| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While running a static code analysis tool (Parfait) on fetchmail, it found some
bugs:
Error: Memory leak (CWE 401)
Memory leak of pointer 'plugin_copy' allocated with malloc((plugin_copy_len + 1))
at line 137 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'parse_plugin'.
'plugin_copy' allocated at line 107 with malloc((plugin_copy_len + 1)).
plugin_copy leaks when plugin_copy_offset >= plugin_copy_len at line 114.
Error: Null pointer dereference (CWE 476)
Read from null pointer 'argvec'
at line 189 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'handle_plugin'.
Function 'parse_plugin' may return constant 'NULL' at line 137, called at line 188.
Null pointer introduced at line 137 in function 'parse_plugin'.
at line 190 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'handle_plugin'.
Function 'parse_plugin' may return constant 'NULL' at line 137, called at line 188.
Null pointer introduced at line 137 in function 'parse_plugin'.
(I realize these are on 6.3.22; I checked and verified that this portion of
the code is the same in 6.3.24.)
The attached patch fixes each of these.
(Note by Matthias Andree:
The NULL pointer dereference fix does not require error reporting,
because parse_plugin() will already have reported the out-of-memory
error that causes the NULL to be returned.)
|
|
|
|
|
|
|
|
|
| |
* Improved reporting when SSL/TLS X.509 certificate validation has failed,
working around a not-so-recent swapping of two OpenSSL error codes, and
a practical impossibility to distinguish broken certification chains from
missing trust anchors (root certificates).
* OpenSSL decoded errors are now reported through report(), rather than dumped
to stderr, so that they should show up in logfiles and/or syslog.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older systems that provide the older RFC-2553 implementation of
getaddrinfo, rather than the current RFC-3493, and systems that do not
provide this getaddrinfo() interface at all and thus use the replacement
functions from libesmtp/getaddrinfo.?, might return EAI_NODATA when a
host is registered in DNS as MX or similar, but without A or AAAA
records. Handle this situation when checking for multidrop aliases and
treat EAI_NODATA the same as EAI_NONAME, i. e. name cannot be resolved.
The proper fix, however, is to upgrade the operating system.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
IBiblio no longer accepts submissions, and considers itself an archive.
There is no point in our carrying forward any related material, if
needed for reference purposes, it can be fetched from older versions in
the Git repository.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This would affect fetchmail configurations running with SSL in daemon mode
more than one-shot runs.
Reported by Erik Thiele, and pinned by Dominik, Debian Bug #688015.
This bug was introduced into fetchmail 6.2.9 (committed 2005-10-29)
when support for subjectAltName was added through a patch by Roland
Stigge, submitted as Debian Bug#201113.
|
|
|
|
| |
reported by Heinz Diehl.
|
| |
|
| |
|
|
|
|
| |
dubbed 6.3.22.2 for translation purposes.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
to encompass Maillennium POP3/UNIBOX (Maillennium V05.00c++). Reported
by Eddie via fetchmail-users mailing list, 2012-10-13.
|
|
|
|
|
| |
In case logfile overrides syslog, send a message to the latter stating
where logging goes. Also revise manual page.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
scenario: you want to remote-control fetchmail, but you don't want to write
passwords into files, so you feed fetchmail a minimal rcfile via stdin with -f
-. this by itself works fine. if you also want or need to use a --plugin (eg.
socat for socks), then things fail badly: the plugin is run without a stdin fd,
hence can't take input from fetchmail, lots of fun ensues. plugins without -f
- work fine, it's just the combination that fails.
explanation: the root cause is rcfile_y.y, line 493, which closes whatever fd
carried the rcfile. with -f - this closes fetchmail's stdin - and so far that's
unproblematic. however, in socket.c lines 166ff things go wrong: fetchmail
sets up the plugin with a socketpair, which will likely include the first
unused fd - and fd zero is now indeed unused. in line 180ff a dup2 replumbing
from "that fd" (=zero) to zero is performed - and then "that fd" is closed.
and hey presto, we've got no fd zero = stdin for the plugin.
solution: the simplest solution (patch attached) is to make the fclose of the
rcfile conditional, ie. don't close if it's stdin. in the long run the
dup2+close code might be made more robust by not doing a dup2+close if fd[0] is
already 0 or 1.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A patch to clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS was added recently:
http://gitorious.org/fetchmail/fetchmail/commit/48809c5b9f6c9081f4031fa938dd63b060c18a4b?format=patch
Older implementations of OpenSSL do not support SSL_CTX_clear_options().
This patch reworks the previous change to avoid the use of
SL_CTX_clear_options() and instead clears the corresponding bit in
SSL_OP_ALL before calling SSL_CTX_set_options().
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
The Python-related Makefile.am parts were simplified to avoid an
automake 1.11.X bug around noinst_PYTHON, Automake Bug #10995.
http://lists.gnu.org/archive/html/automake-patches/2012-03/txtbYNp7SPawU.txt
|
|
|
|
|
|
| |
The GSSAPI-related autoconf code now matches gssapi.c better, and uses
a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
This fixes the GSSAPI-enabled build on NetBSD 6 Beta.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This is to avoid reading from bad locations, and possibly conveying
confidential data. Credit to Nico Golde.
|
| |
|
| |
|