Bug#1120380: trixie-pu: package fetchmail/6.4.39-1+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: fetchmail@packages.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>, Matthias Andree <matthias.andree@gmx.de>, carnil@debian.org
Control: affects -1 + src:fetchmail
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Stable release managers, Laszlo, (CC upstream)
The time is a bit tight now given the window is closing this weekend for
uploads for the next trixie point release. I was looking at which minor
CVE fixes are open, and noticed that we have CVE-2025-61962 which
might be low enough to still get in, but I would like to have an ack
from Laszlo, otherwise a later point release is I guess fine.
[ Reason ]
fetchmail is prone to an SMTP client crash when authenticating against
a trusted but malicious or malfunctioning SMTP server. Details in
https://www.fetchmail.info/fetchmail-SA-2025-01.txt
This is CVE-2025-61962 and in Debian BTS tracked as #1117136.
[ Impact ]
fetchmail crash.
[ Tests ]
None in particular for this issue itself (as I have no setup available
making use of it). Laszlo?
I have uploaded the proposed package to debusine for further testing:
https://debusine.debian.net/debian/developers/work-request/229521/
[ Risks ]
Pick the upstream changes which are isolated for the changes in
smtp.c.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Check for malformed replies from the SMTP server, i.e. check in this
case for "334" responses not followed by the mandated blank after the
response code.
Regards,
Salvatore
diff -Nru fetchmail-6.4.39/debian/changelog fetchmail-6.4.39/debian/changelog
--- fetchmail-6.4.39/debian/changelog 2024-07-24 09:08:58.000000000 +0200
+++ fetchmail-6.4.39/debian/changelog 2025-11-08 14:51:41.000000000 +0100
@@ -1,3 +1,11 @@
+fetchmail (6.4.39-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Security fix: avoid NULL+1 deref on invalid AUTH reply (CVE-2025-61962)
+ (Closes: #1117136)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 08 Nov 2025 14:51:41 +0100
+
fetchmail (6.4.39-1) unstable; urgency=medium
* New upstream release.
diff -Nru fetchmail-6.4.39/debian/patches/09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch fetchmail-6.4.39/debian/patches/09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch
--- fetchmail-6.4.39/debian/patches/09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch 1970-01-01 01:00:00.000000000 +0100
+++ fetchmail-6.4.39/debian/patches/09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch 2025-11-08 14:50:14.000000000 +0100
@@ -0,0 +1,46 @@
+From: Matthias Andree <matthias.andree@gmx.de>
+Date: Fri, 3 Oct 2025 13:11:59 +0200
+Subject: Security fix: avoid NULL+1 deref on invalid AUTH reply
+Origin: https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8
+Bug-Debian: https://bugs.debian.org/1117136
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-61962
+
+When fetchmail receives a 334 reply from the SMTP server
+that does not contain the mandated blank after that response
+code, it will attempt reading from memory location 1, which
+will usually lead to a crash.
+
+The simpler fix would have been to check for four bytes "334 "
+instead of three bytes "334" but that would make malformed
+replies and those that don't match the expected reply code
+indistinguishable.
+---
+ smtp.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/smtp.c
++++ b/smtp.c
+@@ -92,6 +92,11 @@ static void SMTP_auth(int sock, char smt
+ }
+
+ p = strchr(tmp, ' ');
++ if (!p) {
++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
++ SMTP_auth_error(sock, "");
++ return;
++ }
+ p++;
+ /* (hmh) from64tobits will not NULL-terminate strings! */
+ if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) {
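Review bot: the new guard before `p++` only catches the case where `strchr(tmp, ' ')` finds no blank at all; a reply such as "334x y" has passed the preceding "334" code match, still contains a blank, and is now parsed from "y" rather than reported. Since the commit message rejects matching "334 " precisely to keep malformed and wrong-code replies distinguishable, testing `tmp[3] != ' '` after the code match and routing it through the same "Malformed server reply" report would cover that case without losing the distinction. Also, `SMTP_auth_error(sock, "")` is called with an empty message and relies on the `report()` line above for the user-visible text, whereas the existing path a few lines down passes `GT_("Bad base64 reply from server.\n")` directly; passing a short message here as well would keep the two error paths consistent.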
+@@ -145,6 +150,11 @@ static void SMTP_auth(int sock, char smt
+ }
+
+ p = strchr(tmp, ' ');
++ if (!p) {
++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
++ SMTP_auth_error(sock, "");
++ return;
++ }
+ p++;
+ if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) {
+ SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n"));
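Review bot: this `if (!p)` block is a verbatim copy of the one added to the first `strchr(tmp, ' ')` site above, with the same reliance on any blank rather than the blank at offset 3. A small static helper that validates the "334 " prefix, reports the malformed line and returns the payload pointer or NULL would let both call sites share one check, so that any later tightening of the blank-position test is applied in both places at once.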
diff -Nru fetchmail-6.4.39/debian/patches/series fetchmail-6.4.39/debian/patches/series
--- fetchmail-6.4.39/debian/patches/series 2023-01-10 03:29:55.000000000 +0100
+++ fetchmail-6.4.39/debian/patches/series 2025-11-08 14:48:49.000000000 +0100
@@ -2,3 +2,4 @@
04_invoke-rc.d.diff
07_properly_report_size_of_mailboxes.patch
08_remove_forced_OpenSSL_check.patch
+09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch
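As an added example, not fetchmail's code and not part of the bug report or the debdiff, the following C program parses SMTP AUTH "334" challenge replies with the guard the patch introduces and then decodes the base64 challenge. It goes one step beyond upstream: besides refusing a line with no blank at all, it also demands that the blank sit directly after the "334" code, so "334x y" is rejected instead of being parsed from "y". The function names (`parse_auth_challenge`, `b64_decode`, `classify`, `challenge_equals`) and the sample reply lines are this example's own; the samples are constructed, not captured from a real server.

```c
/* Added example (not fetchmail's code): parse SMTP AUTH "334" challenge
 * replies the way the patched smtp.c does, but refuse a line whose "334"
 * is not immediately followed by the mandated blank instead of doing the
 * unguarded strchr()+1 that CVE-2025-61962 describes, then decode the
 * base64 challenge. Function names are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum auth_reply { REPLY_CHALLENGE = 0, REPLY_OTHER_CODE = 1, REPLY_MALFORMED = 2 };

/* Decode base64 into out without NUL-terminating it (like from64tobits,
 * per the comment in smtp.c). Returns the decoded length, or -1 if a
 * non-base64 byte is met or out would overflow. Stops at CR/LF or '='. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in != '\0' && *in != '\r' && *in != '\n' && *in != '='; in++) {
        const char *q = strchr(tbl, *in);
        if (q == NULL)
            return -1;                         /* not a base64 character */
        acc = (acc << 6) | (unsigned int)(q - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen)
                return -1;                     /* caller's buffer is full */
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)n;
}

/* Classify one reply line; on a well-formed "334 <base64>" the decoded
 * challenge is left in chal and its length stored in *clen. */
static enum auth_reply parse_auth_challenge(const char *line,
                                            unsigned char *chal, size_t chalsz,
                                            int *clen)
{
    const char *p;

    *clen = 0;
    if (strncmp(line, "334", 3) != 0)
        return REPLY_OTHER_CODE;               /* e.g. "535 5.7.8 ..." */

    /* Vulnerable pattern: p = strchr(line, ' '); p++; with no NULL check.
     * For a bare "334\r\n" strchr() returns NULL and p++ yields address 1,
     * which from64tobits() then reads. The guard below is the fix; this
     * example is stricter than upstream and also demands the blank at
     * offset 3, so "334x y" is rejected rather than parsed from "y". */
    p = strchr(line, ' ');
    if (p == NULL || p != line + 3)
        return REPLY_MALFORMED;
    p++;

    *clen = b64_decode(p, chal, chalsz);
    if (*clen <= 0)                            /* "Bad base64 reply from server" */
        return REPLY_MALFORMED;
    return REPLY_CHALLENGE;
}

/* Convenience wrappers that return plain values for checking. */
static int classify(const char *line)
{
    unsigned char buf[256];
    int n;
    return (int)parse_auth_challenge(line, buf, sizeof buf, &n);
}

static int challenge_equals(const char *line, const char *expect)
{
    unsigned char buf[256];
    int n;
    if (parse_auth_challenge(line, buf, sizeof buf, &n) != REPLY_CHALLENGE)
        return 0;
    return (size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}

int main(void)
{
    static const char *const names[] = { "challenge", "other code", "malformed" };
    /* Constructed sample replies, not captured from a real server. */
    static const char *const samples[] = {
        "334 VXNlcm5hbWU6\r\n",                 /* AUTH LOGIN "Username:" prompt */
        "334 \r\n",                             /* empty challenge: no base64 data */
        "334\r\n",                              /* the CVE-2025-61962 trigger */
        "334x UGFzc3dvcmQ6\r\n",                /* blank present, but not after the code */
        "535 5.7.8 Authentication credentials invalid\r\n",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%.*s -> %s\n", (int)strcspn(samples[i], "\r\n"), samples[i],
               names[classify(samples[i])]);
    return 0;
}
```

The empty challenge "334 " is classified as malformed here because, as in the patched smtp.c, a decode result of zero bytes is treated as a bad base64 reply; a client that wants to accept an empty initial challenge would need to special-case that before the decode.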