Your message dated Tue, 10 Aug 2021 12:45:04 +0200
with message-id <3e0763b6-1665-c800-218c-80214c11d57c@debian.org>
and subject line Re: Bug#992054: unblock: fetchmail/6.4.16-5
has caused the Debian Bug report #992054,
regarding unblock: fetchmail/6.4.16-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
992054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992054
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: fetchmail/6.4.16-5
- From: László Böszörményi (GCS) <gcs@debian.org>
- Date: Tue, 10 Aug 2021 08:43:22 +0200
- Message-id: <CAKjSHr2mGzM5wDXcZD+kgB3Z-s16JxOWr0A0hCERXkh6T7SFUg@mail.gmail.com>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi RMs,

I would like to ask for unblocking fetchmail, fixing a regression in
its last security fix. This is a one liner, moving down an 'endif'.

[ Reason ]
partial_message_size_used was double incremented and messages got
truncated (the size limit reached much sooner).

[ Impact ]
Normal logging in all cases.

[ Tests ]
Local tests. Built on all architectures, piuparts are OK. But
autopkgtests are still running for arm64 and are already OK for all
other architectures.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock fetchmail/6.4.16-5

Thanks for consideration,
Laszlo/GCS

diff -Nru fetchmail-6.4.16/debian/changelog fetchmail-6.4.16/debian/changelog --- fetchmail-6.4.16/debian/changelog 2021-07-29 00:18:56.000000000 +0200 +++ fetchmail-6.4.16/debian/changelog 2021-08-09 20:06:48.000000000 +0200 @@ -1,3 +1,10 @@ +fetchmail (6.4.16-5) unstable; urgency=medium + + * Backport upstream regression fix for 6.4.20's security (CVE-2021-36386) + fix. + + -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Mon, 09 Aug 2021 20:06:48 +0200 + fetchmail (6.4.16-4) unstable; urgency=high * Backport upstream security fix for CVE-2021-36386: denial of service or diff -Nru fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch --- fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch 1970-01-01 01:00:00.000000000 +0100 +++ fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch 2021-08-09 20:06:48.000000000 +0200
@@ -0,0 +1,76 @@ +From d3db2da1d13bd2419370ad96defb92eecb17064c Mon Sep 17 00:00:00 2001 +From: Matthias Andree <matthias.andree@gmx.de> +Date: Mon, 9 Aug 2021 17:42:29 +0200 +Subject: [PATCH] Fix --logfile and message truncation issue. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Regression in 6.4.20's security fix (Git commit c546c829). + +We doubly incremented partial_message_size_used on modern systems +(stdard.h/vsnprintf), once in report_vbuild() and then again in +report_build(), so the 2nd and subsequent report_build() fragments +landed too late in the buffer. This will not cause overruns due to the +reallocation prior to the vsnprintf/sprintf, but it write starts behind +the '\0' byte, instead of right over it, so the string also gets +truncated to the first fragment written with report_vbuild(). + +Fix by moving the increment back into the #else...#endif part that does +not use report_vbuild(). + +Reported by: Jürgen Edner, Erik Christiansen +--- + NEWS | 18 ++++++++++++++++++ + report.c | 3 ++- + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index 0cd3f968..b98f15d2 100644 +--- a/NEWS ++++ b/NEWS +@@ -64,6 +64,24 @@ removed from a 6.5.0 or newer release.) + for end-of-life OpenSSL versions may be removed even from patchlevel releases. + + -------------------------------------------------------------------------------- ++fetchmail-6.4.21 (released 2021-08-09, 30042 LoC): ++ ++# REGRESSION FIX: ++* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of ++ messages logged to buffered outputs, predominantly --logfile. ++ ++ This also caused lines in the logfile to run into one another because ++ the fragment containing the '\n' line-end character was usually lost. 
++ ++ Reason is that on all modern systems (with <stdarg.h> header and vsnprintf() ++ interface), the length of log message fragments was added up twice, so ++ that these ended too deep into a freshly allocated buffer, after the '\0' ++ byte. Unbuffered outputs flushed the fragments right away, which masked the ++ bug. ++ ++ Reported by: Jürgen Edner, Erik Christiansen. ++ ++-------------------------------------------------------------------------------- + fetchmail-6.4.20 (not yet released): + + # SECURITY FIX: +diff --git a/report.c b/report.c +index aea6b3ea..2db7d0a9 100644 +--- a/report.c ++++ b/report.c +@@ -286,10 +286,11 @@ report_build (FILE *errfp, message, va_alist) + n = snprintf (partial_message + partial_message_size_used, + partial_message_size - partial_message_size_used, + message, a1, a2, a3, a4, a5, a6, a7, a8); +-#endif + + if (n > 0) partial_message_size_used += n; + ++#endif ++ + if (unbuffered && partial_message_size_used != 0) + { + partial_message_size_used = 0; +-- +GitLab + diff -Nru fetchmail-6.4.16/debian/patches/series fetchmail-6.4.16/debian/patches/series --- fetchmail-6.4.16/debian/patches/series 2021-07-29 00:18:56.000000000 +0200 +++ fetchmail-6.4.16/debian/patches/series 2021-08-09 20:06:48.000000000 +0200 @@ -5,3 +5,4 @@ 09_fix_memory_leak_in_timeout_situation.patch 10_update_manpage.patch 11_fix_CVE-2021-38386.patch +12_fix_logfile_and_message_truncation_issue.patch
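Review bot: in the report.c hunk, moving '#endif' below 'if (n > 0) partial_message_size_used += n;' makes that increment apply only to the legacy non-vsnprintf branch, so correctness of the modern <stdarg.h> path now rests entirely on report_vbuild() advancing partial_message_size_used itself, as the commit message says it does. A one-line comment at the increment stating that report_vbuild() owns the bookkeeping in the vsnprintf path would keep a later edit from reintroducing the double count, and a regression test that writes a multi-fragment line through a buffered --logfile and checks that the fragment carrying the '\n' survives would catch exactly this class of truncation.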
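Review bot: the NEWS hunk inside the backported patch carries the context lines 'fetchmail-6.4.20 (not yet released):' and '# SECURITY FIX:', which describe the 6.4.20 NEWS file rather than 6.4.16's; unless 11_fix_CVE-2021-38386.patch already added that section, this hunk applies only with fuzz or not at all. Since the functional change is confined to report.c, consider trimming the NEWS portion out of the Debian patch and letting d/changelog carry the description, which also makes the debdiff smaller for the release team to review.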
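Review bot: the new changelog entry and the patch header both name CVE-2021-36386, but the series context line shows the preceding patch as '11_fix_CVE-2021-38386.patch'; the digits in that filename do not match and will mislead anyone grepping the patch queue for the CVE. That filename is not part of this change, but it is worth correcting in the point-release update. In the changelog itself, 'regression fix for 6.4.20's security (CVE-2021-36386) fix' reads more clearly as 'fix for the regression introduced by the CVE-2021-36386 patch'.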
--- End Message ---
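The mechanism this request describes (a used-bytes counter incremented twice, so the next fragment is written past the '\0' that ends the current text and the buffered line is cut off at the first fragment) is easier to see in a reduced form. The following is an added example for this page, not fetchmail's report.c: a toy fragment accumulator whose inner routine already advances the used counter, in the style the commit message attributes to report_vbuild(), wrapped once the regressed way (a second increment) and once the fixed way, and fed a constructed three-fragment log line. The type and function names (partial_t, frag_vbuild, frag_build_regressed, frag_build_fixed, assemble) and the sample fragments are assumptions of this example.

```c
/* Added example, not fetchmail code: a toy fragment accumulator that
 * shows why counting each fragment twice truncates buffered log lines. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *buf;   /* growable partial message */
    size_t size;  /* bytes allocated */
    size_t used;  /* bytes written so far, not counting the '\0' */
} partial_t;

/* Format one fragment into the buffer, growing it first so the write
 * cannot overrun. Advances 'used' itself (the commit message says the
 * real report_vbuild() does this in the vsnprintf() path). Returns the
 * fragment length, or a negative value on error. */
static int frag_vbuild(partial_t *p, const char *fmt, va_list ap)
{
    va_list aq;
    int n;

    va_copy(aq, ap);
    n = vsnprintf(NULL, 0, fmt, aq);      /* measure the fragment */
    va_end(aq);
    if (n < 0)
        return n;
    if (p->used + (size_t)n + 1 > p->size) {
        size_t want = p->used + (size_t)n + 1;
        char *q = realloc(p->buf, want);  /* grow before writing */
        if (q == NULL)
            return -1;
        p->buf = q;
        p->size = want;
    }
    n = vsnprintf(p->buf + p->used, p->size - p->used, fmt, ap);
    if (n > 0)
        p->used += (size_t)n;             /* the one legitimate increment */
    return n;
}

/* Regressed wrapper: counts the fragment a second time, so the next
 * fragment lands beyond the '\0' that terminates the current text. */
static void frag_build_regressed(partial_t *p, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = frag_vbuild(p, fmt, ap);
    va_end(ap);
    if (n > 0)
        p->used += (size_t)n;             /* the extra increment */
}

/* Fixed wrapper: leaves the bookkeeping to frag_vbuild(). */
static void frag_build_fixed(partial_t *p, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    (void)frag_vbuild(p, fmt, ap);
    va_end(ap);
}

/* Assemble one constructed log line from three fragments, the way a
 * buffered --logfile would, and return the length a reader of the
 * buffer sees (strlen() stops at the first '\0'). */
static size_t assemble(void (*build)(partial_t *, const char *, ...),
                       char *out, size_t outsz)
{
    partial_t p = { NULL, 0, 0 };
    size_t len;

    build(&p, "%s: ", "fetchmail");                 /* constructed sample */
    build(&p, "reading message %d of %d", 3, 7);
    build(&p, "\n");
    len = p.buf ? strlen(p.buf) : 0;
    if (out != NULL)
        snprintf(out, outsz, "%s", p.buf ? p.buf : "");
    free(p.buf);
    return len;
}

size_t regressed_line_length(void) { return assemble(frag_build_regressed, NULL, 0); }
size_t fixed_line_length(void)     { return assemble(frag_build_fixed, NULL, 0); }

/* Does the fixed path reproduce the intended line byte for byte? */
int fixed_line_matches(void)
{
    char line[64];

    assemble(frag_build_fixed, line, sizeof line);
    return strcmp(line, "fetchmail: reading message 3 of 7\n") == 0;
}

int main(void)
{
    char line[64];

    assemble(frag_build_regressed, line, sizeof line);
    printf("regressed: %zu visible bytes: \"%s\"\n", regressed_line_length(), line);
    assemble(frag_build_fixed, line, sizeof line);
    printf("fixed:     %zu visible bytes: \"%s\"", fixed_line_length(), line);
    return 0;
}
```

With the regressed wrapper the buffer's visible content stays at the first fragment, "fetchmail: " (11 bytes), because the second and third fragments were written after the terminating '\0'; the fixed wrapper yields the full 34-byte line including the trailing '\n'. This is also why the default unbuffered output hid the bug, as the NEWS text in the patch explains: a path that flushes and zeroes the counter after every fragment never relies on the running total, so only buffered destinations such as --logfile were affected.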
--- Begin Message ---
- To: László Böszörményi (GCS) <gcs@debian.org>, 992054-done@bugs.debian.org
- Subject: Re: Bug#992054: unblock: fetchmail/6.4.16-5
- From: Paul Gevers <elbrus@debian.org>
- Date: Tue, 10 Aug 2021 12:45:04 +0200
- Message-id: <3e0763b6-1665-c800-218c-80214c11d57c@debian.org>
- In-reply-to: <CAKjSHr2mGzM5wDXcZD+kgB3Z-s16JxOWr0A0hCERXkh6T7SFUg@mail.gmail.com>
- References: <CAKjSHr2mGzM5wDXcZD+kgB3Z-s16JxOWr0A0hCERXkh6T7SFUg@mail.gmail.com>
Hi László,

On 10-08-2021 08:43, László Böszörményi (GCS) wrote:
> I would like to ask for unblocking fetchmail, fixing a regression in
> its last security fix. This is a one liner, moving down an 'endif'.

bullseye is frozen [1] except for emergency uploads.

[1] https://lists.debian.org/debian-devel-announce/2021/07/msg00003.html

> [ Reason ]
> partial_message_size_used was double incremented and messages got
> truncated (the size limit reached much sooner).

This doesn't sound like "emergency", agree? I suggest you prepare a point
release update.

> Local tests. Built on all architectures, piuparts are OK. But
> autopkgtests are still running for arm64 and are already OK for all
> other architectures.

arm64 results may take some while as our ci.d.n hosts are blocked behind
the non-functional shim update.

Paul
--- End Message ---