2021-06-04 14:09:36 +02:00
|
|
|
From: Matthew Ogilvie <mmogilvi+fml@zoho.com>
|
|
|
|
|
Date: Fri, 21 Dec 2018 09:00:46 -0700
|
|
|
|
|
Subject: add query_to64_outsize() utility function
|
|
|
|
|
Git-repo: https://gitlab.com/fetchmail/fetchmail.git
|
|
|
|
|
Git-commit: cc6e146d516140df800da68976eb7c0aa1cef7c0
|
|
|
|
|
|
|
|
|
|
---
|
2022-08-01 09:35:53 +02:00
|
|
|
base64.c | 7 +++++++
|
|
|
|
|
fetchmail.h | 1 +
|
2021-06-04 14:09:36 +02:00
|
|
|
2 files changed, 8 insertions(+)
|
|
|
|
|
|
2022-08-01 09:35:53 +02:00
|
|
|
--- a/base64.c
|
|
|
|
|
+++ b/base64.c
|
Accepting request 923570 from home:pmonrealgonzalez:branches:server:mail
- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
* OPENSSL AND LICENSING NOTE:
- fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
OpenSSL's licensing changed between these releases from dual
OpenSSL/SSLeay license to Apache License v2.0, which is
considered incompatible with GPL v2 by the FSF. For
implications and details, see the file COPYING.
* SECURITY FIXES:
- CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
without --ssl and with nonempty --sslproto, meaning that
fetchmail is to enforce TLS, and when the server or an attacker
sends a PREAUTH greeting, fetchmail used to continue an
unencrypted connection. Now, log the error and abort the
connection. --Recommendation for servers that support
SSL/TLS-wrapped or "implicit" mode on a dedicated port
(default 993): use --ssl, or the ssl user option in an rcfile.
- On IMAP and POP3 connections, --auth ssh no longer prevents
STARTTLS negotiation.
- On IMAP connections, fetchmail does not permit overriding
a server-side LOGINDISABLED with --auth password any more.
- On POP3 connections, the possibility for RPA authentication
(by probing with an AUTH command without arguments) no longer
prevents STARTTLS negotiation.
- For POP3 connections, only attempt RPA if the authentication
type is "any".
* BUG FIXES:
- On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
have received the tagged (= final) response, do not send "*".
- On IMAP connections, AUTHENTICATE EXTERNAL without username
will properly send a "=" for protocol compliance.
OBS-URL: https://build.opensuse.org/request/show/923570
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=120
2021-10-12 11:48:34 +02:00
|
|
|
@@ -66,6 +66,13 @@ fail:
|
2021-06-04 14:09:36 +02:00
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+size_t query_to64_outsize(size_t inlen)
|
|
|
|
|
+/* Returns how much space needs to be allocated to receive the output from
|
|
|
|
|
+ * to64frombits(), including the '\0' terminator. */
|
|
|
|
|
+{
|
|
|
|
|
+ return ((inlen+2)/3)*4+1;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
int from64tobits(void *out_, const char *in, int maxlen)
|
|
|
|
|
/* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
|
|
|
|
|
/* maxlen limits output buffer size, set to zero to ignore */
|
2022-08-01 09:35:53 +02:00
|
|
|
--- a/fetchmail.h
|
|
|
|
|
+++ b/fetchmail.h
|
Accepting request 923570 from home:pmonrealgonzalez:branches:server:mail
- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
* OPENSSL AND LICENSING NOTE:
- fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
OpenSSL's licensing changed between these releases from dual
OpenSSL/SSLeay license to Apache License v2.0, which is
considered incompatible with GPL v2 by the FSF. For
implications and details, see the file COPYING.
* SECURITY FIXES:
- CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
without --ssl and with nonempty --sslproto, meaning that
fetchmail is to enforce TLS, and when the server or an attacker
sends a PREAUTH greeting, fetchmail used to continue an
unencrypted connection. Now, log the error and abort the
connection. --Recommendation for servers that support
SSL/TLS-wrapped or "implicit" mode on a dedicated port
(default 993): use --ssl, or the ssl user option in an rcfile.
- On IMAP and POP3 connections, --auth ssh no longer prevents
STARTTLS negotiation.
- On IMAP connections, fetchmail does not permit overriding
a server-side LOGINDISABLED with --auth password any more.
- On POP3 connections, the possibility for RPA authentication
(by probing with an AUTH command without arguments) no longer
prevents STARTTLS negotiation.
- For POP3 connections, only attempt RPA if the authentication
type is "any".
* BUG FIXES:
- On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
have received the tagged (= final) response, do not send "*".
- On IMAP connections, AUTHENTICATE EXTERNAL without username
will properly send a "=" for protocol compliance.
OBS-URL: https://build.opensuse.org/request/show/923570
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=120
2021-10-12 11:48:34 +02:00
|
|
|
@@ -642,6 +642,7 @@ int prc_filecheck(const char *, const fl
|
2021-06-04 14:09:36 +02:00
|
|
|
/* base64.c */
|
Accepting request 923570 from home:pmonrealgonzalez:branches:server:mail
- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
* OPENSSL AND LICENSING NOTE:
- fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
OpenSSL's licensing changed between these releases from dual
OpenSSL/SSLeay license to Apache License v2.0, which is
considered incompatible with GPL v2 by the FSF. For
implications and details, see the file COPYING.
* SECURITY FIXES:
- CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
without --ssl and with nonempty --sslproto, meaning that
fetchmail is to enforce TLS, and when the server or an attacker
sends a PREAUTH greeting, fetchmail used to continue an
unencrypted connection. Now, log the error and abort the
connection. --Recommendation for servers that support
SSL/TLS-wrapped or "implicit" mode on a dedicated port
(default 993): use --ssl, or the ssl user option in an rcfile.
- On IMAP and POP3 connections, --auth ssh no longer prevents
STARTTLS negotiation.
- On IMAP connections, fetchmail does not permit overriding
a server-side LOGINDISABLED with --auth password any more.
- On POP3 connections, the possibility for RPA authentication
(by probing with an AUTH command without arguments) no longer
prevents STARTTLS negotiation.
- For POP3 connections, only attempt RPA if the authentication
type is "any".
* BUG FIXES:
- On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
have received the tagged (= final) response, do not send "*".
- On IMAP connections, AUTHENTICATE EXTERNAL without username
will properly send a "=" for protocol compliance.
OBS-URL: https://build.opensuse.org/request/show/923570
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=120
2021-10-12 11:48:34 +02:00
|
|
|
unsigned len64frombits(unsigned inlen); /** calculate length needed to encode inlen octets. warnings: 1. caller needs to add 1 for a trailing \0 byte himself. 2. returns 0 for inlen 0! */
|
2021-06-04 14:09:36 +02:00
|
|
|
int to64frombits(char *, const void *, int inlen, size_t outlen);
|
|
|
|
|
+size_t query_to64_outsize(size_t inlen);
|
|
|
|
|
int from64tobits(void *, const char *, int mxoutlen);
|
|
|
|
|
|
|
|
|
|
/* unmime.c */
|
