author: triaxx <triaxx@pkgsrc.org> 2021-08-28 05:21:19 +0000
committer: triaxx <triaxx@pkgsrc.org> 2021-08-28 05:21:19 +0000
commit: 1230d88a70ea0fe275c0dde57d7099998c4b9548
tree: 82e4ac0b8e07d4e22494047065814f29f4604763 /mail/fetchmail
parent: e7abf2f71e7fa02037354aa8cf19a1860c780cc0
fetchmail: Update to 6.4.21
upstream changes:
-----------------
fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):

# REGRESSION FIX:
* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
  messages logged to buffered outputs, predominantly --logfile.
  This also caused lines in the logfile to run into one another because
  the fragment containing the '\n' line-end character was usually lost.
  Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
  interface), the length of log message fragments was added up twice, so
  that these ended too deep into a freshly allocated buffer, after the '\0'
  byte. Unbuffered outputs flushed the fragments right away, which masked the
  bug.
  Reported by: Jürgen Edner, Erik Christiansen.

--------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long
  header contents, and depending on verbosity option, fetchmail can crash or
  misreport each first log message that requires a buffer reallocation.
  fetchmail then reallocates memory and re-runs vsnprintf() without another
  call to va_start(), so it reads garbage. The exact impact depends on
  many factors around the compiler and operating system configurations used and
  the implementation details of the stdarg.h interfaces of the two functions
  mentioned before. To fix CVE-2021-36386.
  Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.
  He also offered a patch, which I could not take for fetchmail 6.4 because
  it required a C99 system and I'd promised earlier that 6.4 would remain
  compatible with C89 systems.
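The va_list reuse and the double-counted fragment length described in the commit message above, as an added example that is not fetchmail's or pkgsrc's code: a log-fragment accumulator that calls va_start() afresh for every vsnprintf() attempt and adds each fragment's length exactly once. The names `logbuf` and `logbuf_append` and the sample format string are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fragment accumulator; not fetchmail's own structure. */
struct logbuf {
    char  *data;  /* NUL-terminated text collected so far */
    size_t size;  /* bytes allocated */
    size_t used;  /* bytes of text, excluding the NUL */
};

/* Append one formatted fragment; returns 0 on success, -1 on failure. */
int logbuf_append(struct logbuf *lb, const char *fmt, ...)
{
    for (;;) {
        va_list ap;
        size_t avail = lb->size - lb->used;
        size_t need;
        char *p;
        int n;
        /* vsnprintf() leaves ap indeterminate, so each attempt needs
         * its own va_start()/va_end() pair, also after a realloc. */
        va_start(ap, fmt);
        n = vsnprintf(avail ? lb->data + lb->used : NULL, avail, fmt, ap);
        va_end(ap);
        if (n < 0) return -1;
        if ((size_t)n < avail) {
            lb->used += (size_t)n;  /* count the fragment exactly once */
            return 0;
        }
        if (avail)
            lb->data[lb->used] = '\0';  /* discard the truncated attempt */
        need = lb->used + (size_t)n + 1;
        p = realloc(lb->data, need);
        if (p == NULL) return -1;
        lb->data = p;
        lb->size = need;
    }
}

int main(void)
{
    struct logbuf lb = { NULL, 0, 0 };
    if (logbuf_append(&lb, "fetched %d of %d\n", 3, 7) == 0)  /* constructed input */
        fputs(lb.data, stdout);
    free(lb.data);
    return 0;
}
```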
Diffstat (limited to 'mail/fetchmail')
-rw-r--r-- mail/fetchmail/Makefile 4
-rw-r--r-- mail/fetchmail/distinfo 10
2 files changed, 7 insertions, 7 deletions
diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
index 0bdc7baa095..44c5239b711 100644
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.197 2021/05/25 11:59:47 triaxx Exp $
+# $NetBSD: Makefile,v 1.198 2021/08/28 05:21:19 triaxx Exp $
# Note to updaters: mail/fetchmailconf reaches over here, make sure it builds.
-DISTNAME= fetchmail-6.4.19
+DISTNAME= fetchmail-6.4.21
CATEGORIES= mail
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=fetchmail/}
EXTRACT_SUFX= .tar.xz
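Review bot: the DISTNAME bump from fetchmail-6.4.19 to fetchmail-6.4.21 carries the CVE-2021-36386 fix that upstream shipped in 6.4.20, yet the subject line says only "Update to 6.4.21". Name the CVE in the subject so the commit is easy to find when triaging security updates. The comment kept in this hunk also asks updaters to make sure mail/fetchmailconf builds; the commit message does not say that was checked, so please confirm it.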
diff --git a/mail/fetchmail/distinfo b/mail/fetchmail/distinfo
index ff440f33bc2..5a36e16586b 100644
--- a/mail/fetchmail/distinfo
+++ b/mail/fetchmail/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.58 2021/05/25 11:59:47 triaxx Exp $
+$NetBSD: distinfo,v 1.59 2021/08/28 05:21:19 triaxx Exp $
-SHA1 (fetchmail-6.4.19.tar.xz) = bb6959f0cf1f6d689c2ba3834c5bba72e4f9ec07
-RMD160 (fetchmail-6.4.19.tar.xz) = 97bdf84e6dce38d9fd7154e8cafba6a0b7fcd979
-SHA512 (fetchmail-6.4.19.tar.xz) = b10f0ac5b3b22f8b1d86367990fc96ea5c49dc21c873890c732c254c34503bd6ab9348c5ef88b99ba0f83f065fa9f9aead55de9721b0f296efa14eac0311daaf
-Size (fetchmail-6.4.19.tar.xz) = 1316672 bytes
+SHA1 (fetchmail-6.4.21.tar.xz) = a264c50256c2b42d2c7893f9efae7c9a29350786
+RMD160 (fetchmail-6.4.21.tar.xz) = c8c7e9ca1840e2f78a52b55a3db0eb10f35196a0
+SHA512 (fetchmail-6.4.21.tar.xz) = c9300f63c0e4073f199a9a7d9061774a7f88aad496b696cad96c0ee85107cae506461f0cd083903c60104b1e7654461213f3f759c1cdaffaf1c85fb1956faa67
+Size (fetchmail-6.4.21.tar.xz) = 1318996 bytes
SHA1 (patch-Makefile.in) = 9cd2053a7c8bbbf6f71fcee03e33c0d29d235c4e
SHA1 (patch-configure) = f5db59db380755d8b9fc8f75e723fd729ca06c30
SHA1 (patch-configure.ac) = 9ff885f7d40a749f628d35a8408b1860f8017362
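Review bot: the new SHA1, RMD160 and SHA512 lines for fetchmail-6.4.21.tar.xz give no indication of how the tarball they were computed from was authenticated. Since distinfo is what later builds check the download against, say in the commit message whether the archive was verified against upstream's published checksum or signature before the hashes were regenerated. The patch-* entries visible in the context are unchanged, which is consistent with no local patch needing a refresh for 6.4.21.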