
Bug#787423: marked as done (jessie-pu: package getmail4/4.46.0-1+debu8u1)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #787423,
regarding jessie-pu: package getmail4/4.46.0-1+debu8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
787423: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787423
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This is related to CVE-2013-1752: poplib: Limit maximum line lengths to
2048 of Python. https://bugs.python.org/issue16041 introduced in Python
2.7.9

With the Python version of jessie bumped at the last moment to 2.7.9 as:

| python-defaults (2.7.9-1) unstable; urgency=medium
| 
|   * Bump version to 2.7.9.
| 
|  -- Matthias Klose <doko@debian.org>  Mon, 16 Mar 2015 23:32:04 +0100

This caused surprises to programs using the poplib.

 See https://bugs.debian.org/782614 (for now it is an important bug, but
                                     really a grave one)

At least, getmail upstream thinks this arbitrary untested limit of 2048
bytes is stupid.  The getmail upstream thinks 1MB is a reasonable value.

He has added the following effectively 1 line patch with the latest
release. (uploaded to sid)

I would like to apply this to the jessie package since this causes normal
users to lose the capability to retrieve mail.

--- getmail-4.47.0/getmailcore/_retrieverbases.py       2015-02-26 10:10:44.000000000 +0900
+++ getmail-4.48.0/getmailcore/_retrieverbases.py       2015-06-01 23:49:04.499564781 +0900
@@ -233,6 +233,15 @@
 # Constant for POPSSL
 POP3_SSL_PORT = 995
 
+
+# Python added poplib._MAXLINE somewhere along the way.  As far as I can
+# see, it serves no purpose except to introduce bugs into any software
+# using poplib.  Any computer running Python will have at least some megabytes
+# of userspace memory; arbitrarily causing message retrieval to break if any
+# "line" exceeds 2048 bytes is absolutely stupid.
+poplib._MAXLINE = 1 << 20   # 1MB; decrease this if you're running on a VIC-20
+
+
 #
 # Mix-in classes
 #
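
Review bot: the assignment to `poplib._MAXLINE` at module level changes a private standard-library global for every poplib user in the process as soon as `_retrieverbases` is imported, and the comment above it argues against the limit instead of documenting the override. The thread ties the 2048-byte limit to CVE-2013-1752, so the comment should state that the per-line bound is being raised to 1 MiB, not removed, and why that value was chosen. A named constant (for example a hypothetical `GETMAIL_POP_MAXLINE`) would make the override easier to find and tune than the bare `1 << 20`.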

I am not going to change anything else. (4.46.0 and 4.47.0 are the same
for this part.)

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'unstable'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
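
The effect of the `poplib._MAXLINE` override discussed in the message above, as an added example that is not part of the original thread or of getmail: it feeds a constructed POP3 transcript through an in-process socket pair and retrieves it under the stock 2048-byte limit and under the 1 MiB value. `PairPOP3` and `fetch_with_limit` are names assumed here for illustration.

```python
import poplib
import socket


class PairPOP3(poplib.POP3):
    """poplib client bound to an in-process socket (hypothetical helper)."""

    def __init__(self, sock):
        self._pair_sock = sock
        super().__init__("localhost")

    def _create_socket(self, timeout):
        # CPython's POP3.__init__ obtains its socket from this hook.
        return self._pair_sock


def fetch_with_limit(line_len, maxline):
    """RETR one constructed message whose longest line has line_len bytes."""
    saved = poplib._MAXLINE
    poplib._MAXLINE = maxline  # the same module global the patch overrides
    client_side, server_side = socket.socketpair()
    try:
        # Constructed server transcript: greeting, then the RETR reply.
        long_line = b"X-Long: " + b"a" * (line_len - 8)
        server_side.sendall(b"+OK ready\r\n+OK message follows\r\n"
                            + long_line + b"\r\n\r\nbody\r\n.\r\n")
        pop = PairPOP3(client_side)
        try:
            _resp, lines, _octets = pop.retr(1)
            return ("ok", max(len(l) for l in lines))
        except poplib.error_proto as exc:
            return ("error", str(exc))
    finally:
        poplib._MAXLINE = saved
        client_side.close()
        server_side.close()


if __name__ == "__main__":
    print(fetch_with_limit(2046, 2048))      # fits: 2046 bytes + CRLF
    print(fetch_with_limit(5000, 2048))      # rejected by the stock limit
    print(fetch_with_limit(5000, 1 << 20))   # accepted under the 1 MiB bound
```

The limit counts the trailing CRLF, so the longest line that passes is two bytes shorter than `_MAXLINE`; with the override a single line is still capped, at 1 MiB.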
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
