** setting in the various password prompts. Submitted by tienne Deparis. * Use 'alpine -F' instead of 'pine -F' as the browser default pager. Submitted by tienne Deparis. * Introduction of OTHER CMDS menu for the browser/pilot to let people discover the two new commands: "1" is a toggle that switches between 1 column and multicolumn mode. The "." command toggles between hiding or showing hidden files, and the "G" command to travel between directories. Contributed by tienne Deparis. * Add option -xoauth2-flow to the command line, so that users can specify the parameters to set up an xoauth2 connection through the command line. * Alpine deletes, from its internal memory and external cache, passwords that do not work, even if they were saved by the user. * New format for saving passwords in the windows credential manager for PC-Alpine. Upon starting this new version of Alpine the passwords saved in the credential manager are converted to the new format and they will not be recognized by old versions of Alpine, but only by this and newer versions of Alpine. * Enabled encryption protocols in PC-Alpine are based on those enabled in the system, unless one is specified directly. Bugs that have been addressed include: * The c-client library parses information from an IMAP server during non-authenticated state which could lead to denial of service. Reported by Damian Poddebniak from Mnster University of Applied Sciences. * Memory corruption when alpine searches for a string that is an incomplete utf8 string in a local folder. This could happen by chopping a string to make it fit a buffer without regard to its content. We fix the string so that chopping it does not damage it. Reported by Andrew. * Crash in the ntlm authenticator when the user name does not include a domain. Reported and fixed by Anders Skargren. * When forwarding a message, replacing an attachment might make Alpine re-attach the original attachment. Reported by Michael Traxler. * When an attachment is deleted, the saved message with the deleted attachment contains extra null characters after the end of the attachment boundary. * Tcp and http debug information is not printed unless the default debug level is set to 1. Print this if requested, regardless of what the default debug level is. * When trying to select a folder for saving a message, one can only enter a subfolder by pressing the ">" command, rather than the normal navigation by pressing "Return". Reported by Ulf-Dietrich Braunmann. * Crash when attempting to remove a configuration for a XOAUTH2 server that has no usernames configured. * Crash caused by saving (and resaving) XOAUTH2 refresh and access tokens in PC-Alpine. Reported by Karl Lindauer.
Diffstat
-rw-r--r--mail/alpine/Makefile18
-rw-r--r--mail/alpine/distinfo15
-rw-r--r--mail/alpine/patches/patch-imap_src_mtest_mtest.c216
3 files changed, 21 insertions, 228 deletions
diff --git a/mail/alpine/Makefile b/mail/alpine/Makefile
index 1594d1a882b..138e85c6145 100644
--- a/mail/alpine/Makefile
+++ b/mail/alpine/Makefile
@@ -1,16 +1,24 @@
-# $NetBSD: Makefile,v 1.47 2020/11/23 16:36:03 bsiegert Exp $
+# $NetBSD: Makefile,v 1.47.8.1 2021/10/17 16:41:33 tm Exp $
-DISTNAME= alpine-2.24
+DISTNAME= alpine-2.25
CATEGORIES= mail
MASTER_SITES= http://alpine.x10host.com/alpine/release/src/
+DIST_SUBDIR= ${DISTNAME}
EXTRACT_SUFX= .tar.xz
+PATCH_SITES= https://alpine.x10host.com/alpine/patches/alpine-${PKGVERSION_NOREV}/
+PATCHFILES+= maildir.patch.gz
+PATCH_DIST_STRIP= -p1
+
MAINTAINER= pkgsrc-users@NetBSD.org
-#HOMEPAGE= http://patches.freeiz.com/alpine/release/
+HOMEPAGE= http://alpine.x10host.com/index.html
COMMENT= Program for Internet News and E-mail
LICENSE= apache-2.0
-GNU_CONFIGURE= yes
+GNU_CONFIGURE= yes
+USE_TOOLS+= msgfmt msgmerge xgettext
+USE_LIBTOOL= yes
+
CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE}
CONFIGURE_ARGS+= --with-ssl-certs-dir=${SSLCERTS:Q}
CONFIGURE_ARGS+= --with-ssl-include-dir=${SSLBASE}/include
@@ -21,8 +29,6 @@ CONFIGURE_ARGS+= --with-passfile=.pine-passfile
# disabled, for Web Alpine Support
CONFIGURE_ARGS+= --without-tcl
-USE_LIBTOOL= yes
-
MAKE_JOBS_SAFE= no
INSTALLATION_DIRS= bin ${PKGMANDIR}/man1
diff --git a/mail/alpine/distinfo b/mail/alpine/distinfo
index 1e539de8a3f..8d33e54d580 100644
--- a/mail/alpine/distinfo
+++ b/mail/alpine/distinfo
@@ -1,10 +1,13 @@
-$NetBSD: distinfo,v 1.25 2020/11/23 16:36:03 bsiegert Exp $
+$NetBSD: distinfo,v 1.25.8.1 2021/10/17 16:41:33 tm Exp $
-SHA1 (alpine-2.24.tar.xz) = 42f2936935699686276bc6ab9e510eff7376a3dd
-RMD160 (alpine-2.24.tar.xz) = 1612ff9edfdd66a0ef145f338fa9db26177360e0
-SHA512 (alpine-2.24.tar.xz) = 642a51f73732ebdf7c40e2b66370aa2f48fb13b349b477871b26295c3e8b860a0cc78dec9f80efc6ea74c548a080ceff04181eb18c35a9c8cae8d8ef831178c5
-Size (alpine-2.24.tar.xz) = 7341676 bytes
+SHA1 (alpine-2.25/alpine-2.25.tar.xz) = 7f8ab772c1898284d0aa1825c3e18eee72547486
+RMD160 (alpine-2.25/alpine-2.25.tar.xz) = 3035891df0de21d15adc0b1665fcb4127b9b5ffd
+SHA512 (alpine-2.25/alpine-2.25.tar.xz) = 76c214cf66f4ac7af3de40357ad3a592ff2a119e327e5f6c256125b7865d46b09197435fe6ac8077ab7a498e4821925939f3f902431ca77baa786e149466a193
+Size (alpine-2.25/alpine-2.25.tar.xz) = 7495372 bytes
+SHA1 (alpine-2.25/maildir.patch.gz) = d7709751b57bc8f0cf7212452c61e82e715744a4
+RMD160 (alpine-2.25/maildir.patch.gz) = 5c402d391c399763fcf5714cfa7cca7cfbd65964
+SHA512 (alpine-2.25/maildir.patch.gz) = eea454796cab4e96b83869e880fe17d20799bf3a606712367f42deb0f3870b30f620fc77c307e40303ffc8492e828bb7772965b21614b2c27d4fc972f18ff346
+Size (alpine-2.25/maildir.patch.gz) = 34758 bytes
SHA1 (patch-imap_src_c-client_auth_gss.c) = e6da9ee9dbe0751872d1400237a030112eaa56c6
-SHA1 (patch-imap_src_mtest_mtest.c) = 8c5282047e165fee4b6fe74c230e41d63d3cdc69
SHA1 (patch-imap_src_osdep_unix_Makefile.gss) = ca09bc26a139c68afe8ac1f99be54bd1fc0e77f0
SHA1 (patch-imap_src_osdep_unix_kerb_mit.c) = c77d5ee1e8aee30811c2df0562caa375ed270c0e
diff --git a/mail/alpine/patches/patch-imap_src_mtest_mtest.c b/mail/alpine/patches/patch-imap_src_mtest_mtest.c
deleted file mode 100644
index ec82381d148..00000000000
--- a/mail/alpine/patches/patch-imap_src_mtest_mtest.c
+++ /dev/null
@@ -1,216 +0,0 @@
-$NetBSD: patch-imap_src_mtest_mtest.c,v 1.3 2018/07/24 12:39:36 bsiegert Exp $
-
-- patch up buffer handling (required to build on openbsd)
-
---- imap/src/mtest/mtest.c.orig 2017-02-06 00:06:22.499218141 +0000
-+++ imap/src/mtest/mtest.c
-@@ -151,6 +151,7 @@ void mm (MAILSTREAM *stream,long debug)
- void *sdb = NIL;
- char cmd[MAILTMPLEN],tmp[MAILTMPLEN];
- char *s, *arg;
-+ size_t argmax;
- unsigned long i;
- unsigned long last = 0;
- BODY *body;
-@@ -158,7 +159,9 @@ void mm (MAILSTREAM *stream,long debug)
- while (stream) {
- prompt ("MTest> ",cmd, sizeof(cmd)); /* prompt user, get command */
- /* get argument */
-- if ((arg = strchr (cmd,' ')) != NULL) *arg++ = '\0';
-+ if (arg)
-+ argmax = sizeof(cmd) - (arg - cmd);
-+
- switch (*ucase (cmd)) { /* dispatch based on command */
- case 'B': /* Body command */
- if (arg) last = atoi (arg);
-@@ -185,7 +188,8 @@ void mm (MAILSTREAM *stream,long debug)
- break;
- }
- arg = cmd;
-- sprintf (arg,"%lu",last);
-+ argmax = sizeof(cmd);
-+ snprintf (arg, argmax, "%lu",last);
- }
- if (last && (last <= stream->nmsgs))
- mail_setflag (stream,arg,"\\DELETED");
-@@ -198,6 +202,7 @@ void mm (MAILSTREAM *stream,long debug)
- case 'F': /* Find command */
- if (!arg) {
- arg = "%";
-+ argmax = 0;
- if ((s = sm_read (tmp,&sdb)) != NULL) {
- puts ("Local network subscribed mailboxes:");
- do if (*s == '{') (mm_lsub (NIL,NIL,s,NIL));
-@@ -251,7 +256,7 @@ void mm (MAILSTREAM *stream,long debug)
- }
- /* get the new mailbox */
- while (!(stream = mail_open (stream,arg,debug))) {
-- prompt ("Mailbox: ",arg, sizeof(arg));
-+ prompt ("Mailbox: ",arg, argmax);
- if (!arg[0]) break;
- }
- last = 0;
-@@ -323,7 +328,8 @@ void mm (MAILSTREAM *stream,long debug)
- break;
- }
- arg = cmd;
-- sprintf (arg,"%lu",last);
-+ argmax = sizeof(cmd);
-+ snprintf (arg, argmax, "%lu",last);
- }
- if (last > 0 && last <= stream->nmsgs)
- mail_clearflag (stream,arg,"\\DELETED");
-@@ -384,7 +390,7 @@ void overview_header (MAILSTREAM *stream
- tmp[3] = elt->answered ? 'A' : ' ';
- tmp[4] = elt->deleted ? 'D' : ' ';
- mail_parse_date (&selt,ov->date);
-- sprintf (tmp+5,"%4lu) ",elt->msgno);
-+ snprintf (tmp+5, sizeof(tmp)-5, "%4lu) ",elt->msgno);
- mail_date (tmp+11,&selt);
- tmp[17] = ' ';
- tmp[18] = '\0';
-@@ -394,11 +400,12 @@ void overview_header (MAILSTREAM *stream
- for (adr = ov->from; adr && !adr->host; adr = adr->next);
- if (adr) { /* if a personal name exists use it */
- if (!(t = adr->personal))
-- sprintf (t = tmp+400,"%s@%s",adr->mailbox,adr->host);
-+ snprintf (t = tmp+400, sizeof(tmp)-400, "%s@%s",adr->mailbox,adr->host);
- memcpy (tmp+18,t,(size_t) min (20,(long) strlen (t)));
- }
- strcat (tmp," ");
- if ((i = elt->user_flags) != 0L) {
-+ /* XXX bounds? */
- strcat (tmp,"{");
- while (i) {
- strcat (tmp,stream->user_flags[find_rightmost_bit (&i)]);
-@@ -406,7 +413,7 @@ void overview_header (MAILSTREAM *stream
- }
- strcat (tmp,"} ");
- }
-- sprintf (tmp + strlen (tmp),"%.25s (%lu chars)",
-+ snprintf (tmp + strlen (tmp), 400 - strlen(tmp), "%.25s (%lu chars)",
- ov->subject ? ov->subject : " ",ov->optional.octets);
- puts (tmp);
- }
-@@ -423,6 +430,7 @@ void header (MAILSTREAM *stream,long msg
- unsigned long i;
- char tmp[MAILTMPLEN];
- char *t;
-+ size_t len;
- MESSAGECACHE *cache = mail_elt (stream,msgno);
- mail_fetchstructure (stream,msgno,NIL);
- tmp[0] = cache->recent ? (cache->seen ? 'R': 'N') : ' ';
-@@ -430,7 +438,7 @@ void header (MAILSTREAM *stream,long msg
- tmp[2] = cache->flagged ? 'F' : ' ';
- tmp[3] = cache->answered ? 'A' : ' ';
- tmp[4] = cache->deleted ? 'D' : ' ';
-- sprintf (tmp+5,"%4lu) ",cache->msgno);
-+ snprintf (tmp+5, sizeof(tmp)-5, "%4lu) ",cache->msgno);
- mail_date (tmp+11,cache);
- tmp[17] = ' ';
- tmp[18] = '\0';
-@@ -445,7 +453,9 @@ void header (MAILSTREAM *stream,long msg
- strcat (tmp,"} ");
- }
- mail_fetchsubject (t = tmp + strlen (tmp),stream,msgno,(long) 25);
-- sprintf (t += strlen (t)," (%lu chars)",cache->rfc822_size);
-+ len = strlen (t);
-+ t += len;
-+ snprintf (t, sizeof(tmp)-len, " (%lu chars)",cache->rfc822_size);
- puts (tmp);
- }
-
-@@ -459,31 +469,57 @@ void display_body (BODY *body,char *pfx,
- {
- char tmp[MAILTMPLEN];
- char *s = tmp;
-+ size_t len, smax = sizeof(tmp);
- PARAMETER *par;
- PART *part; /* multipart doesn't have a row to itself */
- if (body->type == TYPEMULTIPART) {
- /* if not first time, extend prefix */
-- if (pfx) sprintf (tmp,"%s%ld.",pfx,++i);
-+ if (pfx) snprintf (tmp, sizeof(tmp), "%s%ld.",pfx,++i);
- else tmp[0] = '\0';
- for (i = 0,part = body->nested.part; part; part = part->next)
- display_body (&part->body,tmp,i++);
- }
- else { /* non-multipart, output oneline descriptor */
- if (!pfx) pfx = ""; /* dummy prefix if top level */
-- sprintf (s," %s%ld %s",pfx,++i,body_types[body->type]);
-- if (body->subtype) sprintf (s += strlen (s),"/%s",body->subtype);
-- if (body->description) sprintf (s += strlen (s)," (%s)",body->description);
-- if ((par = body->parameter) != NULL) do
-- sprintf (s += strlen (s),";%s=%s",par->attribute,par->value);
-+ snprintf (s, smax, " %s%ld %s",pfx,++i,body_types[body->type]);
-+ if (body->subtype) {
-+ len = strlen(s);
-+ s += len;
-+ smax -= len;
-+ snprintf (s, smax, "/%s",body->subtype);
-+ }
-+ if (body->description) {
-+ len = strlen(s);
-+ s += len;
-+ smax -= len;
-+ snprintf (s, smax, " (%s)",body->description);
-+ }
-+ if (par = body->parameter) do {
-+ len = strlen(s);
-+ s += len;
-+ smax -= len;
-+ snprintf (s, smax, ";%s=%s",par->attribute,par->value);
-+ }
- while ((par = par->next) != NULL);
-- if (body->id) sprintf (s += strlen (s),", id = %s",body->id);
-+ if (body->id) {
-+ len = strlen(s);
-+ s += len;
-+ smax -= len;
-+ snprintf (s, smax, ", id = %s",body->id);
-+ }
- switch (body->type) { /* bytes or lines depending upon body type */
- case TYPEMESSAGE: /* encapsulated message */
- case TYPETEXT: /* plain text */
-- sprintf (s += strlen (s)," (%lu lines)",body->size.lines);
-+ len = strlen(s);
-+ s += len;
-+ smax -= len;
-+ snprintf (s, smax, " (%lu lines)",body->size.lines);
- break;
- default:
-- sprintf (s += strlen (s)," (%lu bytes)",body->size.bytes);
-+ len = strlen(s);
-+ s += len;
-+ smax -= len;
-+ snprintf (s, smax, " (%lu bytes)",body->size.bytes);
- break;
- }
- puts (tmp); /* output this line */
-@@ -492,7 +528,7 @@ void display_body (BODY *body,char *pfx,
- (body = body->nested.msg->body)) {
- if (body->type == TYPEMULTIPART) display_body (body,pfx,i-1);
- else { /* build encapsulation prefix */
-- sprintf (tmp,"%s%ld.",pfx,i);
-+ snprintf (tmp, sizeof(tmp), "%s%ld.",pfx,i);
- display_body (body,tmp,(long) 0);
- }
- }
-@@ -711,10 +747,13 @@ void mm_login (NETMBX *mb,char *user,cha
- if (curhst) fs_give ((void **) &curhst);
- curhst = (char *) fs_get (1+strlen (mb->host));
- strcpy (curhst,mb->host);
-- sprintf (s = tmp,"{%s/%s",mb->host,mb->service);
-- if (*mb->user) sprintf (tmp+strlen (tmp),"/user=%s",strcpy (user,mb->user));
-- if (*mb->authuser) sprintf (tmp+strlen (tmp),"/authuser=%s",mb->authuser);
-- if (*mb->user) strcat (s = tmp,"} password:");
-+ snprintf (s = tmp, sizeof(tmp), "{%s/%s",mb->host,mb->service);
-+ if (*mb->user) snprintf (tmp+strlen (tmp), sizeof(tmp)-strlen(tmp), "/user=%s",strcpy (user,mb->user));
-+ if (*mb->authuser) snprintf (tmp+strlen (tmp), sizeof(tmp)-strlen(tmp), "/authuser=%s",mb->authuser);
-+ if (*mb->user) {
-+ s = tmp;
-+ snprintf(tmp+strlen(tmp), sizeof(tmp)-strlen(tmp), "%s", "} password:");
-+ }
- else {
- printf ("%s} username: ",tmp);
- fgets (user,NETMAXUSER-1,stdin);
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-21 22:42:59 +0000