Attachment #105390 for bug #145857

View | Details | Raw Unified | Return to bug 145857
Collapse All | Expand All

Lines 11-16 Link Here

(-)Makefile (+2 lines)
11		11
12	PORTNAME= fetchmail	12	PORTNAME= fetchmail
13	PORTVERSION= 6.3.16	13	PORTVERSION= 6.3.16
		14	PORTREVISION= 1
14	CATEGORIES= mail ipv6	15	CATEGORIES= mail ipv6
15	MASTER_SITES= ${MASTER_SITE_BERLIOS} \	16	MASTER_SITES= ${MASTER_SITE_BERLIOS} \
16	http://mandree.home.pages.de/fetchmail/:ma \	17	http://mandree.home.pages.de/fetchmail/:ma \
Lines 28-33 Link Here
28	USE_RC_SUBR= fetchmail	29	USE_RC_SUBR= fetchmail
29	FETCHMAILRC= ${PREFIX}/etc/fetchmailrc	30	FETCHMAILRC= ${PREFIX}/etc/fetchmailrc
30	SUB_FILES= pkg-message	31	SUB_FILES= pkg-message
		32	PATCH_STRIP= -p1
31		33
32	USE_BZIP2= yes	34	USE_BZIP2= yes
33	USE_GMAKE= yes	35	USE_GMAKE= yes




commit ec06293134b85876f9201d8a52b844c41581b2b3
Author: Matthias Andree <matthias.andree@gmx.de>
Date:   Sun Apr 18 18:01:38 2010 +0200

    SECURITY FIX: DoS on EILSEQ in report_*() in -vv and multibyte-locales.

diff --git a/rfc822.c b/rfc822.c
index 6f2dbf3..dbcda32 100644
--- a/rfc822.c
+++ b/rfc822.c
@@ -25,6 +25,7 @@ MIT license.  Compile with -DMAIN to build the demonstrator.
 #include  <stdlib.h>
 
 #include "fetchmail.h"
+#include "sdump.h"
 
 #ifndef MAIN
 #include "i18n.h"
@@ -74,9 +75,10 @@ char *reply_hack(
     }
 
 #ifndef MAIN
-    if (outlevel >= O_DEBUG)
-	report_build(stdout, GT_("About to rewrite %.*s...\n"),
-			(int)BEFORE_EOL(buf), buf);
+    if (outlevel >= O_DEBUG) {
+	report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf))));
+	xfree(cp);
+    }
 
     /* make room to hack the address; buf must be malloced */
     for (cp = buf; *cp; cp++)
@@ -211,9 +213,12 @@ char *reply_hack(
     }
 
 #ifndef MAIN
-    if (outlevel >= O_DEBUG)
-	report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
-			(int)BEFORE_EOL(buf), buf);
+    if (outlevel >= O_DEBUG) {
+	report_complete(stdout, GT_("...rewritten version is %s.\n"),
+			(cp = sdump(buf, BEFORE_EOL(buf))));
+	xfree(cp)
+    }
+
 #endif /* MAIN */
     *length = strlen(buf);
     return(buf);
diff --git a/uid.c b/uid.c
index fdc6f5d..d813bee 100644
--- a/uid.c
+++ b/uid.c
@@ -20,6 +20,7 @@
 
 #include "fetchmail.h"
 #include "i18n.h"
+#include "sdump.h"
 
 /*
  * Machinery for handling UID lists live here.  This is mainly to support
@@ -260,8 +261,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
 	if (uidlcount)
 	{
 	    report_build(stdout, GT_("Scratch list of UIDs:"));
-	    for (idp = scratchlist; idp; idp = idp->next)
-		report_build(stdout, " %s", idp->id);
+	    for (idp = scratchlist; idp; idp = idp->next) {
+		char *t = sdump(idp->id, strlen(idp->id));
+		report_build(stdout, " %s", t);
+		free(t);
+	    }
 	    if (!idp)
 		report_build(stdout, GT_(" <empty>"));
 	    report_complete(stdout, "\n");
@@ -517,8 +521,11 @@ void uid_swap_lists(struct query *ctl)
 	    report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
 	else
 	    report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname);
-	for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
-	    report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+	for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) {
+	    char *t = sdump(idp->id, strlen(idp->id));
+	    report_build(stdout, " %s = %d", t, idp->val.status.mark);
+	    free(t);
+        }
 	if (!idp)
 	    report_build(stdout, GT_(" <empty>"));
 	report_complete(stdout, "\n");
@@ -567,8 +574,11 @@ void uid_discard_new_list(struct query *ctl)
 	/* this is now a merged list! the mails which were seen in this
 	 * poll are marked here. */
 	report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
-	for (idp = ctl->oldsaved; idp; idp = idp->next)
-	    report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+	for (idp = ctl->oldsaved; idp; idp = idp->next) {
+	    char *t = sdump(idp->id, strlen(idp->id));
+	    report_build(stdout, " %s = %d", t, idp->val.status.mark);
+	    free(t);
+	}
 	if (!idp)
 	    report_build(stdout, GT_(" <empty>"));
 	report_complete(stdout, "\n");

Return to bug 145857

Added Link Here

(-)files/patch-CVE-2010-1167 (+102 lines)
1	commit ec06293134b85876f9201d8a52b844c41581b2b3
2	Author: Matthias Andree <matthias.andree@gmx.de>
3	Date: Sun Apr 18 18:01:38 2010 +0200
4
5	SECURITY FIX: DoS on EILSEQ in report_*() in -vv and multibyte-locales.
6
7	diff --git a/rfc822.c b/rfc822.c
8	index 6f2dbf3..dbcda32 100644
9	--- a/rfc822.c
10	+++ b/rfc822.c
11	@@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator.
12	#include <stdlib.h>
13
14	#include "fetchmail.h"
15	+#include "sdump.h"
16
17	#ifndef MAIN
18	#include "i18n.h"
19	@@ -74,9 +75,10 @@ char *reply_hack(
20	}
21
22	#ifndef MAIN
23	- if (outlevel >= O_DEBUG)
24	- report_build(stdout, GT_("About to rewrite %.*s...\n"),
25	- (int)BEFORE_EOL(buf), buf);
26	+ if (outlevel >= O_DEBUG) {
27	+ report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf))));
28	+ xfree(cp);
29	+ }
30
31	/* make room to hack the address; buf must be malloced */
32	for (cp = buf; *cp; cp++)
33	@@ -211,9 +213,12 @@ char *reply_hack(
34	}
35
36	#ifndef MAIN
37	- if (outlevel >= O_DEBUG)
38	- report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
39	- (int)BEFORE_EOL(buf), buf);
40	+ if (outlevel >= O_DEBUG) {
41	+ report_complete(stdout, GT_("...rewritten version is %s.\n"),
42	+ (cp = sdump(buf, BEFORE_EOL(buf))));
43	+ xfree(cp)
44	+ }
45	+
46	#endif /* MAIN */
47	*length = strlen(buf);
48	return(buf);
49	diff --git a/uid.c b/uid.c
50	index fdc6f5d..d813bee 100644
51	--- a/uid.c
52	+++ b/uid.c
53	@@ -20,6 +20,7 @@
54
55	#include "fetchmail.h"
56	#include "i18n.h"
57	+#include "sdump.h"
58
59	/*
60	* Machinery for handling UID lists live here. This is mainly to support
61	@@ -260,8 +261,11 @@ void initialize_saved_lists(struct query hostlist, const char idfile)
62	if (uidlcount)
63	{
64	report_build(stdout, GT_("Scratch list of UIDs:"));
65	- for (idp = scratchlist; idp; idp = idp->next)
66	- report_build(stdout, " %s", idp->id);
67	+ for (idp = scratchlist; idp; idp = idp->next) {
68	+ char *t = sdump(idp->id, strlen(idp->id));
69	+ report_build(stdout, " %s", t);
70	+ free(t);
71	+ }
72	if (!idp)
73	report_build(stdout, GT_(" <empty>"));
74	report_complete(stdout, "\n");
75	@@ -517,8 +521,11 @@ void uid_swap_lists(struct query *ctl)
76	report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
77	else
78	report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname);
79	- for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
80	- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
81	+ for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) {
82	+ char *t = sdump(idp->id, strlen(idp->id));
83	+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
84	+ free(t);
85	+ }
86	if (!idp)
87	report_build(stdout, GT_(" <empty>"));
88	report_complete(stdout, "\n");
89	@@ -567,8 +574,11 @@ void uid_discard_new_list(struct query *ctl)
90	/* this is now a merged list! the mails which were seen in this
91	* poll are marked here. */
92	report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
93	- for (idp = ctl->oldsaved; idp; idp = idp->next)
94	- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
95	+ for (idp = ctl->oldsaved; idp; idp = idp->next) {
96	+ char *t = sdump(idp->id, strlen(idp->id));
97	+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
98	+ free(t);
99	+ }
100	if (!idp)
101	report_build(stdout, GT_(" <empty>"));
102	report_complete(stdout, "\n");