1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
|
$NetBSD: patch-ag,v 1.3 2005/07/22 14:27:53 frueauf Exp $
This patch originates from
http://download.berlios.de/fetchmail/fetchmail-patch-6.2.5.2.gz
and upgrades fetchmail 6.2.5 to 6.2.5.2, which among other stuff fixes
CAN-2005-2355: buffer overflow in "fetchmail".
*** Makefile.in Wed Oct 15 22:38:18 2003
--- Makefile.in Fri Jul 22 01:55:44 2005
***************
*** 4,10 ****
# So just uncomment all the lines marked QNX.
PACKAGE = fetchmail
! VERSION = 6.2.5
# Ultrix 2.2 make doesn't expand the value of VPATH.
srcdir = @srcdir@
--- 4,10 ----
# So just uncomment all the lines marked QNX.
PACKAGE = fetchmail
! VERSION = 6.2.5.2
# Ultrix 2.2 make doesn't expand the value of VPATH.
srcdir = @srcdir@
*** NEWS Wed Oct 15 22:40:17 2003
--- NEWS Fri Jul 22 01:52:16 2005
***************
*** 2,7 ****
--- 2,20 ----
(The `lines' figures total .c, .h, .l, and .y files under version control.)
+ fetchmail-6.2.5.2 (Fri Jul 22 01:52 GMT 2005):
+
+ * NOTE: Due to a Makefile.in bug, you may need to use GNU make.
+ * SECURITY FIX: truncate UIDL replies, lest malicious or compromised
+ POP3 servers overflow fetchmail's stack. Debian bug #212762.
+ This is a remote root exploit. CVE Name: CAN-2005-2335.
+ Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
+ Thanks: Ludwig Nussel for a much simpler fix.
+ * Critical fix: omit blank between MAIL FROM: and <user@example.org>,
+ as this causes mail loss with some listeners.
+ * Fix: POP2 driver wouldn't properly check authentication failure.
+ * Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
+
fetchmail-6.2.5 (Wed Oct 15 18:39:22 EDT 2003), 23079 lines:
* Updated Spanish, Turkish, and German translation files.
*** driver.c Wed Oct 15 19:22:31 2003
--- driver.c Fri Jul 22 01:49:49 2005
***************
*** 429,436 ****
/* for POP3, we can get the size of one mail only! Unfortunately, this
* protocol specific test cannot be done elsewhere as the protocol
* could be "auto". */
! if (ctl->server.protocol == P_POP3)
fetchsizelimit = 1;
/* Time to allocate memory to store the sizes */
xalloca(msgsizes, int *, sizeof(int) * fetchsizelimit);
--- 429,439 ----
/* for POP3, we can get the size of one mail only! Unfortunately, this
* protocol specific test cannot be done elsewhere as the protocol
* could be "auto". */
! switch (ctl->server.protocol)
! {
! case P_POP3: case P_APOP: case P_RPOP:
fetchsizelimit = 1;
+ }
/* Time to allocate memory to store the sizes */
xalloca(msgsizes, int *, sizeof(int) * fetchsizelimit);
*** pop2.c Wed Oct 15 19:17:43 2003
--- pop2.c Fri Jul 22 01:47:28 2005
***************
*** 61,66 ****
--- 61,67 ----
"HELO %s %s",
ctl->remotename, ctl->password);
shroud[0] = '\0';
+ return status;
}
static int pop2_getrange(int sock, struct query *ctl, const char *folder,
*** pop3.c Wed Oct 15 19:22:31 2003
--- pop3.c Fri Jul 22 01:44:00 2005
***************
*** 613,618 ****
--- 613,620 ----
return 0;
}
+ #define str(s) #s
+ #define UIDLFMT(n) "%d %" str(n) "s"
static int pop3_getuidl( int sock, int num , char *id)
{
int ok;
***************
*** 620,626 ****
gen_send(sock, "UIDL %d", num);
if ((ok = pop3_ok(sock, buf)) != 0)
return(ok);
! if (sscanf(buf, "%d %s", &num, id) != 2)
return(PS_PROTOCOL);
return(PS_SUCCESS);
}
--- 622,628 ----
gen_send(sock, "UIDL %d", num);
if ((ok = pop3_ok(sock, buf)) != 0)
return(ok);
! if (sscanf(buf, UIDLFMT(IDLEN), &num, id) != 2)
return(PS_PROTOCOL);
return(PS_SUCCESS);
}
***************
*** 862,868 ****
{
if (DOTLINE(buf))
break;
! else if (sscanf(buf, "%d %s", &num, id) == 2)
{
struct idlist *old, *new;
--- 864,870 ----
{
if (DOTLINE(buf))
break;
! else if (sscanf(buf, UIDLFMT(IDLEN), &num, id) == 2)
{
struct idlist *old, *new;
*** sink.c Fri Oct 10 22:06:36 2003
--- sink.c Fri Jul 22 01:42:23 2005
***************
*** 724,730 ****
/* see the ap computation under the SMTP branch */
fprintf(sinkfp,
! "MAIL FROM: %s", (msg->return_path[0]) ? msg->return_path : user);
if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT))
fputs(" BODY=8BITMIME", sinkfp);
--- 724,730 ----
/* see the ap computation under the SMTP branch */
fprintf(sinkfp,
! "MAIL FROM:%s", (msg->return_path[0]) ? msg->return_path : user);
if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT))
fputs(" BODY=8BITMIME", sinkfp);
*** smtp.c Wed Aug 6 03:30:18 2003
--- smtp.c Fri Jul 22 01:42:23 2005
***************
*** 232,244 ****
int ok;
char buf[MSGBUFSIZE];
! if (strchr(from, '<'))
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
#else
sprintf(buf,
#endif /* HAVE_SNPRINTF */
! "MAIL FROM: %s", from);
else
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
--- 232,244 ----
int ok;
char buf[MSGBUFSIZE];
! if (from[0]=='<')
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
#else
sprintf(buf,
#endif /* HAVE_SNPRINTF */
! "MAIL FROM:%s", from);
else
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
|
