From ad71aaf14df1ae20b183abb6985441e02211eeefd236f40a49138ef7a4bd7b34 Mon Sep 17 00:00:00 2001
From: Angel Yankov
Date: Wed, 5 Nov 2025 10:21:44 +0200
Subject: [PATCH] Fix CVE-2025-61962
---
 fetchmail-CVE-2025-61962.patch | 44 ++++++++++++++++++++++++++++++++++
 fetchmail.changes | 6 +++++
 fetchmail.spec | 2 ++
 3 files changed, 52 insertions(+)
 create mode 100644 fetchmail-CVE-2025-61962.patch
diff --git a/fetchmail-CVE-2025-61962.patch b/fetchmail-CVE-2025-61962.patch
new file mode 100644
index 0000000..1962a71
--- /dev/null
+++ b/fetchmail-CVE-2025-61962.patch
@@ -0,0 +1,44 @@
+commit 4c3cebfa4e659fb778ca2cae0ccb3f69201609a8
+Author: Matthias Andree
+Date: Fri Oct 3 13:11:59 2025 +0200
+
+ Security fix: avoid NULL+1 deref on invalid AUTH reply
+
+ When fetchmail receives a 334 reply from the SMTP server
+ that does not contain the mandated blank after that response
+ code, it will attempt reading from memory location 1, which
+ will usually lead to a crash.
+
+ The simpler fix would have been to check for four bytes "334 "
+ instead of three bytes "334" but that would make malformed
+ replies and those that don't match the expected reply code
+ indistinguishable.
+
+Index: fetchmail-6.5.2/smtp.c
+===================================================================
+--- fetchmail-6.5.2.orig/smtp.c
++++ fetchmail-6.5.2/smtp.c
+@@ -93,6 +93,11 @@ static void SMTP_auth(int sock, char smt
+ }
+
+ p = strchr(tmp, ' ');
++ if (!p) {
++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
++ SMTP_auth_error(sock, "");
++ return;
++ }
+ p++;
+ /* (hmh) from64tobits will not NULL-terminate strings! */
+ if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) {
+@@ -146,6 +151,11 @@ static void SMTP_auth(int sock, char smt
+ }
+
+ p = strchr(tmp, ' ');
++ if (!p) {
++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
++ SMTP_auth_error(sock, "");
++ return;
++ }
+ p++;
+ if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) {
+ SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n"));
diff --git a/fetchmail.changes b/fetchmail.changes
index a59720c..a24ab32 100644
--- a/fetchmail.changes
+++ b/fetchmail.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Nov 5 08:20:48 UTC 2025 - Angel Yankov
+
+- Security update: Fix [bsc#1251194, CVE-2025-61962]
+ * Add fetchmail-CVE-2025-61962.patch
+
 -------------------------------------------------------------------
 Tue Jan 14 08:56:46 UTC 2025 - Angel Yankov
 
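Review bot: In the new fetchmail-CVE-2025-61962.patch, the guard added after `p = strchr(tmp, ' ');` rejects only a reply that contains no blank at all, so a reply whose first blank is not directly after the three-digit code would still have the text following that blank handed to from64tobits(). Assuming the check before it (outside the hunk; the commit message describes it as matching the three bytes "334") guarantees that tmp starts with the code, comparing the position keeps the separate "Malformed server reply" report while being stricter: `if (p != tmp + 3) {`. The same five lines are added in both smtp.c hunks (at -93 and -146), so the point applies to both. If the empty string in `SMTP_auth_error(sock, "");` is deliberate because report() has already printed the reason, a short comment saying so would help the next reader. SMTP_auth starts and ends outside both hunks.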
diff --git a/fetchmail.spec b/fetchmail.spec
index f0ebe98..e664193 100644
--- a/fetchmail.spec
+++ b/fetchmail.spec
@@ -50,6 +50,8 @@ Patch11: fetchmail-increase-max-password-length-to-handle-oauth-tokens.pa
 Patch12: fetchmail-bump-max-passwordlen-to-1bytes.patch
 Patch13: fetchmail-add-readme-oauth2-issue-27.patch
 Patch14: fetchmailconf-no-more-future.patch
+# PATCH-FIX-UPSTREAM: bsc#1251194, CVE-2025-61962 - denial of service
+Patch15: fetchmail-CVE-2025-61962.patch
 BuildRequires: automake
 BuildRequires: bison
 BuildRequires: fdupes
-- 
2.51.1
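Review bot: Only the `Patch15:` declaration and its comment are added to fetchmail.spec (the diffstat shows two insertions), so nothing in this commit applies the patch explicitly. If %prep, which is outside the hunk, uses `%autosetup` or `%autopatch`, the new file is picked up automatically. If it lists patches one by one, a matching `%patch -P 15 -p1` line is needed, otherwise the security fix would be carried in the source package without being applied to smtp.c. The inner patch uses `fetchmail-6.5.2/smtp.c` paths, so it expects strip level 1.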