Bug 145857

Summary: [security] mail/fetchmail denial of service (verbose mode)
Product: Ports & Packages Reporter: niels <niels>
Component: Individual Port(s)Assignee: Matthias Andree <mandree>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
fm.diff none

Description niels freebsd_committer freebsd_triage 2010-04-19 19:20:00 UTC 
Please refer to the following oss-security post that describes a denial of service vulnerability in fetchmail: http://seclists.org/oss-sec/2010/q2/76

fetchmail 6.3.17 will contain a fix for this issue but is not released. So perhaps the port maintainer can apply the proposed patch to our port (which is at 6.3.16)?

Niels

Fix: 

Apply proposed patch or upgrade to 6.3.17
How-To-Repeat: n/a
Comment 1 niels freebsd_committer freebsd_triage 2010-04-20 14:41:14 UTC 
Here is the latest version of the advisory:
http://fetchmail.berlios.de/fetchmail-SA-2010-01.txt
Niels
-- 

Niels Heinen
FreeBSD committer | www.freebsd.org
PGP: 0x5FE39B80
Comment 2 niels freebsd_committer freebsd_triage 2010-04-20 14:46:35 UTC 
Grr wrong.. it's here:
http://gitorious.org/fetchmail/fetchmail/blobs/raw/master/fetchmail-SA-2010-02.txt
Niels

-- 
Niels Heinen
FreeBSD committer | www.freebsd.org
PGP: 0x5FE39B80
Comment 3 dfilter service freebsd_committer freebsd_triage 2010-04-20 22:04:01 UTC 
niels       2010-04-20 21:03:51 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Documented the following vulnerabilities:
  - png: libpng decompression denial of service
  - e107: code execution and XSS vulnerabilities
  - pidgin: multiple remote denial of service vulnerabilities
  - fetchmail: denial of service vulnerability
  
  PR:             ports/145885
  PR:             ports/145857
  Approved by:    remko (secteam)
  Security:       CVE-2010-0996
  Security:       CVE-2010-0997
  Security:       CVE-2010-1167
  Security:       CVE-2010-0277
  Security:       CVE-2010-0420
  Security:       CVE-2010-0423
  Security:       CVE-2010-0205
  
  Revision  Changes    Path
  1.2143    +162 -1    ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 Matthias Andree freebsd_committer freebsd_triage 2010-04-22 14:54:23 UTC 
I propose the attached patch.

Corey (Cc'd for easier extraction of the patch), OK for you?
Comment 5 Matthias Andree freebsd_committer freebsd_triage 2010-04-22 14:55:48 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->mandree

I'll take it.
Comment 6 Matthias Andree freebsd_committer freebsd_triage 2010-04-22 14:56:16 UTC 
State Changed
From-To: open->feedback

Awaiting maintainer feedback.
Comment 7 Corey Halpin 2010-04-22 16:35:05 UTC 
On 2010-04-22, Matthias Andree wrote:
>I propose the attached patch.
>
>Corey (Cc'd for easier extraction of the patch), OK for you?

   Yes.

~crh
Comment 8 Matthias Andree freebsd_committer freebsd_triage 2010-04-22 19:18:58 UTC 
State Changed
From-To: feedback->open

feedback received; now waiting for mentor authorization to commit
Comment 9 dfilter service freebsd_committer freebsd_triage 2010-04-22 20:13:38 UTC 
mandree     2010-04-22 19:13:24 UTC

  FreeBSD ports repository

  Modified files:
    mail/fetchmail       Makefile 
  Added files:
    mail/fetchmail/files patch-CVE-2010-1167 
  Log:
  Security fix for CVE-2010-1167.
  
  This unbreaks the build, since this vulnerability is listed
  at http://www.vuxml.org/freebsd/09910d76-4c82-11df-83fb-0015587e2cc1.html.
  
  Add the recommended upstream patch.
  
  Bump PORTREVISION.
  
  PR: ports/145857
  Approved by: Corey Halpin (maintainer)
  Approved by: garga (mentor)
  
  Revision  Changes    Path
  1.208     +2 -0      ports/mail/fetchmail/Makefile
  1.1       +102 -0    ports/mail/fetchmail/files/patch-CVE-2010-1167 (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 10 Matthias Andree freebsd_committer freebsd_triage 2010-04-22 20:14:00 UTC 
State Changed
From-To: open->closed

Committed. Thanks!