From d3db2da1d13bd2419370ad96defb92eecb17064c Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Mon, 9 Aug 2021 17:42:29 +0200
Subject: Fix --logfile and message truncation issue.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Regression in 6.4.20's security fix (Git commit c546c829).

We doubly incremented partial_message_size_used on modern systems
(stdarg.h/vsnprintf), once in report_vbuild() and then again in
report_build(), so the 2nd and subsequent report_build() fragments landed
too late in the buffer. This will not cause overruns due to the
reallocation prior to the vsnprintf/sprintf, but the write starts behind
the '\0' byte, instead of right over it, so the string also gets truncated
to the first fragment written with report_vbuild().

Fix by moving the increment back into the #else...#endif part that does
not use report_vbuild().

Reported by: Jürgen Edner, Erik Christiansen
---
 NEWS | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index 0cd3f968..b98f15d2 100644
--- a/NEWS
+++ b/NEWS
@@ -81,6 +81,24 @@ removed from a 6.5.0 or newer release.) messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. +-------------------------------------------------------------------------------- +fetchmail-6.4.21 (released 2021-08-09, 30042 LoC): + +# REGRESSION FIX: +* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of + messages logged to buffered outputs, predominantly --logfile. + + This also caused lines in the logfile to run into one another because + the fragment containing the '\n' line-end character was usually lost. + + Reason is that on all modern systems (with header and vsnprintf() + interface), the length of log message fragments was added up twice, so + that these ended too deep into a freshly allocated buffer, after the '\0' + byte. Unbuffered outputs flushed the fragments right away, which masked the + bug. + + Reported by: Jürgen Edner, Erik Christiansen. + -------------------------------------------------------------------------------- fetchmail-6.4.20 (released 2021-07-28, 30042 LoC): -- cgit v1.2.3
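Review bot: the added NEWS text "on all modern systems (with header and vsnprintf() interface)" has lost the header name before "and" (the angle brackets were most likely swallowed as markup), so readers cannot tell which build configuration is affected; spell the header name out in plain words, as the commit message does, so it survives rendering. Two further points on the same entry: the commit message states that the misplaced write stays inside the freshly reallocated buffer and causes no overrun, which is exactly what a user reading a regression note on a CVE fix will ask first, yet the NEWS entry says only that fragments "ended too deep into a freshly allocated buffer"; add one line making the no-overrun point explicit. And the "30042 LoC" figure on the new fetchmail-6.4.21 header line is identical to the fetchmail-6.4.20 line just below it; confirm it was regenerated for this release rather than copied.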