
Bug#992063: bullseye-pu: package fetchmail/6.4.16-4+deb11u1



Package: release.debian.org
User: release.debian.org@packages.debian.org
Tags: bullseye
Severity: normal

Hi RMs,

Asking for a fetchmail package update, fixing a regression in its last
security fix. This is a one-liner, moving down an 'endif'.
The reason is that partial_message_size_used was incremented twice and
messages got truncated (the size limit was reached much sooner). The updated
package is already in Sid; I would like to get it into Bullseye too.

Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru fetchmail-6.4.16/debian/changelog fetchmail-6.4.16/debian/changelog
--- fetchmail-6.4.16/debian/changelog	2021-07-29 00:18:56.000000000 +0200
+++ fetchmail-6.4.16/debian/changelog	2021-08-09 20:06:48.000000000 +0200
@@ -1,3 +1,10 @@
+fetchmail (6.4.16-4+deb11u1) bullseye; urgency=medium
+
+  * Backport upstream regression fix for 6.4.20's security (CVE-2021-36386)
+    fix.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 09 Aug 2021 20:06:48 +0200
+
 fetchmail (6.4.16-4) unstable; urgency=high
 
   * Backport upstream security fix for CVE-2021-36386: denial of service or
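Review bot: the changelog entry `+  * Backport upstream regression fix for 6.4.20's security (CVE-2021-36386)` / `+    fix.` names the fix that regressed but not the user-visible symptom, which the embedded NEWS text spells out (messages logged to --logfile were truncated and lines ran into one another). Suggest stating it, e.g. `* Fix truncation of --logfile messages introduced by the CVE-2021-36386 fix (upstream regression fix from 6.4.21).`, so apt-listchanges readers can tell whether they are affected.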
diff -Nru fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch
--- fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch	1970-01-01 01:00:00.000000000 +0100
+++ fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch	2021-08-09 20:06:48.000000000 +0200
@@ -0,0 +1,76 @@
+From d3db2da1d13bd2419370ad96defb92eecb17064c Mon Sep 17 00:00:00 2001
+From: Matthias Andree <matthias.andree@gmx.de>
+Date: Mon, 9 Aug 2021 17:42:29 +0200
+Subject: [PATCH] Fix --logfile and message truncation issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Regression in 6.4.20's security fix (Git commit c546c829).
+
+We doubly incremented partial_message_size_used on modern systems
+(stdard.h/vsnprintf), once in report_vbuild() and then again in
+report_build(), so the 2nd and subsequent report_build() fragments
+landed too late in the buffer.  This will not cause overruns due to the
+reallocation prior to the vsnprintf/sprintf, but it write starts behind
+the '\0' byte, instead of right over it, so the string also gets
+truncated to the first fragment written with report_vbuild().
+
+Fix by moving the increment back into the #else...#endif part that does
+not use report_vbuild().
+
+Reported by: Jürgen Edner, Erik Christiansen
+---
+ NEWS     | 18 ++++++++++++++++++
+ report.c |  3 ++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 0cd3f968..b98f15d2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -64,6 +64,24 @@ removed from a 6.5.0 or newer release.)
+   for end-of-life OpenSSL versions may be removed even from patchlevel releases.
+ 
+ --------------------------------------------------------------------------------
++fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
++
++# REGRESSION FIX:
++* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
++  messages logged to buffered outputs, predominantly --logfile.
++
++  This also caused lines in the logfile to run into one another because
++  the fragment containing the '\n' line-end character was usually lost.
++
++  Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
++  interface), the length of log message fragments was added up twice, so
++  that these ended too deep into a freshly allocated buffer, after the '\0'
++  byte.  Unbuffered outputs flushed the fragments right away, which masked the
++  bug.
++
++  Reported by: Jürgen Edner, Erik Christiansen.
++
++--------------------------------------------------------------------------------
+ fetchmail-6.4.20 (not yet released):
+ 
+ # SECURITY FIX:
+diff --git a/report.c b/report.c
+index aea6b3ea..2db7d0a9 100644
+--- a/report.c
++++ b/report.c
+@@ -286,10 +286,11 @@ report_build (FILE *errfp, message, va_alist)
+     n = snprintf (partial_message + partial_message_size_used,
+ 		    partial_message_size - partial_message_size_used,
+ 		    message, a1, a2, a3, a4, a5, a6, a7, a8);
+-#endif
+ 
+     if (n > 0) partial_message_size_used += n;
+ 
++#endif
++
+     if (unbuffered && partial_message_size_used != 0)
+     {
+ 	partial_message_size_used = 0;
+-- 
+GitLab
+
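Review bot: the report.c hunk moves `#endif` below `if (n > 0) partial_message_size_used += n;`, so the increment now runs only on the legacy sprintf/snprintf branch; that is correct only if the report_vbuild() branch already advances the counter itself, as the commit message asserts, but report_vbuild() is not in this diff, so it cannot be verified from the hunk alone. Since this is a backport of a 6.4.21 commit onto 6.4.16 with the CVE-2021-36386 patch applied, it is worth confirming in the Bullseye tree that report_vbuild() there does the increment, and checking that a two-fragment line written with --logfile comes out whole. Minor: a DEP-3 `Origin:` line naming upstream commit d3db2da1d13bd2419370ad96defb92eecb17064c would make the provenance explicit for later maintainers, and the commit message's `stdard.h` is a typo for `stdarg.h` (the NEWS text has it right).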
diff -Nru fetchmail-6.4.16/debian/patches/series fetchmail-6.4.16/debian/patches/series
--- fetchmail-6.4.16/debian/patches/series	2021-07-29 00:18:56.000000000 +0200
+++ fetchmail-6.4.16/debian/patches/series	2021-08-09 20:06:48.000000000 +0200
@@ -5,3 +5,4 @@
 09_fix_memory_leak_in_timeout_situation.patch
 10_update_manpage.patch
 11_fix_CVE-2021-38386.patch
+12_fix_logfile_and_message_truncation_issue.patch
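Review bot: the existing entry `11_fix_CVE-2021-38386.patch` just above the new line is named for CVE-2021-38386, whereas the changelog, NEWS and commit message all refer to CVE-2021-36386; the transposed digits in the file name are pre-existing and do not affect the build, but correcting (or at least noting) them would make the two patch files obviously related when someone greps the source package for the CVE id.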
