Bug#787423: jessie-pu: package getmail4/4.46.0-1+debu8u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#787423: jessie-pu: package getmail4/4.46.0-1+debu8u1
From: Osamu Aoki <osamu@debian.org>
Date: Tue, 2 Jun 2015 00:36:27 +0900
Message-id: <[🔎] 20150601153627.GA2145@goofy.local>
Reply-to: Osamu Aoki <osamu@debian.org>, 787423@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This is related to CVE-2013-1752: poplib: Limit maximum line lengths to
2048 of Python. https://bugs.python.org/issue16041 introduced in Python
2.7.9

With python version of jessie bumped at the last moment to 2.7.9 as:

| python-defaults (2.7.9-1) unstable; urgency=medium
| 
|   * Bump version to 2.7.9.
| 
|  -- Matthias Klose <doko@debian.org>  Mon, 16 Mar 2015 23:32:04 +0100

This caused surprises to programs using the poplib.

 See https://bugs.debian.org/782614 (for now it is important bug but
                                     really grave one)

At least, getmail upstream thinks this arbitual untested limit of 2048
bytes is stupid.  The getmail upstream thinks 1MB is reasonable value.

He has added following effectively 1 line patch with the latest
release. (uploaded to sid)

I would like to apply this to the jessie package since this cause normal
users to loose capability to retrieve mail.

--- getmail-4.47.0/getmailcore/_retrieverbases.py       2015-02-26 10:10:44.000000000 +0900
+++ getmail-4.48.0/getmailcore/_retrieverbases.py       2015-06-01 23:49:04.499564781 +0900
@@ -233,6 +233,15 @@
 # Constant for POPSSL
 POP3_SSL_PORT = 995
 
+
+# Python added poplib._MAXLINE somewhere along the way.  As far as I can
+# see, it serves no purpose except to introduce bugs into any software
+# using poplib.  Any computer running Python will have at least some megabytes
+# of userspace memory; arbitrarily causing message retrieval to break if any
+# "line" exceeds 2048 bytes is absolutely stupid.
+poplib._MAXLINE = 1 << 20   # 1MB; decrease this if you're running on a VIC-20
+
+
 #
 # Mix-in classes
 #

I am not going to change anything else. (4.46.0 and 4.47.0 are the same
for this part.)

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'unstable'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Reply to:

Prev by Date: Bug#787391: transition: evolution-data-server
Next by Date: Bug#785376: transition: nettle
Previous by thread: Re: Pre-approval request for stable upload of python-reportlab
Next by thread: Bug#787423: jessie-pu: package getmail4/4.46.0-1+debu8u1 with debdiff
Index(es):
- Date
- Thread