
Bug#992063: marked as done (bullseye-pu: package fetchmail/6.4.16-4+deb11u1)



Your message dated Sat, 09 Oct 2021 12:09:40 +0100
with message-id <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 11.1
has caused the Debian Bug report #992063,
regarding bullseye-pu: package fetchmail/6.4.16-4+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992063: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992063
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Tags: bullseye
Severity: normal

Hi RMs,

Asking for a fetchmail package update, fixing a regression in its last
security fix. This is a one-liner, moving down an 'endif'.
The reason is that partial_message_size_used was double-incremented and
messages got truncated (the size limit was reached much sooner). The updated
package is already in Sid; I would like to get it for Bullseye too.

Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru fetchmail-6.4.16/debian/changelog fetchmail-6.4.16/debian/changelog
--- fetchmail-6.4.16/debian/changelog	2021-07-29 00:18:56.000000000 +0200
+++ fetchmail-6.4.16/debian/changelog	2021-08-09 20:06:48.000000000 +0200
@@ -1,3 +1,10 @@
+fetchmail (6.4.16-4+deb11u1) bullseye; urgency=medium
+
+  * Backport upstream regression fix for 6.4.20's security (CVE-2021-36386)
+    fix.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 09 Aug 2021 20:06:48 +0200
+
 fetchmail (6.4.16-4) unstable; urgency=high
 
   * Backport upstream security fix for CVE-2021-36386: denial of service or
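Review bot: the new changelog stanza says only that it backports "upstream regression fix for 6.4.20's security (CVE-2021-36386) fix" and does not tell a stable user what the regression did, nor which patch file implements it. For a stable update the symptom is what people search for, so state it in the entry, for example "Fix truncation of buffered log output (--logfile) and lost line ends introduced by the CVE-2021-36386 fix (12_fix_logfile_and_message_truncation_issue.patch)", and add a Closes: reference to this bug (#992063) so the upload is traceable from the BTS.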
diff -Nru fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch
--- fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch	1970-01-01 01:00:00.000000000 +0100
+++ fetchmail-6.4.16/debian/patches/12_fix_logfile_and_message_truncation_issue.patch	2021-08-09 20:06:48.000000000 +0200
@@ -0,0 +1,76 @@
+From d3db2da1d13bd2419370ad96defb92eecb17064c Mon Sep 17 00:00:00 2001
+From: Matthias Andree <matthias.andree@gmx.de>
+Date: Mon, 9 Aug 2021 17:42:29 +0200
+Subject: [PATCH] Fix --logfile and message truncation issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Regression in 6.4.20's security fix (Git commit c546c829).
+
+We doubly incremented partial_message_size_used on modern systems
+(stdard.h/vsnprintf), once in report_vbuild() and then again in
+report_build(), so the 2nd and subsequent report_build() fragments
+landed too late in the buffer.  This will not cause overruns due to the
+reallocation prior to the vsnprintf/sprintf, but it write starts behind
+the '\0' byte, instead of right over it, so the string also gets
+truncated to the first fragment written with report_vbuild().
+
+Fix by moving the increment back into the #else...#endif part that does
+not use report_vbuild().
+
+Reported by: Jürgen Edner, Erik Christiansen
+---
+ NEWS     | 18 ++++++++++++++++++
+ report.c |  3 ++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 0cd3f968..b98f15d2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -64,6 +64,24 @@ removed from a 6.5.0 or newer release.)
+   for end-of-life OpenSSL versions may be removed even from patchlevel releases.
+ 
+ --------------------------------------------------------------------------------
++fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
++
++# REGRESSION FIX:
++* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
++  messages logged to buffered outputs, predominantly --logfile.
++
++  This also caused lines in the logfile to run into one another because
++  the fragment containing the '\n' line-end character was usually lost.
++
++  Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
++  interface), the length of log message fragments was added up twice, so
++  that these ended too deep into a freshly allocated buffer, after the '\0'
++  byte.  Unbuffered outputs flushed the fragments right away, which masked the
++  bug.
++
++  Reported by: Jürgen Edner, Erik Christiansen.
++
++--------------------------------------------------------------------------------
+ fetchmail-6.4.20 (not yet released):
+ 
+ # SECURITY FIX:
+diff --git a/report.c b/report.c
+index aea6b3ea..2db7d0a9 100644
+--- a/report.c
++++ b/report.c
+@@ -286,10 +286,11 @@ report_build (FILE *errfp, message, va_alist)
+     n = snprintf (partial_message + partial_message_size_used,
+ 		    partial_message_size - partial_message_size_used,
+ 		    message, a1, a2, a3, a4, a5, a6, a7, a8);
+-#endif
+ 
+     if (n > 0) partial_message_size_used += n;
+ 
++#endif
++
+     if (unbuffered && partial_message_size_used != 0)
+     {
+ 	partial_message_size_used = 0;
+-- 
+GitLab
+
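Review bot: the NEWS part of the backported upstream commit (the `diff --git a/NEWS b/NEWS` hunk) is anchored on context lines from an upstream 6.4.20 NEWS section (`fetchmail-6.4.20 (not yet released):`, `# SECURITY FIX:`) that a 6.4.16 tarball only contains if 11_fix_CVE-2021-38386.patch also carried upstream's NEWS change; if it did not, quilt will refuse this patch at build time. Since that hunk is documentation only, the safe option is to drop it from the Debian patch and keep just the report.c hunk. The report.c change itself reads correctly: moving `#endif` below `if (n > 0) partial_message_size_used += n;` confines the increment to the snprintf fallback branch, which matches the commit message's explanation that report_vbuild() already accounts for the fragment length on the vsnprintf path, and the `n > 0` guard still protects against a negative return. The git format-patch header satisfies DEP-3, but a `Bug-Debian:` line pointing at this report would make the provenance of the backport obvious to the next maintainer.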
diff -Nru fetchmail-6.4.16/debian/patches/series fetchmail-6.4.16/debian/patches/series
--- fetchmail-6.4.16/debian/patches/series	2021-07-29 00:18:56.000000000 +0200
+++ fetchmail-6.4.16/debian/patches/series	2021-08-09 20:06:48.000000000 +0200
@@ -5,3 +5,4 @@
 09_fix_memory_leak_in_timeout_situation.patch
 10_update_manpage.patch
 11_fix_CVE-2021-38386.patch
+12_fix_logfile_and_message_truncation_issue.patch
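Review bot: the existing context line names the previous security patch `11_fix_CVE-2021-38386.patch`, while the changelog, the new patch and the NEWS text all refer to CVE-2021-36386. The file name itself is unchanged by this hunk, so nothing breaks here, but anyone auditing the package for CVE-2021-36386 will not find a patch by that id; confirm which identifier is the correct one and rename the file (updating `series`) in the next upload so the patch queue and the changelog agree.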

--- End Message ---
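To make the double increment described in the request and in the upstream commit message concrete, here is an added, constructed C model of fetchmail's fragment buffer. It is not fetchmail's code: the globals mirror the names in the report.c hunk, but `model_vbuild()`, `model_build()`, `assemble_line()` and `bytes_claimed()` are stand-ins written for this page, and the three-fragment log line is a constructed sample. With `double_increment` set, the caller adds the fragment length a second time after the vbuild stand-in has already added it, so the next fragment is written past the terminating '\0' and the assembled line is truncated to the first fragment, exactly the --logfile symptom the NEWS entry describes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the fragment buffer in fetchmail's report.c.
 * The names mirror the ones in the patch; this is an illustration written
 * for this page, not the project's own code. */
static char *partial_message = NULL;
static size_t partial_message_size = 0;
static size_t partial_message_size_used = 0;

/* Start a fresh, deliberately small buffer so that a realloc() happens. */
static void reset_buffer(void)
{
    free(partial_message);
    partial_message_size = 16;
    partial_message = calloc(partial_message_size, 1);
    if (!partial_message) abort();
    partial_message_size_used = 0;
}

/* Stand-in for the vsnprintf-era report_vbuild(): grow the buffer as
 * needed, write one fragment at the current offset and, crucially, add
 * the fragment length to partial_message_size_used itself. */
static int model_vbuild(const char *fmt, va_list ap)
{
    va_list ap2;
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap2);       /* measure the fragment first */
    va_end(ap2);
    if (n < 0)
        return n;

    size_t need = partial_message_size_used + (size_t)n + 1;
    if (need > partial_message_size) {          /* reallocation happens before the write */
        char *p = realloc(partial_message, need * 2);
        if (!p) abort();
        partial_message = p;
        partial_message_size = need * 2;
    }
    vsnprintf(partial_message + partial_message_size_used,
              partial_message_size - partial_message_size_used, fmt, ap);
    partial_message_size_used += (size_t)n;     /* the increment that already happens here */
    return n;
}

/* Stand-in for report_build(). With double_increment set it repeats the
 * defect the patch removes: the caller adds n a second time, so the next
 * fragment lands n bytes past the terminating '\0' instead of on top of it. */
static void model_build(int double_increment, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = model_vbuild(fmt, ap);
    va_end(ap);
    if (double_increment && n > 0)
        partial_message_size_used += (size_t)n;
}

/* Assemble one log line from three fragments, the way a line is built
 * piecewise before being flushed; returns the text as a reader of the
 * buffer (e.g. an fputs() to --logfile) would see it. Constructed sample. */
const char *assemble_line(int double_increment)
{
    reset_buffer();
    model_build(double_increment, "fetchmail: ");
    model_build(double_increment, "%d messages for %s", 3, "alice");
    model_build(double_increment, "\n");
    return partial_message;
}

/* How many bytes the buffer believes are in use after assemble_line(). */
size_t bytes_claimed(void)
{
    return partial_message_size_used;
}

int main(void)
{
    const char *fixed = assemble_line(0);
    printf("fixed: used=%zu strlen=%zu text=[%s]\n",
           bytes_claimed(), strlen(fixed), fixed);
    const char *buggy = assemble_line(1);
    printf("buggy: used=%zu strlen=%zu text=[%s]\n",
           bytes_claimed(), strlen(buggy), buggy);
    return 0;
}
```

In the fixed mode the three fragments are contiguous and the line ends with its '\n'; in the double-increment mode the buffer claims twice as many bytes as were written, the '\0' after "fetchmail: " is never overwritten, and the bytes between the fragments are whatever realloc() left there. That is why the commit message can say there is no overrun (the reallocation is sized from the inflated count) while the visible string is still cut at the first fragment and the line end is lost.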
--- Begin Message ---
Package: release.debian.org
Version: 11.1

Hi,

The updates relating to these bugs were included in this morning's 11.1
point release for bullseye.

Regards,

Adam

--- End Message ---
