Bug 170613 - [PATCH] mail/fetchmail: update to 6.3.21_1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Matthias Andree
Reported: 2012-08-13 22:00 UTC by Matthias Andree
Modified: 2012-08-27 18:50 UTC
Attachments
fetchmail-6.3.21_1.patch (2.08 KB, patch)
2012-08-13 22:00 UTC, Matthias Andree

Description Matthias Andree freebsd_committer freebsd_triage 2012-08-13 22:00:22 UTC
- Update to 6.3.21_1, with a security fix for NTLM auth (fixes a
  DoS/crash). Details to be disclosed later.

Added file(s):
- files/patch-3fbc7c

Port maintainer (chalpin@cs.wisc.edu) is cc'd.

Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports)
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2012-08-13 22:00:32 UTC
Responsible Changed
From-To: freebsd-ports-bugs->mandree

Submitter has GNATS access (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2012-08-13 22:00:35 UTC
Maintainer of mail/fetchmail,

Please note that PR ports/170613 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/170613

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 3 Edwin Groothuis freebsd_committer freebsd_triage 2012-08-13 22:00:37 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 4 Matthias Andree freebsd_committer freebsd_triage 2012-08-14 06:47:51 UTC
This has been assigned CVE-2012-3482.
Comment 5 Matthias Andree freebsd_committer freebsd_triage 2012-08-14 20:08:56 UTC
State Changed
From-To: feedback->suspended

needs more fixes to avoid reading from bad locations when dealing with 
the uDomain field in ntlmsubr.c (aka. Target Info).
Comment 6 Matthias Andree 2012-08-14 20:11:55 UTC
This is a multi-part message in MIME format.
Comment 7 Matthias Andree freebsd_committer freebsd_triage 2012-08-14 20:13:39 UTC
State Changed
From-To: suspended->feedback

back to feedback state
Comment 8 Matthias Andree 2012-08-15 00:17:33 UTC
If this gets committed, vuln.xml "affects version" data needs to be
adjusted, it is currently < 6.3.22.
Comment 9 dfilter service freebsd_committer freebsd_triage 2012-08-27 18:44:37 UTC
Author: mandree
Date: Mon Aug 27 17:44:23 2012
New Revision: 303238
URL: http://svn.freebsd.org/changeset/ports/303238

Log:
  Update fetchmail to 6.3.21_1, fixing CVE-2012-3482.
  Adjust VuXML database entry from < 6.3.22 to < 6.3.21_1.
  
  PR:		ports/170613
  Approved by:	maintainer timeout (14 days)
  Security:	http://www.vuxml.org/freebsd/83f9e943-e664-11e1-a66d-080027ef73ec.html
  Security:	CVE-2012-3482

Added:
  head/mail/fetchmail/files/patch-CVE-2012-3482   (contents, props changed)
Modified:
  head/mail/fetchmail/Makefile   (contents, props changed)
  head/security/vuxml/vuln.xml

Modified: head/mail/fetchmail/Makefile
==============================================================================
--- head/mail/fetchmail/Makefile	Mon Aug 27 17:43:38 2012	(r303237)
+++ head/mail/fetchmail/Makefile	Mon Aug 27 17:44:23 2012	(r303238)
@@ -12,6 +12,7 @@
 
 PORTNAME=	fetchmail
 PORTVERSION=	6.3.21
+PORTREVISION=	1
 CATEGORIES=	mail ipv6
 MASTER_SITES=	BERLIOS/${PORTNAME}/ \
 		SF/${PORTNAME}/branch_6.3/ \

Added: head/mail/fetchmail/files/patch-CVE-2012-3482
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/mail/fetchmail/files/patch-CVE-2012-3482	Mon Aug 27 17:44:23 2012	(r303238)
@@ -0,0 +1,53 @@
+diff --git a/ntlm.h b/ntlm.h
+index 1469633..ad83520 100644
+--- a/ntlm.h
++++ b/ntlm.h
+@@ -32,8 +32,8 @@ uint32        msgType;
+ tSmbStrHeader    uDomain;
+ uint32        flags;
+ uint8         challengeData[8];
+-uint8         reserved[8];
+-tSmbStrHeader    emptyString;
++uint32        context[2];
++tSmbStrHeader    targetInfo;
+ uint8         buffer[1024];
+ uint32        bufIndex;
+ }tSmbNtlmAuthChallenge;
+diff --git a/ntlmsubr.c b/ntlmsubr.c
+index f9d2733..63cbed8 100644
+--- a/ntlmsubr.c
++++ b/ntlmsubr.c
+@@ -55,7 +55,32 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto)
+     if ((result = gen_recv(sock, msgbuf, sizeof msgbuf)))
+ 	goto cancelfail;
+ 
+-    (void)from64tobits (&challenge, msgbuf, sizeof(challenge));
++    if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0
++	    || result < ((void *)&challenge.context - (void *)&challenge))
++    {
++	report (stderr, GT_("could not decode BASE64 challenge\n"));
++	/* We do not goto cancelfail; the server has already sent the
++	 * tagged reply, so the protocol exchange has ended, no need
++	 * for us to send the asterisk. */
++	return PS_AUTHFAIL;
++    }
++
++    /* validate challenge:
++     * - ident
++     * - message type
++     * - that offset points into buffer
++     * - that offset + length does not wrap
++     * - that offset + length is not bigger than buffer */
++    if (0 != memcmp("NTLMSSP", challenge.ident, 8)
++	    || challenge.msgType != 2
++	    || challenge.uDomain.offset > result
++	    || challenge.uDomain.offset + challenge.uDomain.len < challenge.uDomain.offset
++	    || challenge.uDomain.offset + challenge.uDomain.len > result)
++    {
++	report (stderr, GT_("NTLM challenge contains invalid data.\n"));
++	result = PS_AUTHFAIL;
++	goto cancelfail;
++    }
+ 
+     if (outlevel >= O_DEBUG)
+ 	dumpSmbNtlmAuthChallenge(stdout, &challenge);
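Review bot: The validation block in ntlmsubr.c bounds-checks only challenge.uDomain, while the ntlm.h part of this patch turns the header that follows it into a named tSmbStrHeader targetInfo, and the length test above guarantees only that the bytes before challenge.context were decoded. Any code that later follows targetInfo.offset and targetInfo.len needs the same three checks (offset within result, no wrap, offset + len within result) plus a minimum result that covers the targetInfo header itself. Separately, (void *)&challenge.context - (void *)&challenge depends on void-pointer arithmetic, which is a compiler extension; offsetof on the challenge struct type with member context states the same bound portably.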

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Aug 27 17:43:38 2012	(r303237)
+++ head/security/vuxml/vuln.xml	Mon Aug 27 17:44:23 2012	(r303238)
@@ -611,7 +611,7 @@ Note:  Please add new entries to the beg
     <affects>
       <package>
 	<name>fetchmail</name>
-	<range><ge>5.0.8</ge><lt>6.3.22</lt></range>
+	<range><ge>5.0.8</ge><lt>6.3.21_1</lt></range>
       </package>
     </affects>
     <description>
@@ -634,6 +634,7 @@ Note:  Please add new entries to the beg
     <dates>
       <discovery>2012-08-12</discovery>
       <entry>2012-08-14</entry>
+      <modified>2012-08-27</modified>
     </dates>
   </vuln>
 
Comment 10 Matthias Andree freebsd_committer freebsd_triage 2012-08-27 18:45:03 UTC
State Changed
From-To: feedback->closed

Committed after maintainer timeout (14 days; security)