diff --git a/fetchmail-6.3.8-CVE-2007-4565.patch b/fetchmail-6.3.8-CVE-2007-4565.patch new file mode 100644 index 0000000..2c91776 --- /dev/null +++ b/fetchmail-6.3.8-CVE-2007-4565.patch @@ -0,0 +1,11 @@ +--- sink.c ++++ sink.c +@@ -262,7 +262,7 @@ + const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@"; + + /* don't bounce in reply to undeliverable bounces */ +- if (!msg->return_path[0] || ++ if (!msg || !msg->return_path[0] || + strcmp(msg->return_path, "<>") == 0 || + strcasecmp(msg->return_path, md1) == 0 || + strncasecmp(msg->return_path, md2, strlen(md2)) == 0) diff --git a/fetchmail-6.3.8-starttls.patch b/fetchmail-6.3.8-starttls.patch new file mode 100644 index 0000000..2855ad6 --- /dev/null +++ b/fetchmail-6.3.8-starttls.patch @@ -0,0 +1,29 @@ +# Patches fetchmail's behaviour for SMTP servers which insist +# on using TLS - we do not want messages which cannot be +# sent due to server negotiation problems lost - rather we +# keep them on the mailserver. As users should realize rather +# quickly that something went wrong, the overhead shouldn't +# be considered that important. +--- fetchmail-6.3.8.orig/sink.c 2007-03-30 00:45:17.000000000 +0200 ++++ fetchmail-6.3.8.new/sink.c 2007-09-25 17:37:49.332165910 +0200 +@@ -535,7 +535,19 @@ + free(responses[0]); + return(PS_REFUSED); + +- default: ++ case 530: /* must issue STARTTLS error */ ++ /* ++ * Some SMTP servers insist on encrypted communication ++ * Let's set PS_TRANSIENT, otherwise all messages to be sent ++ * over such server would be blackholed ++ */ ++ free(responses[0]); ++ if (outlevel > O_SILENT) ++ report_complete(stdout, ++ GT_(" SMTP server requires STARTTLS, keeping message.\n")); ++ return(PS_TRANSIENT); ++ ++ default: + /* bounce non-transient errors back to the sender */ + if (smtperr >= 500 && smtperr <= 599) + { diff --git a/fetchmail.changes b/fetchmail.changes index 1c38236..db99cb8 100644 --- a/fetchmail.changes +++ b/fetchmail.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Sep 27 20:50:39 CEST 2007 - pcerny@suse.de + +- Fix for DoS vulnerability (#308271 CVE-2007-4565) +- Do not remove messages if SMTP insists on TLS (#246829) + [fetchmail-6.3.8-starttls.patch] + ------------------------------------------------------------------- Tue Sep 11 15:15:14 CEST 2007 - ro@suse.de diff --git a/fetchmail.spec b/fetchmail.spec index 5a1df79..9245ee8 100644 --- a/fetchmail.spec +++ b/fetchmail.spec @@ -12,17 +12,19 @@ Name: fetchmail BuildRequires: dante-devel ed krb5-devel openssl-devel opie postfix procmail pwdutils python-devel -License: GPL v2 or later, Other uncritical OpenSource License, GPL, InnerNet Version 2 license (with the advertising clause removed for GPL compatibility), public-domain +License: GPL v2 or later; Other uncritical OpenSource License; Public Domain, Freeware Group: Productivity/Networking/Email/Utilities -Autoreqprov: on +AutoReqProv: on Version: 6.3.8 -Release: 51 +Release: 58 Source: %{name}-%{version}.tar.bz2 Source1: %{name}.init Source2: %{name}.logrotate Source3: sysconfig.%{name} +Patch0: fetchmail-6.3.8-CVE-2007-4565.patch +Patch1: fetchmail-6.3.8-starttls.patch PreReq: %insserv_prereq %fillup_prereq coreutils -URL: http://www.fetchmail.info/ +Url: http://www.fetchmail.info/ Icon: fetchmail.xpm Requires: smtp_daemon Provides: pop:/usr/bin/fetchmail @@ -55,7 +57,6 @@ Authors: Summary: Fetchmail Configuration Utility Group: Productivity/Networking/Email/Utilities Requires: %{name} = %{version} python-tk - %py_requires %description -n fetchmailconf @@ -74,6 +75,8 @@ Authors: %prep %setup -q +%patch0 +%patch1 -p1 cp -a %{S:1} %{S:2} %{S:3} . %build @@ -154,8 +157,11 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/fetchmailconf %doc %{_mandir}/man1/fetchmailconf.1.gz %{py_sitedir}/fetchmailconf.* - %changelog +* Thu Sep 27 2007 - pcerny@suse.de +- Fix for DoS vulnerability (#308271 CVE-2007-4565) +- Do not remove messages if SMTP insists on TLS (#246829) + [fetchmail-6.3.8-starttls.patch] * Tue Sep 11 2007 - ro@suse.de - remove librsaref2-devel from buildrequires (unused) * Fri Aug 31 2007 - pcerny@suse.cz