Bug#992063: bullseye-pu: package fetchmail/6.4.16-4+deb11u1
Hi RMs,
On Tue, Aug 10, 2021 at 4:21 PM László Böszörményi <gcs@debian.org> wrote:
> Asking for a fetchmail package update, fixing a regression in its last
> security fix. This is a one liner, moving down an 'endif'.
Another issue has emerged, a regression since Buster. With certain
configurations, fetchmail crashes immediately.
[ Reason ]
Some options don't always have a value, but the code tried to strdup() that non-existent value.
[ Impact ]
With such configurations, users can't use fetchmail anymore. The upstream
fix corrects the behaviour.
[ Tests ]
Local tests mostly, but the fix also went to Sid and it works for all users.
[ Risks ]
None.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in bullseye
[x] the issue is verified as fixed in unstable
Thanks for considering,
Laszlo/GCS
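As an added example, not fetchmail's or the maintainer's code, here is the optional-value merge from the [Reason] section and the 13_fix_envelope_segfault.patch macro written out as functions: a field that is explicitly disabled holds a sentinel pointer, which must be propagated by pointer and never handed to strdup() or free(). The sentinel value, merge_string() and release_string() are assumptions made for this example.

```c
/* Added example, not fetchmail code: sentinel-aware string merge modelled on
 * optmerge()'s STRING_MERGE. STRING_DISABLED's value is an assumption. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* "Option explicitly disabled": non-NULL, but not a string and not heap
 * memory, so it must never be read, copied or freed. */
#define STRING_DISABLED ((const char *)-1)

static const char *xstrdup(const char *s)
{
    char *copy = strdup(s);
    if (!copy) abort();                 /* out of memory: fail loudly */
    return copy;
}

/* Drop a merged field; skip free() when it holds the sentinel. */
void release_string(const char **fld)
{
    if (*fld && *fld != STRING_DISABLED)
        free((void *)*fld);
    *fld = NULL;
}

/* Same decision rule as the macro: with force, take h1 whenever it is set;
 * without force, take it only when h2 has nothing yet. The sentinel is
 * passed through by pointer instead of being strdup()'d (the pre-fix bug). */
void merge_string(const char **h2, const char *h1, int force)
{
    if (!(force ? h1 != NULL : *h2 == NULL))
        return;
    release_string(h2);
    if (h1 == STRING_DISABLED)
        *h2 = STRING_DISABLED;
    else if (h1)
        *h2 = xstrdup(h1);
}

/* 1 if the pre-fix macro would have handed this value to xstrdup():
 * it only tested for NULL, so the sentinel went straight to strdup(). */
int legacy_merge_would_strdup(const char *h1)
{
    return h1 != NULL;
}
```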
diff -Nru fetchmail-6.4.16/debian/changelog fetchmail-6.4.16/debian/changelog
--- fetchmail-6.4.16/debian/changelog 2021-07-29 00:18:56.000000000 +0200
+++ fetchmail-6.4.16/debian/changelog 2021-08-09 20:06:48.000000000 +0200
@@ -1,3 +1,11 @@
+fetchmail (6.4.16-4+deb11u1) bullseye; urgency=medium
+
+ * Backport upstream regression fix for 6.4.20's security (CVE-2021-36386)
+ fix.
+ * Fix envelope segmentation fault (closes: #992400).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Mon, 09 Aug 2021 20:06:48 +0200
+
fetchmail (6.4.16-4) unstable; urgency=high
* Backport upstream security fix for CVE-2021-36386: denial of service or
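Review bot: the first bullet of the new changelog entry records only "upstream regression fix for 6.4.20's security (CVE-2021-36386) fix" without naming the upstream release or commit, although the embedded patch header carries both (6.4.21, commit d3db2da1d13bd2419370ad96defb92eecb17064c); citing one of them, the way the second bullet cites #992400, makes the backport easier to trace later.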
diff -Nru fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch
--- fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch 1970-01-01 01:00:00.000000000 +0100
+++ fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch 2021-08-09 20:06:48.000000000 +0200
@@ -0,0 +1,76 @@
+From d3db2da1d13bd2419370ad96defb92eecb17064c Mon Sep 17 00:00:00 2001
+From: Matthias Andree <matthias.andree@gmx.de>
+Date: Mon, 9 Aug 2021 17:42:29 +0200
+Subject: [PATCH] Fix --logfile and message truncation issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Regression in 6.4.20's security fix (Git commit c546c829).
+
+We doubly incremented partial_message_size_used on modern systems
+(stdard.h/vsnprintf), once in report_vbuild() and then again in
+report_build(), so the 2nd and subsequent report_build() fragments
+landed too late in the buffer. This will not cause overruns due to the
+reallocation prior to the vsnprintf/sprintf, but it write starts behind
+the '\0' byte, instead of right over it, so the string also gets
+truncated to the first fragment written with report_vbuild().
+
+Fix by moving the increment back into the #else...#endif part that does
+not use report_vbuild().
+
+Reported by: Jürgen Edner, Erik Christiansen
+---
+ NEWS | 18 ++++++++++++++++++
+ report.c | 3 ++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 0cd3f968..b98f15d2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -64,6 +64,24 @@ removed from a 6.5.0 or newer release.)
+ for end-of-life OpenSSL versions may be removed even from patchlevel releases.
+
+ --------------------------------------------------------------------------------
++fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
++
++# REGRESSION FIX:
++* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
++ messages logged to buffered outputs, predominantly --logfile.
++
++ This also caused lines in the logfile to run into one another because
++ the fragment containing the '\n' line-end character was usually lost.
++
++ Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
++ interface), the length of log message fragments was added up twice, so
++ that these ended too deep into a freshly allocated buffer, after the '\0'
++ byte. Unbuffered outputs flushed the fragments right away, which masked the
++ bug.
++
++ Reported by: Jürgen Edner, Erik Christiansen.
++
++--------------------------------------------------------------------------------
+ fetchmail-6.4.20 (not yet released):
+
+ # SECURITY FIX:
+diff --git a/report.c b/report.c
+index aea6b3ea..2db7d0a9 100644
+--- a/report.c
++++ b/report.c
+@@ -286,10 +286,11 @@ report_build (FILE *errfp, message, va_alist)
+ n = snprintf (partial_message + partial_message_size_used,
+ partial_message_size - partial_message_size_used,
+ message, a1, a2, a3, a4, a5, a6, a7, a8);
+-#endif
+
+ if (n > 0) partial_message_size_used += n;
+
++#endif
++
+ if (unbuffered && partial_message_size_used != 0)
+ {
+ partial_message_size_used = 0;
+--
+GitLab
+
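Review bot: the report.c hunk moves `#endif` below `if (n > 0) partial_message_size_used += n;`, so on the stdarg/vsnprintf path the increment now happens only inside report_vbuild(), as the commit message describes; the part of the `#if` branch that calls report_vbuild() lies outside the hunk's context, so it is worth confirming in the patched source that nothing else in that branch also adjusts partial_message_size_used, otherwise the off-by-n truncation would remain. A quick functional check for the upload is to run with --logfile and confirm that multi-fragment lines end in '\n' and no longer run together, the symptom the NEWS entry describes.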
diff -Nru fetchmail-6.4.16/debian/patches/13_fix_envelope_segfault.patch fetchmail-6.4.16/debian/patches/13_fix_envelope_segfault.patch
--- fetchmail-6.4.16/debian/patches/13_fix_envelope_segfault.patch 1970-01-01 01:00:00.000000000 +0100
+++ fetchmail-6.4.16/debian/patches/13_fix_envelope_segfault.patch 2021-08-09 20:06:48.000000000 +0200
@@ -0,0 +1,13 @@
+diff --git a/fetchmail.c b/fetchmail.c
+index ac8e4607..71ecc1b0 100644
+--- a/fetchmail.c
++++ b/fetchmail.c
+@@ -996,7 +996,7 @@ static void optmerge(struct query *h2, struct query *h1, int force)
+ list_merge(&h2->antispam, &h1->antispam, force);
+
+ #define FLAG_MERGE(fld) do { if (force ? !!h1->fld : !h2->fld) h2->fld = h1->fld; } while (0)
+-#define STRING_MERGE(fld) do { if (force ? !!h1->fld : !h2->fld) { if (h2->fld) free((void *)h2->fld), h2->fld = 0; if (h1->fld) h2->fld = xstrdup(h1->fld); } } while (0)
++#define STRING_MERGE(fld) do { if (force ? !!h1->fld : !h2->fld) { if (h2->fld) free((void *)h2->fld), h2->fld = 0; if (h1->fld) { if (h1->fld != STRING_DISABLED) h2->fld = xstrdup(h1->fld); else h2->fld = STRING_DISABLED; } } } while (0)
+ STRING_MERGE(server.via);
+ FLAG_MERGE(server.protocol);
+ STRING_MERGE(server.service);
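Review bot: the new STRING_MERGE still runs `if (h2->fld) free((void *)h2->fld)` on any non-NULL h2->fld, and after this change h2->fld can legitimately hold STRING_DISABLED, so a later merge with force set would pass the sentinel to free() unless STRING_DISABLED points at freeable memory. Suggest guarding that branch too, e.g. `if (h2->fld && h2->fld != STRING_DISABLED) free((void *)h2->fld);`, or confirming from the definition of STRING_DISABLED that this cannot occur. Unlike 12_fix_logfile_and_message_truncation_issue.patch, this file also has no DEP-3 header (Origin, Bug-Debian: #992400, Author), so the upstream change it backports is not recorded.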
diff -Nru fetchmail-6.4.16/debian/patches/series fetchmail-6.4.16/debian/patches/series
--- fetchmail-6.4.16/debian/patches/series 2021-07-29 00:18:56.000000000 +0200
+++ fetchmail-6.4.16/debian/patches/series 2021-08-09 20:06:48.000000000 +0200
@@ -5,3 +5,5 @@
09_fix_memory_leak_in_timeout_situation.patch
10_update_manpage.patch
11_fix_CVE-2021-38386.patch
+12_fix_logfile_and_message_truncation_issue.patch
+13_fix_envelope_segfault.patch
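Review bot: the existing entry `11_fix_CVE-2021-38386.patch` carries a CVE number that differs from the one the changelog and the new patch cite (CVE-2021-36386); if the file name is a typo, it is worth noting in the changelog or correcting in a later upload so the patch can be found by its CVE id.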