Fix --logfile and message truncation issue.

Regression in 6.4.20's security fix (Git commit c546c829).

We doubly incremented partial_message_size_used on modern systems
(stdard.h/vsnprintf), once in report_vbuild() and then again in
report_build(), so the 2nd and subsequent report_build() fragments
landed too late in the buffer.  This will not cause overruns due to the
reallocation prior to the vsnprintf/sprintf, but it write starts behind
the '\0' byte, instead of right over it, so the string also gets
truncated to the first fragment written with report_vbuild().

Fix by moving the increment back into the #else...#endif part that does
not use report_vbuild().

Reported by: Jürgen Edner, Erik Christiansen

1 files changed, 18 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 0cd3f968..b98f15d2 100644
--- a/NEWS
+++ b/NEWS
@@ -82,6 +82,24 @@ removed from a 6.5.0 or newer release.)
   server to test against. Use GSSAPI.
 
 --------------------------------------------------------------------------------
+fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
+
+# REGRESSION FIX:
+* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
+  messages logged to buffered outputs, predominantly --logfile.
+
+  This also caused lines in the logfile to run into one another because
+  the fragment containing the '\n' line-end character was usually lost.
+
+  Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
+  interface), the length of log message fragments was added up twice, so
+  that these ended too deep into a freshly allocated buffer, after the '\0'
+  byte.  Unbuffered outputs flushed the fragments right away, which masked the
+  bug.
+
+  Reported by: Jürgen Edner, Erik Christiansen.
+
+--------------------------------------------------------------------------------
 fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):
 
 # SECURITY FIX: