From 5cca5d1e300a41bda91b983c8ccf7fbb60ccb957 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 26 Aug 2021 23:53:14 +0200 Subject: fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported by Bjørn Mork, fixes Debian Bug#992400. Crash happens inside xstrdup() on a strlen((char *)-1) where the argument is constant and the trigger is a local trusted configuration file, so not deemed a vulnerability. --- NEWS | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 63a8cfcb..927448ac 100644 --- a/NEWS +++ b/NEWS @@ -125,6 +125,11 @@ fetchmail-6.4.22 (not yet released): * Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections. * On POP3 connections, the CAPAbilities parser is now caseblind. +* Fix segfault on configurations with "defaults ... no envelope". Reported by + Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3 + and happened when plugging memory leaks, which did not account for that the + envelope parameter is special when set as "no envelope". The segfault happens + in a constant strlen(-1), triggered by trusted local input => no vulnerability. # CHANGES: * IMAP: When fetchmail is in not-authenticated state and the server volunteers -- cgit v1.2.3
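Review bot: In the added NEWS bullet, "which did not account for that the envelope parameter is special" reads awkwardly, and "a constant strlen(-1)" drops the detail the commit message gives, namely that the crash is inside xstrdup() on strlen((char *)-1) while optmerge()ing. Suggest wording such as "which did not account for the envelope parameter being special when set as "no envelope"", and naming xstrdup() so the entry matches the commit message. This view is limited to NEWS, so the fetchmail.c change itself is not visible here and cannot be checked against the description. A test configuration containing "defaults ... no envelope" would guard against the regression recurring.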