Update fetchmail-SA-2021-01.txt with info on regression fix. v1.3.

1 files changed, 40 insertions, 22 deletions

diff --git a/fetchmail-SA-2021-01.txt b/fetchmail-SA-2021-01.txt
index 2a5ca262..3ad2b47e 100644
--- a/fetchmail-SA-2021-01.txt
+++ b/fetchmail-SA-2021-01.txt
@@ -6,8 +6,8 @@ fetchmail-SA-2021-01: DoS or information disclosure logging long messages
 Topics:		fetchmail denial of service or information disclosure when logging long messages
 
 Author:		Matthias Andree
-Version:	1.2
-Announced:	2021-07-28 (original), 2021-08-03 (last update)
+Version:	1.3
+Announced:	2021-07-28 (original), 2021-08-09 (last update)
 Type:		missing variable initialization can cause read from bad memory
 		locations
 Impact:		fetchmail logs random information, or segfaults and aborts,
@@ -23,15 +23,18 @@ Project URL:	https://www.fetchmail.info/
 
 Affects:	- fetchmail releases up to and including 6.3.8
 		- fetchmail releases 6.3.17 up to incl. 6.4.19
+		  (but note 6.4.20 regresses for buffered output,
+		   f.i. with --logfile)
 
-Not affected:	- fetchmail releases 6.4.20 and newer
+Not affected:	- fetchmail releases 6.4.21 and newer
+		  (fetchmail 6.4.20 fixes the immediate bug but regresses
+		   and causes message truncation on buffered output)
 		- fetchmail releases 6.3.9 to 6.3.16
 
-Corrected in:	c546c829 Git commit hash
-		2021-07-28 fetchmail 6.4.20 release tarball
+Corrected in:	c546c829 + d3db2da1 Git commit hash (both needed)
+		2021-08-09 fetchmail 6.4.21 release tarball
 		2021-08-03 7.0.0-alpha9/6.5.0-beta4 snapshots
 
-
 0. Release history
 ==================
 
@@ -39,6 +42,7 @@ Corrected in:	c546c829 Git commit hash
 2021-07-28 1.0	release
 2021-07-28 1.1	update Git commit hash with correction
 2021-08-03 1.2  add references to CVE-2008-2711/fetchmail-SA-2008-01
+2021-08-09 1.3  mention buffered logging regression (--logfile)
 
 
 1. Background
@@ -71,7 +75,7 @@ some systems log literally "(null)", some systems trigger SIGSEGV (signal
 #11), which crashes fetchmail, causing a denial of service on fetchmail's end.
 
 The same bug then named CVE-2008-2711 had already been fixed in fetchmail 6.3.9,
-but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010) 
+but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010)
 reintroduced the bug.
 Fetchmail versions 6.4.19 and older are no longer supported, however.
 
@@ -81,17 +85,31 @@ The bugfix used in 6.4.20 uses a different, more thorough, approach.
 3. Solution
 ===========
 
-Install fetchmail 6.4.20 or newer.
+Install fetchmail 6.4.21 or newer.
 
 The fetchmail source code is available from
 <https://sourceforge.net/projects/fetchmail/files/>.
 
 Distributors are encouraged to review the NEWS file and move forward to
-6.4.20, rather than backport individual security fixes, because doing so
+6.4.21, rather than backport individual security fixes, because doing so
 routinely misses other fixes crucial to fetchmail's proper operation,
 for which no security announcements are issued, or documentation,
 or translation updates.
 
+The regression fix for the new non-security bug in 6.4.20 that causes
+log message truncation simply consists of editing report.c to rotate lines 289 
+through 291, such that the /corrected/ report.c then looks like this:
+
+   286	    n = snprintf (partial_message + partial_message_size_used,
+   287			    partial_message_size - partial_message_size_used,
+   288			    message, a1, a2, a3, a4, a5, a6, a7, a8);
+   289
+   290	    if (n > 0) partial_message_size_used += n;
+   291	#endif
+   292
+   293	    if (unbuffered && partial_message_size_used != 0)
+
+
 Fetchmail 6.4.X releases have been made with a focus on unchanged user and
 program interfaces so as to avoid disruptions when upgrading from 6.3.Z or
 6.4.X to 6.4.Y with Y > X.  Care was taken to not change the interface
@@ -114,17 +132,17 @@ Use the information herein at your own risk.
 END of fetchmail-SA-2021-01
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEJW1kACgkQ5BKxVu/z
-hVrcow//VOWtxFhC1H/BSUsyrx4n+vXJjpBxgu9uK/1RlA7//Bldh8y7X6XgfeBp
-yEKwW71ecdLv4GAzDYoQ5ejrIWwjwkP4hOpFFrXBfv542qgUNIBXCJIkm8Ws4bF2
-IjWWfHqHrvQLaxdZ9R00GPr+3cKsc8OHjkq2tX23uBBgQ4xPn/Q6veBbm/Ok9lUn
-Oge7ffn4eiHZ1d04sH/SyB6raEQuXyCAYVT1a2BBPiMUwsKBDj/LF7OtBrpRbdr9
-Sc1McL99w1lE85j1BI8xRFCmx+FuK2QQBfi1zst99b3IV+MYRC2vuowieMdzy37M
-Wf6TtVWwWoZdxrRG0LIok43Kn4pklrFA67Wk4vCepxULOvlMPUsiCsv5TBJOdq2I
-oLXpquSYz20BxyS3OxS2uu5WgD9IWMOJIn7ZoA8GqHLgSvClmD11njvQJq7bCUNu
-SP6DC+WWbwoWM1oYZS2IHVccIh/rMvu2nptRz6adVASMebnY7rZCveN0YmcSXBUU
-RbCW1cav1VO+BPvlV3AIX6VEjv7q9s839AieLTCkdar7LKf/ktKXQlNAtqbnPW5Q
-O7ujhs+VvjlB7IfjhnoF77tu5NDtktTGgyW37XQPPLwpgpyvEyEWmzvB4hoxrWfV
-+WNNfwmc6sUEs4hzgBmgtaX2exBvWscKk5xe5ks5ULRLJLZ9PnY=
-=NnuJ
+iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmERUo4ACgkQ5BKxVu/z
+hVrq4RAAnvtDbwEvjSEWFVvmZTG7qcrOxAs1SCb+dp33PKy8EPfzE3vjCHEsrwRv
+XjX6dKWK61wG7+7kGUyeNlBXASWso2BSR9TypRVi2PXK5aKUgSi0qs0eGpR11jnx
+QN9b96rklFb6odJVua/PwWKUG6vBILX1o8DgvoMX4B5S7LipgD/gecuqQyD0t0l5
+TSyJZRaU763B7c4sZjuEwXtfqA49AbBSICq7qAbOa5R695ZelDvFgV3HHCoJIZqN
+W2gMtsfCDboyViDf5jHllnbUmAl4bPCHOOcC53zfsESL37/pNYxgAsY2RHyWyhbU
+yqVNH/0XTA5UxjN3i81mPbIo0oPI1Yejsbk+V73bI8hBaDtwqZ3BtU/gRYN5ODQi
+w2DokSJ5cju7mDX4Ua05ee5n7U3291SJIc/XiMRDh2FauRM1JF2TeLwtgN0iwLM/
+OxZZSjtLrb/X2noBa3jRbJ5sho94mw/suW5jyuVAxKZzJCzgp45f7AeuqtvzYi1X
+0TWLwQCEjoPBAySpdi36AZmJfiY2gfFgVSXlE5Piekg4n/QRRn+Qt9227WKJKkH2
+IwTqDIBkvjHXMnmNZTHLf28kKesF0BfYMpo9kDn+Cg4Gln4r0T4zRBB8HwljWfnx
+j/4EAI+Nl9NpZ+xZFJe3YBJeOsXpSc+MAqK6tNWK4sKDCzHtnVU=
+=NnPX
 -----END PGP SIGNATURE-----