fetchmail/fetchmail-give-each-ctl-it-s-own-copy-of-password.patch

From: Matthew Ogilvie <mmogilvi+fml@zoho.com>
Date: Fri, 9 Jun 2017 19:31:17 -0600
Subject: give each ctl it's own copy of password
Git-repo: https://gitlab.com/fetchmail/fetchmail.git
Git-commit: 469b0a212e7f047ab16ef46a9158df5fb373e8c2

pwdb_* and passwordfile options may free and re-allocate password
for each poll operation.  Giving each context it's own copy of
the password should prevent accessing freed memory in another copy.

I haven't tested pwmd, but these seem like obvious fixes.
---
 fetchmail.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fetchmail.c b/fetchmail.c
index 0292d42a..e2828a4f 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -386,7 +386,7 @@ int main(int argc, char **argv)
 	    if (NO_PASSWORD(ctl))
 		/* Server won't care what the password is, but there
 		   must be some non-null string here.  */
-		ctl->password = ctl->remotename;
+		ctl->password = xstrdup(ctl->remotename);
 	    else if (!ctl->passwordfile && ctl->passwordfd==-1)
 	    {
 		netrc_entry *p;
@@ -1072,7 +1072,15 @@ static void optmerge(struct query *h2, struct query *h1, int force)
 
     FLAG_MERGE(wildcard);
     STRING_MERGE(remotename);
-    STRING_MERGE(password);
+    if (force ? !!h1->password : !h2->password) {
+	if (h2->password) {
+		memset(h2->password, 0x55, strlen(h2->password));
+		xfree(h2->password);
+	}
+	if (h1->password) {
+	    h2->password = xstrdup(h1->password);
+	}
+    }
     FLAG_MERGE(passwordfile);
     if (force ? h1->passwordfd!=-1 : h2->passwordfd==-1) {
 	h2->passwordfd = h1->passwordfd;
-- 
2.31.1
Accepting request 892934 from home:jeff_mahoney:branches:server:mail - Backported support for OAUTH2 authentication from Fetchmail 7.0. - add imap oauthbearer support - support oauthbearer/xoauth2 with pop3 - add passwordfile and passwordfd options - add contrib/fetchnmail-oauth2.py token acquisition utility - FAQ: list gmail options including oauthbearer and app password - give each ctl it's own copy of password - re-read passwordfile on every poll - add query_to64_outsize() utility function - Chase and integrate interface change. - oauth2.c: calculate and pass in correct buffer size to to64frombits() - Increase max password length to handle oauth tokens - Bump max. passwordlen to 10000 bytes. - Add README.OAUTH2 - Added patches: * fetchmail-add-imap-oauthbearer-support.patch * fetchmail-support-oauthbearer-xoauth2-with-pop3.patch * fetchmail-add-passwordfile-and-passwordfd-options.patch * fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch * fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch * fetchmail-give-each-ctl-it-s-own-copy-of-password.patch * fetchmail-re-read-passwordfile-on-every-poll.patch * fetchmail-add-query_to64_outsize-utility-function.patch * fetchmail-chase-and-integrate-interface-change.patch * fetchmail-oauth2-c-calculate-and-pass-in-correct-buffer-size-to-to64frombits.patch * fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch * fetchmail-bump-max-passwordlen-to-1bytes.patch * fetchmail-add-readme-oauth2-issue-27.patch OBS-URL: https://build.opensuse.org/request/show/892934 OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=113 2021-06-04 14:09:36 +02:00			`From: Matthew Ogilvie <mmogilvi+fml@zoho.com>`
			`Date: Fri, 9 Jun 2017 19:31:17 -0600`
			`Subject: give each ctl it's own copy of password`
			`Git-repo: https://gitlab.com/fetchmail/fetchmail.git`
			`Git-commit: 469b0a212e7f047ab16ef46a9158df5fb373e8c2`

			`pwdb_* and passwordfile options may free and re-allocate password`
			`for each poll operation. Giving each context it's own copy of`
			`the password should prevent accessing freed memory in another copy.`

			`I haven't tested pwmd, but these seem like obvious fixes.`
			`---`
			`fetchmail.c \| 12 ++++++++++--`
			`1 file changed, 10 insertions(+), 2 deletions(-)`

			`diff --git a/fetchmail.c b/fetchmail.c`
			`index 0292d42a..e2828a4f 100644`
			`--- a/fetchmail.c`
			`+++ b/fetchmail.c`
			`@@ -386,7 +386,7 @@ int main(int argc, char **argv)`
			`if (NO_PASSWORD(ctl))`
			`/* Server won't care what the password is, but there`
			`must be some non-null string here. */`
			`- ctl->password = ctl->remotename;`
			`+ ctl->password = xstrdup(ctl->remotename);`
			`else if (!ctl->passwordfile && ctl->passwordfd==-1)`
			`{`
			`netrc_entry *p;`
			`@@ -1072,7 +1072,15 @@ static void optmerge(struct query h2, struct query h1, int force)`

			`FLAG_MERGE(wildcard);`
			`STRING_MERGE(remotename);`
			`- STRING_MERGE(password);`
			`+ if (force ? !!h1->password : !h2->password) {`
			`+ if (h2->password) {`
			`+ memset(h2->password, 0x55, strlen(h2->password));`
			`+ xfree(h2->password);`
			`+ }`
			`+ if (h1->password) {`
			`+ h2->password = xstrdup(h1->password);`
			`+ }`
			`+ }`
			`FLAG_MERGE(passwordfile);`
			`if (force ? h1->passwordfd!=-1 : h2->passwordfd==-1) {`
			`h2->passwordfd = h1->passwordfd;`
			`--`
			`2.31.1`