Dominique Leuenberger 2021-10-12 19:49:49 +00:00 committed by Git OBS Bridge
commit d13df626ed
9 changed files with 254 additions and 162 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6a459c1cafd7a1daa5cd137140da60c18c84b5699cd8e7249a79c33342c99d1d
size 1318996


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=SQ77
-----END PGP SIGNATURE-----

3
fetchmail-6.4.22.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cc6818bd59435602169fa292d6d163d56b21c7f53112829470a3aceabe612c84
size 1330176


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=Qd4Q
-----END PGP SIGNATURE-----


@ -17,8 +17,10 @@ When configured, it will also fall back on trying xoauth2.
rcfile_l.l | 1 rcfile_l.l | 1
8 files changed, 136 insertions(+), 3 deletions(-) 8 files changed, 136 insertions(+), 3 deletions(-)
--- a/conf.c Index: fetchmail-6.4.22/conf.c
+++ b/conf.c ===================================================================
--- fetchmail-6.4.22.orig/conf.c
+++ fetchmail-6.4.22/conf.c
@@ -288,6 +288,8 @@ void dump_config(struct runctl *runp, st @@ -288,6 +288,8 @@ void dump_config(struct runctl *runp, st
stringdump("auth", "otp"); stringdump("auth", "otp");
else if (ctl->server.authenticate == A_MSN) else if (ctl->server.authenticate == A_MSN)
@ -28,9 +30,11 @@ When configured, it will also fall back on trying xoauth2.
#ifdef HAVE_RES_SEARCH #ifdef HAVE_RES_SEARCH
booldump("dns", ctl->server.dns); booldump("dns", ctl->server.dns);
--- a/fetchmail.c Index: fetchmail-6.4.22/fetchmail.c
+++ b/fetchmail.c ===================================================================
@@ -1766,6 +1766,9 @@ static void dump_params (struct runctl * --- fetchmail-6.4.22.orig/fetchmail.c
+++ fetchmail-6.4.22/fetchmail.c
@@ -1776,6 +1776,9 @@ static void dump_params (struct runctl *
case A_SSH: case A_SSH:
printf(GT_(" End-to-end encryption assumed.\n")); printf(GT_(" End-to-end encryption assumed.\n"));
break; break;
@ -40,8 +44,10 @@ When configured, it will also fall back on trying xoauth2.
} }
if (ctl->server.principal != (char *) NULL) if (ctl->server.principal != (char *) NULL)
printf(GT_(" Mail service principal is: %s\n"), ctl->server.principal); printf(GT_(" Mail service principal is: %s\n"), ctl->server.principal);
--- a/fetchmail.h Index: fetchmail-6.4.22/fetchmail.h
+++ b/fetchmail.h ===================================================================
--- fetchmail-6.4.22.orig/fetchmail.h
+++ fetchmail-6.4.22/fetchmail.h
@@ -79,6 +79,7 @@ struct addrinfo; @@ -79,6 +79,7 @@ struct addrinfo;
#define A_SSH 8 /* authentication at session level */ #define A_SSH 8 /* authentication at session level */
#define A_MSN 9 /* same as NTLM with keyword MSN */ #define A_MSN 9 /* same as NTLM with keyword MSN */
@ -58,9 +64,11 @@ When configured, it will also fall back on trying xoauth2.
#define PASSWORDLEN 256 /* max password length */ #define PASSWORDLEN 256 /* max password length */
#define DIGESTLEN 33 /* length of MD5 digest */ #define DIGESTLEN 33 /* length of MD5 digest */
--- a/fetchmail.man Index: fetchmail-6.4.22/fetchmail.man
+++ b/fetchmail.man ===================================================================
@@ -1001,7 +1001,7 @@ AUTHENTICATION below for details). The --- fetchmail-6.4.22.orig/fetchmail.man
+++ fetchmail-6.4.22/fetchmail.man
@@ -1007,7 +1007,7 @@ AUTHENTICATION below for details). The
\&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for
excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP, excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP,
\fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3), \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3),
@ -69,7 +77,7 @@ When configured, it will also fall back on trying xoauth2.
When \fBany\fP (the default) is specified, fetchmail tries When \fBany\fP (the default) is specified, fetchmail tries
first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV, first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV,
KERBEROS\ 5); then it looks for methods that mask your password KERBEROS\ 5); then it looks for methods that mask your password
@@ -1021,6 +1021,23 @@ GSSAPI or K4. Choosing KPOP protocol au @@ -1027,6 +1027,23 @@ GSSAPI or K4. Choosing KPOP protocol au
authentication. This option does not work with ETRN. GSSAPI service names are authentication. This option does not work with ETRN. GSSAPI service names are
in line with RFC-2743 and IANA registrations, see in line with RFC-2743 and IANA registrations, see
.URL https://www.iana.org/assignments/gssapi-service-names/ "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names" . .URL https://www.iana.org/assignments/gssapi-service-names/ "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names" .
@ -93,7 +101,7 @@ When configured, it will also fall back on trying xoauth2.
.SS Miscellaneous Options .SS Miscellaneous Options
.TP .TP
.B \-f <pathname> | \-\-fetchmailrc <pathname> .B \-f <pathname> | \-\-fetchmailrc <pathname>
@@ -2327,7 +2344,9 @@ Legal protocol identifiers for use with @@ -2333,7 +2350,9 @@ Legal protocol identifiers for use with
.PP .PP
Legal authentication types are 'any', 'password', 'kerberos', Legal authentication types are 'any', 'password', 'kerberos',
\&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn' \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
@ -104,9 +112,11 @@ When configured, it will also fall back on trying xoauth2.
The 'password' type specifies The 'password' type specifies
authentication by normal transmission of a password (the password may be authentication by normal transmission of a password (the password may be
plain text or subject to protocol-specific encryption as in CRAM-MD5); plain text or subject to protocol-specific encryption as in CRAM-MD5);
--- a/fetchmailconf.py Index: fetchmail-6.4.22/fetchmailconf.py
+++ b/fetchmailconf.py ===================================================================
@@ -487,7 +487,7 @@ defaultports = {"auto":None, --- fetchmail-6.4.22.orig/fetchmailconf.py
+++ fetchmail-6.4.22/fetchmailconf.py
@@ -500,7 +500,7 @@ defaultports = {"auto":None,
"ODMR":"odmr"} "ODMR":"odmr"}
authlist = ("any", "password", "gssapi", "kerberos", "ssh", "otp", authlist = ("any", "password", "gssapi", "kerberos", "ssh", "otp",
@ -115,8 +125,10 @@ When configured, it will also fall back on trying xoauth2.
listboxhelp = { listboxhelp = {
'title' : 'List Selection Help', 'title' : 'List Selection Help',
--- a/imap.c Index: fetchmail-6.4.22/imap.c
+++ b/imap.c ===================================================================
--- fetchmail-6.4.22.orig/imap.c
+++ fetchmail-6.4.22/imap.c
@@ -26,6 +26,10 @@ @@ -26,6 +26,10 @@
#define IMAP4 0 /* IMAP4 rev 0, RFC1730 */ #define IMAP4 0 /* IMAP4 rev 0, RFC1730 */
#define IMAP4rev1 1 /* IMAP4 rev 1, RFC2060 */ #define IMAP4rev1 1 /* IMAP4 rev 1, RFC2060 */
@ -128,16 +140,16 @@ When configured, it will also fall back on trying xoauth2.
/* global variables: please reinitialize them explicitly for proper /* global variables: please reinitialize them explicitly for proper
* working in daemon mode */ * working in daemon mode */
@@ -38,6 +42,8 @@ static int imap_version = IMAP4; @@ -51,6 +55,8 @@ static void clear_sessiondata(void) {
static flag do_idle = FALSE, has_idle = FALSE; * a const initializer */
static int expunge_period = 1; const char *const capa_begin = " [CAPABILITY "; const unsigned capa_len = 13;
+static int plus_cont_context = IPLUS_NONE; +static int plus_cont_context = IPLUS_NONE;
+ +
/* mailbox variables initialized in imap_getrange() */ /* mailbox variables initialized in imap_getrange() */
static int count = 0, oldcount = 0, recentcount = 0, unseen = 0, deletions = 0; static int count = 0, oldcount = 0, recentcount = 0, unseen = 0, deletions = 0;
static unsigned int startcount = 1; static unsigned int startcount = 1;
@@ -202,6 +208,21 @@ static int imap_response(int sock, char @@ -266,6 +272,21 @@ static int imap_response(int sock, char
if (ok != PS_SUCCESS) if (ok != PS_SUCCESS)
return(ok); return(ok);
@ -159,7 +171,7 @@ When configured, it will also fall back on trying xoauth2.
/* all tokens in responses are caseblind */ /* all tokens in responses are caseblind */
for (cp = buf; *cp; cp++) for (cp = buf; *cp; cp++)
if (islower((unsigned char)*cp)) if (islower((unsigned char)*cp))
@@ -316,6 +337,69 @@ static int do_imap_ntlm(int sock, struct @@ -396,6 +417,69 @@ static int do_imap_ntlm(int sock, struct
} }
#endif /* NTLM */ #endif /* NTLM */
@ -229,9 +241,9 @@ When configured, it will also fall back on trying xoauth2.
static void imap_canonicalize(char *result, char *raw, size_t maxlen) static void imap_canonicalize(char *result, char *raw, size_t maxlen)
/* encode an IMAP password as per RFC1730's quoting conventions */ /* encode an IMAP password as per RFC1730's quoting conventions */
{ {
@@ -510,6 +594,26 @@ static int imap_getauth(int sock, struct @@ -577,6 +661,26 @@ static int imap_getauth(int sock, struct
*/ for future maintenance */
ok = PS_AUTHFAIL; (void)ok;
+ if (ctl->server.authenticate == A_OAUTHBEARER) + if (ctl->server.authenticate == A_OAUTHBEARER)
+ { + {
@ -256,8 +268,10 @@ When configured, it will also fall back on trying xoauth2.
/* Yahoo hack - we'll just try ID if it was offered by the server, /* Yahoo hack - we'll just try ID if it was offered by the server,
* and IGNORE errors. */ * and IGNORE errors. */
{ {
--- a/options.c Index: fetchmail-6.4.22/options.c
+++ b/options.c ===================================================================
--- fetchmail-6.4.22.orig/options.c
+++ fetchmail-6.4.22/options.c
@@ -421,6 +421,8 @@ int parsecmdline (int argc /** argument @@ -421,6 +421,8 @@ int parsecmdline (int argc /** argument
ctl->server.authenticate = A_ANY; ctl->server.authenticate = A_ANY;
else if (strcmp(optarg, "msn") == 0) else if (strcmp(optarg, "msn") == 0)
@ -267,8 +281,10 @@ When configured, it will also fall back on trying xoauth2.
else { else {
fprintf(stderr,GT_("Invalid authentication `%s' specified.\n"), optarg); fprintf(stderr,GT_("Invalid authentication `%s' specified.\n"), optarg);
errflag++; errflag++;
--- a/rcfile_l.l Index: fetchmail-6.4.22/rcfile_l.l
+++ b/rcfile_l.l ===================================================================
--- fetchmail-6.4.22.orig/rcfile_l.l
+++ fetchmail-6.4.22/rcfile_l.l
@@ -106,6 +106,7 @@ cram(-md5)? { SETSTATE(0); yylval.proto @@ -106,6 +106,7 @@ cram(-md5)? { SETSTATE(0); yylval.proto
msn { SETSTATE(0); yylval.proto = A_MSN; return AUTHTYPE;} msn { SETSTATE(0); yylval.proto = A_MSN; return AUTHTYPE;}
ntlm { SETSTATE(0); yylval.proto = A_NTLM; return AUTHTYPE;} ntlm { SETSTATE(0); yylval.proto = A_NTLM; return AUTHTYPE;}


@ -9,11 +9,11 @@ Git-commit: cc6e146d516140df800da68976eb7c0aa1cef7c0
fetchmail.h | 1 + fetchmail.h | 1 +
2 files changed, 8 insertions(+) 2 files changed, 8 insertions(+)
diff --git a/base64.c b/base64.c Index: fetchmail-6.4.22/base64.c
index 3cd41691..25393b35 100644 ===================================================================
--- a/base64.c --- fetchmail-6.4.22.orig/base64.c
+++ b/base64.c +++ fetchmail-6.4.22/base64.c
@@ -61,6 +61,13 @@ fail: @@ -66,6 +66,13 @@ fail:
return rc; return rc;
} }
@ -27,16 +27,15 @@ index 3cd41691..25393b35 100644
int from64tobits(void *out_, const char *in, int maxlen) int from64tobits(void *out_, const char *in, int maxlen)
/* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */ /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
/* maxlen limits output buffer size, set to zero to ignore */ /* maxlen limits output buffer size, set to zero to ignore */
diff --git a/fetchmail.h b/fetchmail.h Index: fetchmail-6.4.22/fetchmail.h
index 8b9dd6c4..2d378942 100644 ===================================================================
--- a/fetchmail.h --- fetchmail-6.4.22.orig/fetchmail.h
+++ b/fetchmail.h +++ fetchmail-6.4.22/fetchmail.h
@@ -638,6 +638,7 @@ int prc_filecheck(const char *, const flag); @@ -642,6 +642,7 @@ int prc_filecheck(const char *, const fl
/* base64.c */ /* base64.c */
unsigned len64frombits(unsigned inlen); /** calculate length needed to encode inlen octets. warnings: 1. caller needs to add 1 for a trailing \0 byte himself. 2. returns 0 for inlen 0! */
int to64frombits(char *, const void *, int inlen, size_t outlen); int to64frombits(char *, const void *, int inlen, size_t outlen);
+size_t query_to64_outsize(size_t inlen); +size_t query_to64_outsize(size_t inlen);
int from64tobits(void *, const char *, int mxoutlen); int from64tobits(void *, const char *, int mxoutlen);
/* unmime.c */ /* unmime.c */


@ -16,11 +16,11 @@ Git-commit: 7b5c56f0fa3acb4c5589a4747c1921a311d8a464
create mode 100644 oauth2.c create mode 100644 oauth2.c
create mode 100644 oauth2.h create mode 100644 oauth2.h
diff --git a/Makefile.am b/Makefile.am Index: fetchmail-6.4.22/Makefile.am
index 1e800085..d747f895 100644 ===================================================================
--- a/Makefile.am --- fetchmail-6.4.22.orig/Makefile.am
+++ b/Makefile.am +++ fetchmail-6.4.22/Makefile.am
@@ -54,7 +54,7 @@ fetchmail_SOURCES= fetchmail.h getopt.h \ @@ -68,7 +68,7 @@ fetchmail_SOURCES= fetchmail.h getopt.h
fetchmail.c env.c idle.c options.c daemon.c \ fetchmail.c env.c idle.c options.c daemon.c \
driver.c transact.c sink.c smtp.c \ driver.c transact.c sink.c smtp.c \
idlist.c uid.c mxget.c md5ify.c cram.c gssapi.c \ idlist.c uid.c mxget.c md5ify.c cram.c gssapi.c \
@ -29,11 +29,11 @@ index 1e800085..d747f895 100644
unmime.c conf.c checkalias.c uid_db.h uid_db.c\ unmime.c conf.c checkalias.c uid_db.h uid_db.c\
lock.h lock.c \ lock.h lock.c \
rcfile_l.l rcfile_y.y \ rcfile_l.l rcfile_y.y \
diff --git a/fetchmail.man b/fetchmail.man Index: fetchmail-6.4.22/fetchmail.man
index d128ece1..aece716e 100644 ===================================================================
--- a/fetchmail.man --- fetchmail-6.4.22.orig/fetchmail.man
+++ b/fetchmail.man +++ fetchmail-6.4.22/fetchmail.man
@@ -928,7 +928,7 @@ This option permits you to specify an authentication type (see USER @@ -1007,7 +1007,7 @@ AUTHENTICATION below for details). The
\&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for
excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP, excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP,
\fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3), \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3),
@ -42,7 +42,7 @@ index d128ece1..aece716e 100644
When \fBany\fP (the default) is specified, fetchmail tries When \fBany\fP (the default) is specified, fetchmail tries
first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV, first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV,
KERBEROS\ 5); then it looks for methods that mask your password KERBEROS\ 5); then it looks for methods that mask your password
@@ -2222,8 +2222,7 @@ Legal protocol identifiers for use with the 'protocol' keyword are: @@ -2351,8 +2351,7 @@ Legal protocol identifiers for use with
Legal authentication types are 'any', 'password', 'kerberos', Legal authentication types are 'any', 'password', 'kerberos',
\&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn' \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
(only for POP3), 'ntlm', 'ssh', 'external' (only IMAP), (only for POP3), 'ntlm', 'ssh', 'external' (only IMAP),
@ -52,11 +52,11 @@ index d128ece1..aece716e 100644
The 'password' type specifies The 'password' type specifies
authentication by normal transmission of a password (the password may be authentication by normal transmission of a password (the password may be
plain text or subject to protocol-specific encryption as in CRAM-MD5); plain text or subject to protocol-specific encryption as in CRAM-MD5);
diff --git a/imap.c b/imap.c Index: fetchmail-6.4.22/imap.c
index 0ab10d31..e38706f5 100644 ===================================================================
--- a/imap.c --- fetchmail-6.4.22.orig/imap.c
+++ b/imap.c +++ fetchmail-6.4.22/imap.c
@@ -14,6 +14,7 @@ @@ -17,6 +17,7 @@
#include <limits.h> #include <limits.h>
#include <errno.h> #include <errno.h>
#endif #endif
@ -64,7 +64,7 @@ index 0ab10d31..e38706f5 100644
#include "socket.h" #include "socket.h"
#include "i18n.h" #include "i18n.h"
@@ -329,63 +330,23 @@ static int do_imap_ntlm(int sock, struct query *ctl) @@ -419,63 +420,23 @@ static int do_imap_ntlm(int sock, struct
static int do_imap_oauthbearer(int sock, struct query *ctl,flag xoauth2) static int do_imap_oauthbearer(int sock, struct query *ctl,flag xoauth2)
{ {
@ -134,11 +134,10 @@ index 0ab10d31..e38706f5 100644
return ok; return ok;
} }
diff --git a/oauth2.c b/oauth2.c Index: fetchmail-6.4.22/oauth2.c
new file mode 100644 ===================================================================
index 00000000..a8a324b8
--- /dev/null --- /dev/null
+++ b/oauth2.c +++ fetchmail-6.4.22/oauth2.c
@@ -0,0 +1,61 @@ @@ -0,0 +1,61 @@
+/* +/*
+ * oauth2.c -- oauthbearer and xoauth2 support + * oauth2.c -- oauthbearer and xoauth2 support
@ -201,11 +200,10 @@ index 00000000..a8a324b8
+ +
+ return oauth2b64; + return oauth2b64;
+} +}
diff --git a/oauth2.h b/oauth2.h Index: fetchmail-6.4.22/oauth2.h
new file mode 100644 ===================================================================
index 00000000..67ebfd6e
--- /dev/null --- /dev/null
+++ b/oauth2.h +++ fetchmail-6.4.22/oauth2.h
@@ -0,0 +1,6 @@ @@ -0,0 +1,6 @@
+#ifndef OAUTH2_H +#ifndef OAUTH2_H
+#define OAUTH2_H +#define OAUTH2_H
@ -213,11 +211,11 @@ index 00000000..67ebfd6e
+char *get_oauth2_string(struct query *ctl,flag xoauth2); +char *get_oauth2_string(struct query *ctl,flag xoauth2);
+ +
+#endif /*OAUTH2_H*/ +#endif /*OAUTH2_H*/
diff --git a/pop3.c b/pop3.c Index: fetchmail-6.4.22/pop3.c
index 076d890e..06fc0a0d 100644 ===================================================================
--- a/pop3.c --- fetchmail-6.4.22.orig/pop3.c
+++ b/pop3.c +++ fetchmail-6.4.22/pop3.c
@@ -15,6 +15,7 @@ @@ -20,6 +20,7 @@
#include <errno.h> #include <errno.h>
#include "fetchmail.h" #include "fetchmail.h"
@ -225,18 +223,18 @@ index 076d890e..06fc0a0d 100644
#include "socket.h" #include "socket.h"
#include "i18n.h" #include "i18n.h"
#include "uid_db.h" #include "uid_db.h"
@@ -55,6 +56,10 @@ flag has_ntlm = FALSE; @@ -52,6 +53,10 @@ static flag has_cram = FALSE;
#ifdef SSL_ENABLE static flag has_otp = FALSE;
static flag has_ntlm = FALSE;
static flag has_stls = FALSE; static flag has_stls = FALSE;
#endif /* SSL_ENABLE */
+static flag has_oauthbearer = FALSE; +static flag has_oauthbearer = FALSE;
+static flag has_xoauth2 = FALSE; +static flag has_xoauth2 = FALSE;
+ +
+static const char *next_sasl_resp = NULL; +static const char *next_sasl_resp = NULL;
/* mailbox variables initialized in pop3_getrange() */ static void clear_sessiondata(void) {
static int last; /* must match defaults above */
@@ -110,12 +115,65 @@ static int pop3_ok (int sock, char *argbuf) @@ -135,12 +140,65 @@ static int pop3_ok (int sock, char *argb
char buf [POPBUFSIZE+1]; char buf [POPBUFSIZE+1];
char *bufp; char *bufp;
@ -244,67 +242,69 @@ index 076d890e..06fc0a0d 100644
+ while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0) + while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
{ bufp = buf; { bufp = buf;
- if (*bufp == '+' || *bufp == '-') - if (*bufp == '+' || *bufp == '-')
- bufp++;
- else
+ if (*bufp == '+') + if (*bufp == '+')
+ { + {
bufp++; + bufp++;
+ if (*bufp == ' ' && next_sasl_resp != NULL) + if (*bufp == ' ' && next_sasl_resp != NULL)
+ { + {
+ /* Currently only used for OAUTHBEARER/XOAUTH2, and only + /* Currently only used for OAUTHBEARER/XOAUTH2, and only
+ * rarely even then. + * rarely even then.
+ * + *
+ * This is the only case where the top while() actually + * This is the only case where the top while() actually
+ * loops. + * loops.
+ * + *
+ * For OAUTHBEARER, data aftetr '+ ' is probably + * For OAUTHBEARER, data aftetr '+ ' is probably
+ * base64-encoded JSON with some HTTP-related error details. + * base64-encoded JSON with some HTTP-related error details.
+ */ + */
+ if (*next_sasl_resp != '\0') + if (*next_sasl_resp != '\0')
+ SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp)); + SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp));
+ SockWrite(sock, "\r\n", 2); + SockWrite(sock, "\r\n", 2);
+ if (outlevel >= O_MONITOR) + if (outlevel >= O_MONITOR)
+ { + {
+ const char *found; + const char *found;
+ if (shroud[0] && (found = strstr(next_sasl_resp, shroud))) + if (shroud[0] && (found = strstr(next_sasl_resp, shroud)))
+ { + {
+ /* enshroud() without copies, and avoid + /* enshroud() without copies, and avoid
+ * confusing with a genuine "*" (cancel). + * confusing with a genuine "*" (cancel).
+ */ + */
+ report(stdout, "POP3> %.*s[SHROUDED]%s\n", + report(stdout, "POP3> %.*s[SHROUDED]%s\n",
+ (int)(found-next_sasl_resp), next_sasl_resp, + (int)(found-next_sasl_resp), next_sasl_resp,
+ found+strlen(shroud)); + found+strlen(shroud));
+ } + }
+ else + else
+ { + {
+ report(stdout, "POP3> %s\n", next_sasl_resp); + report(stdout, "POP3> %s\n", next_sasl_resp);
+ } + }
+ } + }
+ +
+ if (*next_sasl_resp == '\0' || *next_sasl_resp == '*') + if (*next_sasl_resp == '\0' || *next_sasl_resp == '*')
+ { + {
+ /* No more responses expected, cancel AUTH command if + /* No more responses expected, cancel AUTH command if
+ * more responses requested. + * more responses requested.
+ */ + */
+ next_sasl_resp = "*"; + next_sasl_resp = "*";
+ } + }
+ else + else
+ { + {
+ next_sasl_resp = ""; + next_sasl_resp = "";
+ } + }
+ continue; + continue;
+ } + }
+ } + }
+ else if (*bufp == '-') + else if (*bufp == '-')
+ { + {
+ bufp++; + bufp++;
+ } + }
else + else
+ { + {
return(PS_PROTOCOL); return(PS_PROTOCOL);
+ } + }
while (isalpha((unsigned char)*bufp)) while (isalpha((unsigned char)*bufp))
bufp++; bufp++;
@@ -184,6 +242,8 @@ static int pop3_ok (int sock, char *argbuf) @@ -209,6 +267,8 @@ static int pop3_ok (int sock, char *argb
#endif #endif
if (argbuf != NULL) if (argbuf != NULL)
strcpy(argbuf,bufp); strcpy(argbuf,bufp);
@ -313,22 +313,33 @@ index 076d890e..06fc0a0d 100644
} }
return(ok); return(ok);
@@ -212,11 +272,13 @@ static int capa_probe(int sock) @@ -237,11 +297,13 @@ static int capa_probe(int sock)
#ifdef NTLM_ENABLE #ifdef NTLM_ENABLE
has_ntlm = FALSE; has_ntlm = FALSE;
#endif /* NTLM_ENABLE */ #endif /* NTLM_ENABLE */
+ has_oauthbearer = FALSE; + has_oauthbearer = FALSE;
+ has_xoauth2 = FALSE; + has_xoauth2 = FALSE;
ok = gen_transact(sock, "CAPA"); ok = gen_transact(sock, "CAPA");
if (ok == PS_SUCCESS) if (ok == PS_SUCCESS)
{ {
- char buffer[64]; - char buffer[64];
+ char buffer[128]; + char buffer[128];
char *cp;
/* determine what authentication methods we have available */ /* determine what authentication methods we have available */
while ((ok = gen_recv(sock, buffer, sizeof(buffer))) == 0) @@ -256,6 +318,10 @@ static int capa_probe(int sock)
@@ -246,6 +308,12 @@ static int capa_probe(int sock) if (strstr(buffer, "STLS"))
has_stls = TRUE;
#endif /* SSL_ENABLE */
+static flag has_oauthbearer = FALSE;
+static flag has_xoauth2 = FALSE;
+
+static const char *next_sasl_resp = NULL;
#if defined(GSSAPI)
if (strstr(buffer, "GSSAPI"))
@@ -279,6 +345,12 @@ static int capa_probe(int sock)
if (strstr(buffer, "CRAM-MD5")) if (strstr(buffer, "CRAM-MD5"))
has_cram = TRUE; has_cram = TRUE;
@ -341,7 +352,7 @@ index 076d890e..06fc0a0d 100644
} }
} }
done_capa = TRUE; done_capa = TRUE;
@@ -312,6 +380,40 @@ static int do_apop(int sock, struct query *ctl, char *greeting) @@ -295,6 +367,40 @@ static void set_peek_capable(struct quer
peek_capable = !ctl->fetchall && (!ctl->keep || ctl->server.uidl); peek_capable = !ctl->fetchall && (!ctl->keep || ctl->server.uidl);
} }
@ -382,7 +393,7 @@ index 076d890e..06fc0a0d 100644
static int pop3_getauth(int sock, struct query *ctl, char *greeting) static int pop3_getauth(int sock, struct query *ctl, char *greeting)
/* apply for connection authorization */ /* apply for connection authorization */
{ {
@@ -436,6 +538,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) @@ -374,6 +480,7 @@ static int pop3_getauth(int sock, struct
(ctl->server.authenticate == A_KERBEROS_V5) || (ctl->server.authenticate == A_KERBEROS_V5) ||
(ctl->server.authenticate == A_OTP) || (ctl->server.authenticate == A_OTP) ||
(ctl->server.authenticate == A_CRAM_MD5) || (ctl->server.authenticate == A_CRAM_MD5) ||
@ -390,7 +401,7 @@ index 076d890e..06fc0a0d 100644
maybe_starttls(ctl)) maybe_starttls(ctl))
{ {
if ((ok = capa_probe(sock)) != PS_SUCCESS) if ((ok = capa_probe(sock)) != PS_SUCCESS)
@@ -540,6 +643,19 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) @@ -523,6 +630,19 @@ static int pop3_getauth(int sock, struct
/* /*
* OK, we have an authentication type now. * OK, we have an authentication type now.
*/ */
@ -410,6 +421,3 @@ index 076d890e..06fc0a0d 100644
#if defined(KERBEROS_V4) #if defined(KERBEROS_V4)
/* /*
* Servers doing KPOP have to go through a dummy login sequence * Servers doing KPOP have to go through a dummy login sequence
--
2.31.1
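Review bot: The refreshed pop3 patch appears to declare `has_oauthbearer`, `has_xoauth2` and `next_sasl_resp` twice: once at file scope (hunk `@@ -52,6 +53,10 @@`) and again inside `capa_probe()` in the new hunk `@@ -256,6 +318,10 @@`, directly after the `STLS` check. Block-scope `static` declarations at that point shadow the file-scope flags for the rest of the loop body, so the capability assignments added by the following hunk (`@@ -279,6 +345,12 @@`, whose body is not fully visible here) would presumably update only the local copies, and `pop3_getauth()` would never see OAUTHBEARER/XOAUTH2 as advertised. This looks like a hunk mis-applied during the rebase; I would drop the second hunk so that only the file-scope `static flag has_oauthbearer = FALSE;` / `static flag has_xoauth2 = FALSE;` / `static const char *next_sasl_resp = NULL;` remain, and build with `-Wshadow` to confirm. Separately, the file-scope statics now sit above `clear_sessiondata()`, whose comment says it "must match defaults above"; if it is not already done outside the visible lines, `next_sasl_resp = NULL;` should be reset there as well.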


@ -1,3 +1,72 @@
-------------------------------------------------------------------
Wed Oct 6 15:00:19 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
* OPENSSL AND LICENSING NOTE:
- fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
OpenSSL's licensing changed between these releases from dual
OpenSSL/SSLeay license to Apache License v2.0, which is
considered incompatible with GPL v2 by the FSF. For
implications and details, see the file COPYING.
* SECURITY FIXES:
- CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
without --ssl and with nonempty --sslproto, meaning that
fetchmail is to enforce TLS, and when the server or an attacker
sends a PREAUTH greeting, fetchmail used to continue an
unencrypted connection. Now, log the error and abort the
connection. --Recommendation for servers that support
SSL/TLS-wrapped or "implicit" mode on a dedicated port
(default 993): use --ssl, or the ssl user option in an rcfile.
- On IMAP and POP3 connections, --auth ssh no longer prevents
STARTTLS negotiation.
- On IMAP connections, fetchmail does not permit overriding
a server-side LOGINDISABLED with --auth password any more.
- On POP3 connections, the possibility for RPA authentication
(by probing with an AUTH command without arguments) no longer
prevents STARTTLS negotiation.
- For POP3 connections, only attempt RPA if the authentication
type is "any".
* BUG FIXES:
- On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
have received the tagged (= final) response, do not send "*".
- On IMAP connections, AUTHENTICATE EXTERNAL without username
will properly send a "=" for protocol compliance.
- On IMAP connections, AUTHENTICATE EXTERNAL will now check if
the server advertised SASL-IR (RFC-4959) support and otherwise
refuse (fetchmail <= 6.4 has not supported and does not support
the separate challenge/response with command continuation)
- On IMAP connections, when --auth external is requested but not
advertised by the server, log a proper error message.
- Fetchmail no longer crashes when attempting a connection with
--plugin "" or --plugout "".
- Fetchmail no longer leaks memory when processing the arguments
of --plugin or --plugout on connections.
- On POP3 connections, the CAPAbilities parser is now caseblind.
- Fix segfault on configurations with "defaults ... no envelope".
This is a regression in fetchmail 6.4.3 and happened when
plugging memory leaks, which did not account for that the
envelope parameter is special when set as "no envelope". The
segfault happens in a constant strlen(-1), triggered by trusted
local input => no vulnerability.
- Fix program abort (SIGABRT) with "internal error" when invalid
sslproto is given with OpenSSL 1.1.0 API compatible SSL
implementations.
* CHANGES:
- IMAP: When fetchmail is in not-authenticated state and the server
volunteers CAPABILITY information, use it and do not re-probe.
(After STARTTLS, fetchmail must and will re-probe explicitly.)
- For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl
option do not match, emit a warning and continue.
- fetchmail.man and README.SSL were updated in line with
RFC-8314/8996/8997 recommendations to prefer Implicit TLS
(--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+
more prominently. The defaults shall not change between 6.4.X
releases for compatibility.
* Rebase patches:
fetchmail-add-imap-oauthbearer-support.patch
fetchmail-add-query_to64_outsize-utility-function.patch
fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 14 08:55:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com> Tue Sep 14 08:55:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com>


@ -21,7 +21,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: fetchmail Name: fetchmail
Version: 6.4.21 Version: 6.4.22
Release: 0 Release: 0
Summary: Full-Featured POP and IMAP Mail Retrieval Daemon Summary: Full-Featured POP and IMAP Mail Retrieval Daemon
License: GPL-2.0-or-later License: GPL-2.0-or-later