-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | configure.ac | 5 | ||||
-rw-r--r-- | fetchmail-SA-2008-01.txt | 59 | ||||
-rw-r--r-- | report.c | 4 |
4 files changed, 54 insertions, 16 deletions
@@ -61,6 +61,8 @@ fetchmail 6.3.9 (not yet released): random memory location (it calls va_arg() too often without resetting it with va_start()). Based on a patch (BerliOS patch #2492) by Petr Uzel, fixes Novell Bug #354291. + Note 6.3.9-rc1 did not completely fix this issue, so it was redrawn a few + hours after its release. See also fetchmail-SA-2008-01.txt. * When expunging, mark the right messages as seen to avoid message loss in "keep flush" configurations. Workaround for previous versions: "expunge 0". diff --git a/configure.ac b/configure.ac index f972b547..7364a2fa 100644 --- a/configure.ac +++ b/configure.ac @@ -8,7 +8,7 @@ dnl Autoconfigure input file for fetchmail dnl Process this file with autoconf to produce a configure script. dnl -AC_INIT([fetchmail],[6.3.9-rc1],[fetchmail-users@lists.berlios.de]) +AC_INIT([fetchmail],[6.3.9-rc2],[fetchmail-users@lists.berlios.de]) AC_CONFIG_SRCDIR([fetchmail.h]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_LIBOBJ_DIR([.]) @@ -61,6 +61,9 @@ AC_CHECK_HEADERS([unistd.h termios.h termio.h sgtty.h stdarg.h \ sys/itimer.h fcntl.h sys/fcntl.h memory.h sys/wait.h \ arpa/inet.h arpa/nameser.h netinet/in.h net/socket.h netdb.h \ sys/select.h sys/socket.h sys/time.h langinfo.h]) +if test _$ac_cv_header_stdarg_h != _yes ; then +AC_MSG_WARN([stdarg.h is not defined. Unsupported configuration, proceed at your own risk.]) +fi AC_CHECK_TYPE(u_int32_t,, AC_DEFINE(u_int32_t,unsigned int, [Define to unsigned int if <sys/types.h> does not define.]), diff --git a/fetchmail-SA-2008-01.txt b/fetchmail-SA-2008-01.txt index 18e330e7..40d2dd1a 100644 --- a/fetchmail-SA-2008-01.txt +++ b/fetchmail-SA-2008-01.txt @@ -6,7 +6,7 @@ fetchmail-SA-2008-01: Crash on large log messages in verbose mode Topics: Crash in large log messages in verbose mode. Author: Matthias Andree -Version: 1.1 +Version: 1.2 Announced: 2008-06-17 Type: Dereferencing garbage pointer triggered by outside circumstances Impact: denial of service possible 
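Review bot: The new stdarg.h check in the configure.ac hunk at `-61,6 +61,9` only issues `AC_MSG_WARN` in the middle of the header checks, where it is easily lost in configure output, and the build then carries on in a configuration the message itself calls unsupported. If that configuration really is unsupported, `AC_MSG_ERROR([stdarg.h not found; this configuration is unsupported])` would make the failure explicit; otherwise the warning could be repeated at the end of the configure run. The wording "stdarg.h is not defined" would read better as "stdarg.h was not found", since the test is on a header check result rather than a macro.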
@@ -18,12 +18,14 @@ CVE Name: CVE-2008-2711 URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt Project URL: http://www.fetchmail.info/ -Affects: fetchmail release < 6.3.9 exclusively +Affects: fetchmail release before and excluding 6.3.9 + fetchmail release candidate 6.3.9-rc1 Not affected: fetchmail release 6.3.9 and newer - systems without varargs (stdargs.h) support. + fetchmail release candidate 6.3.9-rc2 and newer + systems without varargs support. -Corrected: 2008-06-13 fetchmail SVN (rev 5193) +Corrected: 2008-06-24 fetchmail SVN (rev 5205) References: <https://bugzilla.novell.com/show_bug.cgi?id=354291> <http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824> @@ -36,6 +38,7 @@ References: <https://bugzilla.novell.com/show_bug.cgi?id=354291> posted to oss-security) 2008-06-17 1.0 published on http://www.fetchmail.info/ 2008-06-17 1.1 Corrected typo in Type: above (trigged -> triggered) +2008-06-24 1.2 also fixed issue in report_complete (reported by Petr Uzel) 1. Background @@ -116,31 +119,38 @@ THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. - B. Patch to remedy the problem ============================== +Note that when taking this from a GnuPG clearsigned file, the lines +starting with a "-" character are prefixed by another "- " (dash + +blank) combination. Either feed this file through GnuPG to strip them, +or strip them manually. + +Whitespace differences can usually be ignored by invoking "patch -l", +so try this if the patch does not apply. + diff --git a/report.c b/report.c -index 31d4e48..2a731ac 100644 +index 31d4e48..320e60b 100644 - --- a/report.c +++ b/report.c 
@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist) rep_ensuresize(); - + #if defined(VA_START) - - VA_START (args, message); for ( ; ; ) { + /* -+ * args has to be initialized before every call of vsnprintf(), -+ * because vsnprintf() invokes va_arg macro and thus args is ++ * args has to be initialized before every call of vsnprintf(), ++ * because vsnprintf() invokes va_arg macro and thus args is + * undefined after the call. + */ + VA_START(args, message); n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, message, args); + va_end (args); - + if (n >= 0 && (unsigned)n < partial_message_size - partial_message_size_used) @@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist) @@ -151,12 +161,35 @@ index 31d4e48..2a731ac 100644 #else for ( ; ; ) { +@@ -304,12 +309,13 @@ report_complete (FILE *errfp, message, va_alist) + rep_ensuresize(); + + #if defined(VA_START) +- - VA_START (args, message); + for ( ; ; ) + { ++ VA_START(args, message); + n = vsnprintf (partial_message + partial_message_size_used, + partial_message_size - partial_message_size_used, + message, args); ++ va_end(args); + + /* old glibc versions return -1 for truncation */ + if (n >= 0 +@@ -322,7 +328,6 @@ report_complete (FILE *errfp, message, va_alist) + partial_message_size += 2048; + partial_message = REALLOC (partial_message, partial_message_size); + } +- - va_end (args); + #else + for ( ; ; ) + { END OF fetchmail-SA-2008-01.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) -iD8DBQFIV7e+vmGDOQUufZURAiAUAKCG1pBXEdVJPUr4WeIZXAr01jshkwCgvfb8 -6qqG2gZonX24W58gBEQ7Pjw= -=vwYl +iD8DBQFIYPBuvmGDOQUufZURAuj8AJ9IbN/UMcML6NLKSI0keQzGVGzZSQCg+UCP +tUVNigLK8Xz40J2Eg7PD8Xs= +=HAmn -----END PGP SIGNATURE----- 
@@ -309,12 +309,13 @@ report_complete (FILE *errfp, message, va_alist)
 rep_ensuresize();
 #if defined(VA_START)
- VA_START (args, message);
 for ( ; ; )
 {
+ VA_START(args, message);
 n = vsnprintf (partial_message + partial_message_size_used,
 partial_message_size - partial_message_size_used,
 message, args);
+ va_end(args);
 /* old glibc versions return -1 for truncation */
 if (n >= 0
@@ -327,7 +328,6 @@ report_complete (FILE *errfp, message, va_alist)
 partial_message_size += 2048;
 partial_message = REALLOC (partial_message, partial_message_size);
 }
- va_end (args);
 #else
 for ( ; ; )
 { |
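Review bot: The re-initialization of args inside report_complete's retry loop has no comment explaining why VA_START must run before every vsnprintf() call, although the report_build copy in the advisory patch has one and this function is the one the first fix missed. I would add `/* args is indeterminate after vsnprintf(); re-initialize it before every retry */` above `VA_START(args, message);`. Separately, the context comment says old glibc returns -1 for truncation; if the branch after `if (n >= 0` treats every negative return as truncation, a genuine vsnprintf() error would grow the buffer by 2048 bytes per pass with no upper bound, so a cap on partial_message_size is worth considering. The loop body and the `#else` branch extend beyond these hunks, so the non-VA_START path could not be checked here.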