Attachment #127348 for bug #171177

View | Details | Raw Unified | Return to bug 171177
Collapse All | Expand All

Lines 2-8 Link Here

(-)./Makefile (-3 / +2 lines)
2	# Date created: 25 Feb 2000	2	# Date created: 25 Feb 2000
3	# Whom: Ville Eerola <ve@sci.fi>	3	# Whom: Ville Eerola <ve@sci.fi>
4	#	4	#
5	# $FreeBSD: ports/mail/fetchmail/Makefile,v 1.222 2012/08/27 17:44:23 mandree Exp $	5	# $FreeBSD: head/mail/fetchmail/Makefile 303238 2012-08-27 17:44:23Z mandree $
6	#	6	#
7	# NOTE: The fetchmailconf program (an interactive program for	7	# NOTE: The fetchmailconf program (an interactive program for
8	# writing .fetchmailrc files) requires Python, Tk, X11, etc..	8	# writing .fetchmailrc files) requires Python, Tk, X11, etc..
Lines 11-18 Link Here
11	# want fetchmailconf to work, define the X11 option.	11	# want fetchmailconf to work, define the X11 option.
12		12
13	PORTNAME= fetchmail	13	PORTNAME= fetchmail
14	PORTVERSION= 6.3.21	14	PORTVERSION= 6.3.22
15	PORTREVISION= 1
16	CATEGORIES= mail ipv6	15	CATEGORIES= mail ipv6
17	MASTER_SITES= BERLIOS/${PORTNAME}/ \	16	MASTER_SITES= BERLIOS/${PORTNAME}/ \
18	SF/${PORTNAME}/branch_6.3/ \	17	SF/${PORTNAME}/branch_6.3/ \

Lines 1-2 Link Here

(-)./distinfo (-2 / +2 lines)
1	SHA256 (fetchmail-6.3.21.tar.xz) = dc1b92666df7bc4d6be3e66654e9894bcaa76527ea99183deabd9e11486e0f82	1	SHA256 (fetchmail-6.3.22.tar.xz) = 9ab51a851f79e16258f068e791c39e3e378a99927f70c9635132f4295d70b1a4
2	SIZE (fetchmail-6.3.21.tar.xz) = 1254704	2	SIZE (fetchmail-6.3.22.tar.xz) = 1260296

Lines 1-6 Link Here

(-)./files/fetchmail.in (-1 / +1 lines)
1	#!/bin/sh	1	#!/bin/sh
2	#	2	#
3	# $FreeBSD: ports/mail/fetchmail/files/fetchmail.in,v 1.11 2012/01/14 08:55:56 dougb Exp $	3	# $FreeBSD$
4	#	4	#
5		5
6	# PROVIDE: fetchmail	6	# PROVIDE: fetchmail

Lines 3-9 Link Here

(-)./files/fetchmailconf (-1 / +1 lines)
3	# Wrapper for the real fetchmailconf. Checks whether Python and Tkinter are	3	# Wrapper for the real fetchmailconf. Checks whether Python and Tkinter are
4	# installed, and runs the real fetchmailconf or alerts the user, as appropriate.	4	# installed, and runs the real fetchmailconf or alerts the user, as appropriate.
5	#	5	#
6	# $FreeBSD: ports/mail/fetchmail/files/fetchmailconf,v 1.7 2005/12/06 21:07:19 barner Exp $	6	# $FreeBSD$
7		7
8	LOCALBASE=@LOCALBASE@	8	LOCALBASE=@LOCALBASE@
9		9




diff --git a/ntlm.h b/ntlm.h
index 1469633..ad83520 100644
--- a/ntlm.h
+++ b/ntlm.h
@@ -32,8 +32,8 @@ uint32        msgType;
 tSmbStrHeader    uDomain;
 uint32        flags;
 uint8         challengeData[8];
-uint8         reserved[8];
-tSmbStrHeader    emptyString;
+uint32        context[2];
+tSmbStrHeader    targetInfo;
 uint8         buffer[1024];
 uint32        bufIndex;
 }tSmbNtlmAuthChallenge;
diff --git a/ntlmsubr.c b/ntlmsubr.c
index f9d2733..63cbed8 100644
--- a/ntlmsubr.c
+++ b/ntlmsubr.c
@@ -55,7 +55,32 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto)
     if ((result = gen_recv(sock, msgbuf, sizeof msgbuf)))
 	goto cancelfail;
 
-    (void)from64tobits (&challenge, msgbuf, sizeof(challenge));
+    if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0
+	    || result < ((void *)&challenge.context - (void *)&challenge))
+    {
+	report (stderr, GT_("could not decode BASE64 challenge\n"));
+	/* We do not goto cancelfail; the server has already sent the
+	 * tagged reply, so the protocol exchange has ended, no need
+	 * for us to send the asterisk. */
+	return PS_AUTHFAIL;
+    }
+
+    /* validate challenge:
+     * - ident
+     * - message type
+     * - that offset points into buffer
+     * - that offset + length does not wrap
+     * - that offset + length is not bigger than buffer */
+    if (0 != memcmp("NTLMSSP", challenge.ident, 8)
+	    || challenge.msgType != 2
+	    || challenge.uDomain.offset > result
+	    || challenge.uDomain.offset + challenge.uDomain.len < challenge.uDomain.offset
+	    || challenge.uDomain.offset + challenge.uDomain.len > result)
+    {
+	report (stderr, GT_("NTLM challenge contains invalid data.\n"));
+	result = PS_AUTHFAIL;
+	goto cancelfail;
+    }
 
     if (outlevel >= O_DEBUG)
 	dumpSmbNtlmAuthChallenge(stdout, &challenge);

Lines 1-4 Link Here

(-)./pkg-plist (-1 / +2 lines)
1	@comment $FreeBSD: ports/mail/fetchmail/pkg-plist,v 1.30 2011/07/09 10:07:49 crees Exp $	1	@comment $FreeBSD$
2	bin/fetchmail	2	bin/fetchmail
3	bin/fetchmailconf	3	bin/fetchmailconf
4	libexec/fetchmailconf.py	4	libexec/fetchmailconf.py
Lines 33-38 Link Here
33	%%NLS%%share/locale/ru/LC_MESSAGES/fetchmail.mo	33	%%NLS%%share/locale/ru/LC_MESSAGES/fetchmail.mo
34	%%NLS%%share/locale/sk/LC_MESSAGES/fetchmail.mo	34	%%NLS%%share/locale/sk/LC_MESSAGES/fetchmail.mo
35	%%NLS%%share/locale/sq/LC_MESSAGES/fetchmail.mo	35	%%NLS%%share/locale/sq/LC_MESSAGES/fetchmail.mo
		36	%%NLS%%share/locale/sv/LC_MESSAGES/fetchmail.mo
36	%%NLS%%share/locale/tr/LC_MESSAGES/fetchmail.mo	37	%%NLS%%share/locale/tr/LC_MESSAGES/fetchmail.mo
37	%%NLS%%share/locale/vi/LC_MESSAGES/fetchmail.mo	38	%%NLS%%share/locale/vi/LC_MESSAGES/fetchmail.mo
38	%%NLS%%share/locale/zh_CN/LC_MESSAGES/fetchmail.mo	39	%%NLS%%share/locale/zh_CN/LC_MESSAGES/fetchmail.mo

Return to bug 171177

Lines 1-53 Link Here

(-)./files/patch-CVE-2012-3482 (-53 lines)
1	diff --git a/ntlm.h b/ntlm.h
2	index 1469633..ad83520 100644
3	--- a/ntlm.h
4	+++ b/ntlm.h
5	@@ -32,8 +32,8 @@ uint32 msgType;
6	tSmbStrHeader uDomain;
7	uint32 flags;
8	uint8 challengeData[8];
9	-uint8 reserved[8];
10	-tSmbStrHeader emptyString;
11	+uint32 context[2];
12	+tSmbStrHeader targetInfo;
13	uint8 buffer[1024];
14	uint32 bufIndex;
15	}tSmbNtlmAuthChallenge;
16	diff --git a/ntlmsubr.c b/ntlmsubr.c
17	index f9d2733..63cbed8 100644
18	--- a/ntlmsubr.c
19	+++ b/ntlmsubr.c
20	@@ -55,7 +55,32 @@ int ntlm_helper(int sock, struct query ctl, const char proto)
21	if ((result = gen_recv(sock, msgbuf, sizeof msgbuf)))
22	goto cancelfail;
23
24	- (void)from64tobits (&challenge, msgbuf, sizeof(challenge));
25	+ if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0
26	+ \|\| result < ((void )&challenge.context - (void )&challenge))
27	+ {
28	+ report (stderr, GT_("could not decode BASE64 challenge\n"));
29	+ /* We do not goto cancelfail; the server has already sent the
30	+ * tagged reply, so the protocol exchange has ended, no need
31	+ * for us to send the asterisk. */
32	+ return PS_AUTHFAIL;
33	+ }
34	+
35	+ /* validate challenge:
36	+ * - ident
37	+ * - message type
38	+ * - that offset points into buffer
39	+ * - that offset + length does not wrap
40	+ * - that offset + length is not bigger than buffer */
41	+ if (0 != memcmp("NTLMSSP", challenge.ident, 8)
42	+ \|\| challenge.msgType != 2
43	+ \|\| challenge.uDomain.offset > result
44	+ \|\| challenge.uDomain.offset + challenge.uDomain.len < challenge.uDomain.offset
45	+ \|\| challenge.uDomain.offset + challenge.uDomain.len > result)
46	+ {
47	+ report (stderr, GT_("NTLM challenge contains invalid data.\n"));
48	+ result = PS_AUTHFAIL;
49	+ goto cancelfail;
50	+ }
51
52	if (outlevel >= O_DEBUG)
53	dumpSmbNtlmAuthChallenge(stdout, &challenge);