
Bug#992054: marked as done (unblock: fetchmail/6.4.16-5)



Your message dated Tue, 10 Aug 2021 12:45:04 +0200
with message-id <3e0763b6-1665-c800-218c-80214c11d57c@debian.org>
and subject line Re: Bug#992054: unblock: fetchmail/6.4.16-5
has caused the Debian Bug report #992054,
regarding unblock: fetchmail/6.4.16-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992054
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi RMs,

I would like to ask for unblocking fetchmail, fixing a regression in
its last security fix. This is a one-liner, moving down an 'endif'.

[ Reason ]
partial_message_size_used was double incremented and messages got
truncated (the size limit reached much sooner).

[ Impact ]
Normal logging in all cases.

[ Tests ]
Local tests. Built on all architectures, piuparts are OK. But
autopkgtests are still running for arm64 and are already OK for all
other architectures.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock fetchmail/6.4.16-5

Thanks for consideration,
Laszlo/GCS
diff -Nru fetchmail-6.4.16/debian/changelog fetchmail-6.4.16/debian/changelog
--- fetchmail-6.4.16/debian/changelog	2021-07-29 00:18:56.000000000 +0200
+++ fetchmail-6.4.16/debian/changelog	2021-08-09 20:06:48.000000000 +0200
@@ -1,3 +1,10 @@
+fetchmail (6.4.16-5) unstable; urgency=medium
+
+  * Backport upstream regression fix for 6.4.20's security (CVE-2021-36386)
+    fix.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 09 Aug 2021 20:06:48 +0200
+
 fetchmail (6.4.16-4) unstable; urgency=high
 
   * Backport upstream security fix for CVE-2021-36386: denial of service or
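Review bot: the new changelog entry's wording "regression fix for 6.4.20's security (CVE-2021-36386) fix" is hard to parse on first read; suggest "Backport upstream fix for the regression introduced by the 6.4.20 security fix for CVE-2021-36386 (--logfile and message truncation)". The entry also gives no pointer to the upstream change; naming the commit id that appears on the added patch's From line (d3db2da1) would let a reviewer match the backport to upstream without opening the patch.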
diff -Nru fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch
--- fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch	1970-01-01 01:00:00.000000000 +0100
+++ fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch	2021-08-09 20:06:48.000000000 +0200
@@ -0,0 +1,76 @@
+From d3db2da1d13bd2419370ad96defb92eecb17064c Mon Sep 17 00:00:00 2001
+From: Matthias Andree <matthias.andree@gmx.de>
+Date: Mon, 9 Aug 2021 17:42:29 +0200
+Subject: [PATCH] Fix --logfile and message truncation issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Regression in 6.4.20's security fix (Git commit c546c829).
+
+We doubly incremented partial_message_size_used on modern systems
+(stdard.h/vsnprintf), once in report_vbuild() and then again in
+report_build(), so the 2nd and subsequent report_build() fragments
+landed too late in the buffer.  This will not cause overruns due to the
+reallocation prior to the vsnprintf/sprintf, but it write starts behind
+the '\0' byte, instead of right over it, so the string also gets
+truncated to the first fragment written with report_vbuild().
+
+Fix by moving the increment back into the #else...#endif part that does
+not use report_vbuild().
+
+Reported by: Jürgen Edner, Erik Christiansen
+---
+ NEWS     | 18 ++++++++++++++++++
+ report.c |  3 ++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 0cd3f968..b98f15d2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -64,6 +64,24 @@ removed from a 6.5.0 or newer release.)
+   for end-of-life OpenSSL versions may be removed even from patchlevel releases.
+ 
+ --------------------------------------------------------------------------------
++fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
++
++# REGRESSION FIX:
++* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
++  messages logged to buffered outputs, predominantly --logfile.
++
++  This also caused lines in the logfile to run into one another because
++  the fragment containing the '\n' line-end character was usually lost.
++
++  Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
++  interface), the length of log message fragments was added up twice, so
++  that these ended too deep into a freshly allocated buffer, after the '\0'
++  byte.  Unbuffered outputs flushed the fragments right away, which masked the
++  bug.
++
++  Reported by: Jürgen Edner, Erik Christiansen.
++
++--------------------------------------------------------------------------------
+ fetchmail-6.4.20 (not yet released):
+ 
+ # SECURITY FIX:
+diff --git a/report.c b/report.c
+index aea6b3ea..2db7d0a9 100644
+--- a/report.c
++++ b/report.c
+@@ -286,10 +286,11 @@ report_build (FILE *errfp, message, va_alist)
+     n = snprintf (partial_message + partial_message_size_used,
+ 		    partial_message_size - partial_message_size_used,
+ 		    message, a1, a2, a3, a4, a5, a6, a7, a8);
+-#endif
+ 
+     if (n > 0) partial_message_size_used += n;
+ 
++#endif
++
+     if (unbuffered && partial_message_size_used != 0)
+     {
+ 	partial_message_size_used = 0;
+-- 
+GitLab
+
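Review bot: the report.c hunk moves `#endif` below `if (n > 0) partial_message_size_used += n;`, so that increment now belongs only to the legacy snprintf branch visible in the context; the matching `#if`/vsnprintf branch, where the commit message says report_vbuild() already does the increment, lies outside the hunk, so confirm against the full report.c that the modern path still advances the offset exactly once and is not left without any increment. A hardening point on the visible lines: `snprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, ...)` returns the length the output would have had even when it is truncated, and `if (n > 0) partial_message_size_used += n;` adds that value unclamped, so the code relies entirely on the preceding reallocation (mentioned in the commit message, not shown here) to make truncation impossible; clamping `n` to the remaining space would make the invariant local. Minor: the commit message's "stdard.h" should read "stdarg.h", as the NEWS text has it.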
diff -Nru fetchmail-6.4.16/debian/patches/series fetchmail-6.4.16/debian/patches/series
--- fetchmail-6.4.16/debian/patches/series	2021-07-29 00:18:56.000000000 +0200
+++ fetchmail-6.4.16/debian/patches/series	2021-08-09 20:06:48.000000000 +0200
@@ -5,3 +5,4 @@
 09_fix_memory_leak_in_timeout_situation.patch
 10_update_manpage.patch
 11_fix_CVE-2021-38386.patch
+12_fix_logfile_and_message_truncation_issue.patch
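Review bot: the context line `11_fix_CVE-2021-38386.patch` names the CVE as 2021-38386, while the changelog and the new patch refer to CVE-2021-36386; that file name is pre-existing and not touched by this upload, but it should be corrected when the package is next changed so the series file matches the advisory it fixes. The new entry `12_fix_logfile_and_message_truncation_issue.patch` is correctly appended last, so it applies on top of the CVE patch it amends.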

--- End Message ---
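To make the mechanism in the patch description concrete, here is an added example in C; it is constructed for this page and is not fetchmail's code. It models a fragment-accumulating log buffer with an inner helper that advances the write offset (the report_vbuild() role), a regressed caller that advances it a second time, and a fixed caller that leaves the increment to the helper. All names (msgbuf, vbuild, build_buggy, build_fixed, assemble, last_line), the buffer sizes and the sample log fragments are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed miniature of a fragment-accumulating log buffer, modelled on
 * what the patch describes for fetchmail's report_build(). All names, sizes
 * and messages in this file are assumptions made for this example. */
struct msgbuf {
    char  *data;
    size_t size;   /* bytes allocated */
    size_t used;   /* bytes of text written so far, not counting the '\0' */
};

static void msgbuf_init(struct msgbuf *b)
{
    b->size = 64;
    b->data = malloc(b->size);
    b->data[0] = '\0';
    b->used = 0;
}

/* Grow the buffer until at least `need` bytes remain after the text written. */
static void msgbuf_reserve(struct msgbuf *b, size_t need)
{
    while (b->size - b->used < need) {
        b->size *= 2;
        b->data = realloc(b->data, b->size);
    }
}

/* Inner helper (the report_vbuild() role): format one fragment at the current
 * offset and advance `used` by the bytes written. */
static int vbuild(struct msgbuf *b, const char *fmt, va_list ap)
{
    va_list measure;
    va_copy(measure, ap);
    int n = vsnprintf(NULL, 0, fmt, measure);   /* length needed, excluding '\0' */
    va_end(measure);
    if (n < 0)
        return n;
    msgbuf_reserve(b, (size_t)n + 1);
    n = vsnprintf(b->data + b->used, b->size - b->used, fmt, ap);
    if (n > 0)
        b->used += (size_t)n;                   /* the helper already advances */
    return n;
}

/* Regressed caller: advances `used` a second time, so the next fragment is
 * written past the '\0' and the string ends after the first fragment. */
static int build_buggy(struct msgbuf *b, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vbuild(b, fmt, ap);
    va_end(ap);
    if (n > 0)
        b->used += (size_t)n;                   /* double increment */
    return n;
}

/* Fixed caller: the offset is advanced only inside vbuild(). */
static int build_fixed(struct msgbuf *b, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vbuild(b, fmt, ap);
    va_end(ap);
    return n;
}

/* Text of the last assembled line, kept for inspection by a caller or a test. */
static char last_line[256];

/* Assemble a three-fragment log line with the given caller and return the
 * length of the resulting C string, which is what a buffered writer emits. */
static size_t assemble(int (*build)(struct msgbuf *, const char *, ...))
{
    struct msgbuf b;
    msgbuf_init(&b);
    build(&b, "reading message %d", 7);
    build(&b, " of %d", 12);
    build(&b, " (%d octets)\n", 1234);
    size_t len = strlen(b.data);
    snprintf(last_line, sizeof last_line, "%s", b.data);
    free(b.data);
    return len;
}

int main(void)
{
    printf("fixed : %zu bytes: %s", assemble(build_fixed), last_line);
    printf("buggy : %zu bytes: %s\n", assemble(build_buggy), last_line);
    return 0;
}
```

Compiled and run, the fixed caller yields the complete 38-byte line, while the regressed caller yields only the 17-byte first fragment: the later fragments do land in the buffer, but after the terminator, so anything that writes the buffer out as a C string never sees them, which is the truncation and lost '\n' the NEWS entry describes. The write stays inside the allocation because the helper reserves space before formatting, matching the patch's note that the regression caused no overrun.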
--- Begin Message ---
Hi László,

On 10-08-2021 08:43, László Böszörményi (GCS) wrote:
> I would like to ask for unblocking fetchmail, fixing a regression in
> its last security fix. This is a one-liner, moving down an 'endif'.

bullseye is frozen [1] except for emergency uploads.

[1] https://lists.debian.org/debian-devel-announce/2021/07/msg00003.html

> [ Reason ]
> partial_message_size_used was double incremented and messages got
> truncated (the size limit reached much sooner).

This doesn't sound like "emergency", agree? I suggest you prepare a
point release update.

> Local tests. Built on all architectures, piuparts are OK. But
> autopkgtests are still running for arm64 and are already OK for all
> other architectures.

arm64 results may take some while as our ci.d.n hosts are blocked behind
the non-functional shim update.

Paul



--- End Message ---