OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fetchmail?expand=0&rev=9

fetchmail-6.3.8-CVE-2007-4565.patch

@@ -0,0 +1,11 @@
+--- sink.c
++++ sink.c
+@@ -262,7 +262,7 @@
+     const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
+ 
+     /* don't bounce in reply to undeliverable bounces */
+-    if (!msg->return_path[0] ||
++    if (!msg || !msg->return_path[0] ||
+ 	strcmp(msg->return_path, "<>") == 0 ||
+ 	strcasecmp(msg->return_path, md1) == 0 ||
+ 	strncasecmp(msg->return_path, md2, strlen(md2)) == 0)

fetchmail-6.3.8-starttls.patch

@@ -0,0 +1,29 @@
+# Patches fetchmail's behaviour for SMTP servers which insist
+# on using TLS - we do not want messages which cannot be
+# sent due to server negotiation problems lost - rather we
+# keep them on the mailserver. As users should realize rather
+# quickly that something went wrong, the overhead shouldn't
+# be considered that important.
+--- fetchmail-6.3.8.orig/sink.c	2007-03-30 00:45:17.000000000 +0200
++++ fetchmail-6.3.8.new/sink.c	2007-09-25 17:37:49.332165910 +0200
+@@ -535,7 +535,19 @@
+ 	free(responses[0]);
+ 	return(PS_REFUSED);
+ 
+-    default:
++    case 530: /* must issue STARTTLS error */
++	/*
++	 * Some SMTP servers insist on encrypted communication
++	 * Let's set PS_TRANSIENT, otherwise all messages to be sent 
++	 * over such server would be blackholed
++	 */
++	free(responses[0]);
++	if (outlevel > O_SILENT)
++		report_complete(stdout, 
++				GT_(" SMTP server requires STARTTLS, keeping message.\n"));
++	return(PS_TRANSIENT);
++    
++	default:
+ 	/* bounce non-transient errors back to the sender */
+ 	if (smtperr >= 500 && smtperr <= 599)
+ 	{

fetchmail.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Sep 27 20:50:39 CEST 2007 - pcerny@suse.de
+
+- Fix for DoS vulnerability (#308271 CVE-2007-4565)
+- Do not remove messages if SMTP insists on TLS (#246829)
+  [fetchmail-6.3.8-starttls.patch]
+
 -------------------------------------------------------------------
 Tue Sep 11 15:15:14 CEST 2007 - ro@suse.de
 

fetchmail.spec

@@ -12,17 +12,19 @@
 
 Name:           fetchmail
 BuildRequires:  dante-devel ed krb5-devel openssl-devel opie postfix procmail pwdutils python-devel
-License:        GPL v2 or later, Other uncritical OpenSource License, GPL, InnerNet Version 2 license (with the advertising clause removed for GPL compatibility), public-domain
+License:        GPL v2 or later; Other uncritical OpenSource License; Public Domain, Freeware
 Group:          Productivity/Networking/Email/Utilities
-Autoreqprov:    on
+AutoReqProv:    on
 Version:        6.3.8
-Release:        51
+Release:        58
 Source:         %{name}-%{version}.tar.bz2
 Source1:        %{name}.init
 Source2:        %{name}.logrotate
 Source3:        sysconfig.%{name}
+Patch0:         fetchmail-6.3.8-CVE-2007-4565.patch
+Patch1:         fetchmail-6.3.8-starttls.patch
 PreReq:         %insserv_prereq %fillup_prereq coreutils
-URL:            http://www.fetchmail.info/
+Url:            http://www.fetchmail.info/
 Icon:	        fetchmail.xpm
 Requires:       smtp_daemon
 Provides:       pop:/usr/bin/fetchmail
@@ -55,7 +57,6 @@ Authors:
 Summary:        Fetchmail Configuration Utility
 Group:          Productivity/Networking/Email/Utilities
 Requires:       %{name} = %{version} python-tk
-
 %py_requires
 
 %description -n fetchmailconf
@@ -74,6 +75,8 @@ Authors:
 
 %prep
 %setup -q
+%patch0
+%patch1 -p1
 cp -a %{S:1} %{S:2} %{S:3} .
 
 %build
@@ -154,8 +157,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/fetchmailconf
 %doc %{_mandir}/man1/fetchmailconf.1.gz
 %{py_sitedir}/fetchmailconf.*
-
 %changelog
+* Thu Sep 27 2007 - pcerny@suse.de
+- Fix for DoS vulnerability (#308271 CVE-2007-4565)
+- Do not remove messages if SMTP insists on TLS (#246829)
+  [fetchmail-6.3.8-starttls.patch]
 * Tue Sep 11 2007 - ro@suse.de
 - remove librsaref2-devel from buildrequires (unused)
 * Fri Aug 31 2007 - pcerny@suse.cz