Bug 257480 - mail/fetchmail: Update to 6.4.20 (security fix)
Summary: mail/fetchmail: Update to 6.4.20 (security fix)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Matthias Andree
URL: https://www.fetchmail.info/fetchmail-...
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-07-28 21:47 UTC by Matthias Andree
Modified: 2021-07-29 20:47 UTC (History)

See Also:
chalpin: maintainer-feedback+
mandree: merge-quarterly+


Attachments
/usr/ports update to take fetchmail to v6.4.20 (1.42 KB, patch)
2021-07-28 21:47 UTC, Matthias Andree

Description Matthias Andree freebsd_committer freebsd_triage 2021-07-28 21:47:11 UTC
Created attachment 226760 [details]
/usr/ports update to take fetchmail to v6.4.20

Hi Corey,

please review and if possible approve of the attached port update to fetchmail v6.4.20 to address a security vulnerability in some configurations.

vuxml entry already committed (not yet rendered):
https://cgit.freebsd.org/ports/commit/?id=b913df304c485ba61fc981f7e633b96d4b3ea492

release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long
  header contents, and depending on verbosity option, fetchmail can crash or
  misreport each first log message that requires a buffer reallocation.
  fetchmail then reallocates memory and re-runs vsnprintf() without another
  call to va_start(), so it reads garbage. The exact impact depends on
  many factors around the compiler and operating system configurations used and
  the implementation details of the stdarg.h interfaces of the two functions
  mentioned before. To fix CVE-2021-38386.

  Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.
---------------------------------------------------------------------------------
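The release notes above describe a bug class rather than a fetchmail-specific detail: a growable logging buffer whose sizing call to vsnprintf() consumes the va_list, after which the retry into the reallocated buffer formats from a spent argument list. The following is an added example, not fetchmail's code and not its actual patch; the function names, the 64-byte sizing buffer (chosen so that an ordinary header forces the retry, where fetchmail's threshold was about 2 kB) and the sample messages are this example's own. It places the buggy pattern beside the portable fix, which is to take a va_copy() before the sizing pass and keep the original list for the single real formatting pass.

```c
/*
 * Added example (not fetchmail's code): va_list reuse in a growable
 * vsnprintf() wrapper, the bug class behind fetchmail's 6.4.20 fix, and the
 * va_copy() fix for it. Names, buffer size and messages are this example's own.
 */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizing buffer: deliberately small so that a realistic header forces the
 * second, reallocating pass (fetchmail's threshold was about 2 kB). */
#define PROBE_SIZE 64

/* Buggy pattern: the second vsnprintf() walks a va_list that the first one
 * already consumed, which is undefined behaviour (C11 7.16.1p3). On x86-64
 * System V the spent list points past the real arguments, so the retry reads
 * stack garbage or faults. Kept for comparison; main() never lets it reach the
 * retry path. */
char *vformat_buggy(const char *fmt, va_list ap)
{
    char *buf = malloc(PROBE_SIZE);
    if (!buf) return NULL;
    int n = vsnprintf(buf, PROBE_SIZE, fmt, ap);
    if (n < 0) { free(buf); return NULL; }
    if (n >= PROBE_SIZE) {
        char *tmp = realloc(buf, (size_t)n + 1);
        if (!tmp) { free(buf); return NULL; }
        buf = tmp;
        vsnprintf(buf, (size_t)n + 1, fmt, ap);   /* BUG: ap is already spent */
    }
    return buf;
}

/* Fixed pattern: take a va_copy() before the sizing pass, spend the copy, and
 * keep the caller's list intact for the one real formatting pass. */
char *vformat_safe(const char *fmt, va_list ap)
{
    va_list probe_ap;
    char probe[PROBE_SIZE];
    va_copy(probe_ap, ap);
    int n = vsnprintf(probe, sizeof probe, fmt, probe_ap);
    va_end(probe_ap);
    if (n < 0) return NULL;
    char *buf = malloc((size_t)n + 1);
    if (!buf) return NULL;
    if (n < PROBE_SIZE)
        memcpy(buf, probe, (size_t)n + 1);       /* fit first time: reuse it */
    else
        vsnprintf(buf, (size_t)n + 1, fmt, ap);  /* untouched original list */
    return buf;
}

/* Variadic front end shared by both variants; returns a malloc'd string. */
char *format_with(char *(*vf)(const char *, va_list), const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *s = vf(fmt, ap);
    va_end(ap);
    return s;
}

/* Self-check for the safe variant: format a header whose value is `len` bytes
 * and verify the output byte for byte. Returns 1 on success, 0 otherwise. */
int check_growth(size_t len)
{
    static const char head[] = "X-Long-Header: ", tail[] = " [42]";
    char *value = malloc(len + 1);
    if (!value) return 0;
    memset(value, 'x', len);
    value[len] = '\0';
    char *msg = format_with(vformat_safe, "%s%s [%d]", head, value, 42);
    int ok = msg != NULL
          && strlen(msg) == sizeof head - 1 + len + sizeof tail - 1
          && memcmp(msg, head, sizeof head - 1) == 0
          && memcmp(msg + sizeof head - 1, value, len) == 0
          && strcmp(msg + sizeof head - 1 + len, tail) == 0;
    free(msg);
    free(value);
    return ok;
}

int main(void)
{
    /* Short message: both variants agree, because no retry is needed. */
    char *a = format_with(vformat_buggy, "poll %s: %d msg", "imap.example", 3);
    char *b = format_with(vformat_safe,  "poll %s: %d msg", "imap.example", 3);
    printf("buggy/short: %s\nsafe/short:  %s\n", a, b);
    free(a); free(b);
    /* A 3000-byte header value forces the retry; only the safe variant runs it. */
    printf("safe/3000-byte header: %s\n", check_growth(3000) ? "ok" : "FAIL");
    return 0;
}
```

Build with `cc -std=c11 -Wall -o vafix vafix.c`. The caveat in the release notes about compiler and OS dependence follows from the ABI: where va_list is a plain pointer into the caller's argument area (classic i386), the buggy retry may quietly produce the right text, while on x86-64 System V the register-save bookkeeping inside the va_list has been advanced and the retry reads beyond the real arguments. Code that "works" on one platform is therefore no evidence the pattern is sound; the fix is the va_copy(), which is standard since C99.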
Comment 1 Corey Halpin 2021-07-28 23:56:17 UTC
Comment on attachment 226760 [details]
/usr/ports update to take fetchmail to v6.4.20

Looks good to me, passes `poudriere testport`, built package works nicely in my testing. I approve this patch. Thank you!
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-29 02:29:23 UTC
^Triage: Reporter is committer, assign accordingly
Comment 3 commit-hook freebsd_committer freebsd_triage 2021-07-29 20:46:24 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dd81af38c7e2c6ab123601a2e524c99a20eb704d

commit dd81af38c7e2c6ab123601a2e524c99a20eb704d
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-07-28 21:38:42 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-07-29 20:45:20 +0000

    mail/fetchmail: security update to 6.4.20

    Security:       cbfd1874-efea-11eb-8fe9-036bd763ff35
    Security:       CVE-2021-36386
    Approved by:    Corey Halpin (maintainer)
    PR:             257480
    MFH:            2021Q3

 mail/fetchmail/Makefile | 4 ++--
 mail/fetchmail/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-07-29 20:46:25 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5310306bc3061893ee8cb07e83117a5b022b3af9

commit 5310306bc3061893ee8cb07e83117a5b022b3af9
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-07-28 21:38:42 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-07-29 20:46:05 +0000

    mail/fetchmail: security update to 6.4.20

    Security:       cbfd1874-efea-11eb-8fe9-036bd763ff35
    Security:       CVE-2021-36386
    Approved by:    Corey Halpin (maintainer)
    PR:             257480
    MFH:            2021Q3

    (cherry picked from commit dd81af38c7e2c6ab123601a2e524c99a20eb704d)

 mail/fetchmail/Makefile | 4 ++--
 mail/fetchmail/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)