Accepting request 923570 from home:pmonrealgonzalez:branches:server:mail

- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
  * OPENSSL AND LICENSING NOTE:
    - fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
      OpenSSL's licensing changed between these releases from dual
      OpenSSL/SSLeay license to Apache License v2.0, which is
      considered incompatible with GPL v2 by the FSF. For
      implications and details, see the file COPYING.
  * SECURITY FIXES:
    - CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
      without --ssl and with nonempty --sslproto, meaning that
      fetchmail is to enforce TLS, and when the server or an attacker
      sends a PREAUTH greeting, fetchmail used to continue an
      unencrypted connection. Now, log the error and abort the
      connection. --Recommendation for servers that support
      SSL/TLS-wrapped or "implicit" mode on a dedicated port
      (default 993): use --ssl, or the ssl user option in an rcfile.
    - On IMAP and POP3 connections, --auth ssh no longer prevents
      STARTTLS negotiation.
    - On IMAP connections, fetchmail does not permit overriding
      a server-side LOGINDISABLED with --auth password any more.
    - On POP3 connections, the possibility for RPA authentication
      (by probing with an AUTH command without arguments) no longer
      prevents STARTTLS negotiation.
    - For POP3 connections, only attempt RPA if the authentication
      type is "any".
  * BUG FIXES:
    - On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
      have received the tagged (= final) response, do not send "*".
    - On IMAP connections, AUTHENTICATE EXTERNAL without username
      will properly send a "=" for protocol compliance.

OBS-URL: https://build.opensuse.org/request/show/923570
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=120

fetchmail-6.4.21.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6a459c1cafd7a1daa5cd137140da60c18c84b5699cd8e7249a79c33342c99d1d
-size 1318996

fetchmail-6.4.21.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmERU34ACgkQ5BKxVu/z
-hVr5axAAhaFZJ+WyIy6uEdi5a7vTm73DYSKJFd8knNI/1Luipb0XDCq92JOiWu9v
-qdKOAvxRFbc2bWFXnaN4cHoHa/gnTU3O3xkVqexGZ0K8dysEwgMrKIqnEx36g2/5
-bvTyJOBoxYT5zamepzBDKoOpbtNJb7yOfzayMaKKoVdgnTw+jWGXxwnQyx1pcewM
-hGjY9SjgI4LSS8e28o/aeklGi0K8izZPWeSdq6NtWoN2SGF0wNevCCJTAU0fgzfG
-L2KsCmGKizzFNrYNEF/OrTtjVkPU4fNRliXbisd87Vakz1ELRcPuWv/DgH2PBqdF
-klIz5kHLKU04CmRS7ZLqKzatm5wZ5rNea8itLsx1azYik2rw9JRNZEgseA5xYwJb
-1KglR6zhVaw3HnUtd42xFwHM4gArQuNOKsR3Ar51pDbtHJEmfM02GgKuUMoPL8iy
-XEVyRKrm/ogCvqOLTJSIkuOBWiQ6S0TTgx0GeJWsWv4um0dBIHspjGqIyKb/skll
-N96hcXsHLEOSHXF8+Be0psLJg7vMjpP5+LAzdArWwjO+lHaMz1MPiEmHvGgOR6EM
-1WAoFwi7A2+uUeNKonlZ7R2w16hx2DPl08BjJ95a/cVMX3SF/Qe17ixaZIxglmSF
-ejhIZzdwjRoFvidQYuDcEedHdlIaqok8JJK5VGEKHQBXa+83tjg=
-=SQ77
------END PGP SIGNATURE-----

fetchmail-6.4.22.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc6818bd59435602169fa292d6d163d56b21c7f53112829470a3aceabe612c84
+size 1330176

fetchmail-6.4.22.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmE/vEgACgkQ5BKxVu/z
+hVqlTA//bMqmPdUfYjm6VYSy3n2v+arXSp1t3G3rKuWGUXsxu6w8YmTNgd7y+3b8
+k5owzg60FOHYaG2icX+2DYfZlprWdsz8sI1fZRUH5xxe4ozAPg0iPbvSLiXqBNI8
+uxewWTOt1pCSYQptaWF32wqZvcHtnHU0nEEEy0u3n1UG9vEbDoh7Ej9Z0TpvwnhA
+54tU8vDV/sQdS+XN/DuWYfXp6cqrNg6P/eGUb877i+E2YoFsoqHrZV0A27IMTxOn
+qTi0upysu0QyMRQo1Xd6zwjs7MyPudZ9pMoeXGu+wnFW6g8dDsnTx/SBh27sgssh
+SwTnKYANztgDCGH2ySrLgX0QxseI8Y7JPNbfQDS3pkpPx5TQuO+aDQcQhXhzG94o
+oez7/aUmSvAIbPKiF8Y1SQMoRms5iSNVJL8LyQNLOSDZziKT+fGzDVJhnNh3Jcn9
+Pbj5oMYkcd8YKcjZYRXlwK4rbdcvA/79b3TuFMmcZ7eiTJHiy7i/C7R9qrYyxXao
+c6ZmRjNuAYpL0TnFhIy/yUe/+mhse87a4I2XTk1CE1Z1RpNI4xPDHO+7EtSyTZDV
+1rBs9tA2B7t/WcXVQxZDF4MqJ02TWZRwCgxRJGCMG7d28xvZaxpuZrZ9jlosQHt4
+jEgoWvcboCCK0WOZlnpgtKwvd8SRoPoDxLJmnKc35r1dqsP4Aso=
+=Qd4Q
+-----END PGP SIGNATURE-----

fetchmail-add-imap-oauthbearer-support.patch

@@ -17,8 +17,10 @@ When configured, it will also fall back on trying xoauth2.
  rcfile_l.l       |    1 
  8 files changed, 136 insertions(+), 3 deletions(-)
 
---- a/conf.c
-+++ b/conf.c
+Index: fetchmail-6.4.22/conf.c
+===================================================================
+--- fetchmail-6.4.22.orig/conf.c
++++ fetchmail-6.4.22/conf.c
 @@ -288,6 +288,8 @@ void dump_config(struct runctl *runp, st
  		stringdump("auth", "otp");
  	    else if (ctl->server.authenticate == A_MSN)
@@ -28,9 +30,11 @@ When configured, it will also fall back on trying xoauth2.
  
  #ifdef HAVE_RES_SEARCH
  	    booldump("dns", ctl->server.dns);
---- a/fetchmail.c
-+++ b/fetchmail.c
-@@ -1766,6 +1766,9 @@ static void dump_params (struct runctl *
+Index: fetchmail-6.4.22/fetchmail.c
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.c
++++ fetchmail-6.4.22/fetchmail.c
+@@ -1776,6 +1776,9 @@ static void dump_params (struct runctl *
  	case A_SSH:
  	    printf(GT_("  End-to-end encryption assumed.\n"));
  	    break;
@@ -40,8 +44,10 @@ When configured, it will also fall back on trying xoauth2.
  	}
  	if (ctl->server.principal != (char *) NULL)
  	    printf(GT_("  Mail service principal is: %s\n"), ctl->server.principal);
---- a/fetchmail.h
-+++ b/fetchmail.h
+Index: fetchmail-6.4.22/fetchmail.h
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.h
++++ fetchmail-6.4.22/fetchmail.h
 @@ -79,6 +79,7 @@ struct addrinfo;
  #define		A_SSH		8	/* authentication at session level */
  #define		A_MSN		9	/* same as NTLM with keyword MSN */
@@ -58,9 +64,11 @@ When configured, it will also fall back on trying xoauth2.
  #define		PASSWORDLEN	256	/* max password length */
  #define		DIGESTLEN	33	/* length of MD5 digest */
  
---- a/fetchmail.man
-+++ b/fetchmail.man
-@@ -1001,7 +1001,7 @@ AUTHENTICATION below for details).  The
+Index: fetchmail-6.4.22/fetchmail.man
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.man
++++ fetchmail-6.4.22/fetchmail.man
+@@ -1007,7 +1007,7 @@ AUTHENTICATION below for details).  The
  \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for
  excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP,
  \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3),
@@ -69,7 +77,7 @@ When configured, it will also fall back on trying xoauth2.
  When \fBany\fP (the default) is specified, fetchmail tries
  first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV,
  KERBEROS\ 5); then it looks for methods that mask your password
-@@ -1021,6 +1021,23 @@ GSSAPI or K4.  Choosing KPOP protocol au
+@@ -1027,6 +1027,23 @@ GSSAPI or K4.  Choosing KPOP protocol au
  authentication.  This option does not work with ETRN.  GSSAPI service names are
  in line with RFC-2743 and IANA registrations, see
  .URL https://www.iana.org/assignments/gssapi-service-names/ "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names" .
@@ -93,7 +101,7 @@ When configured, it will also fall back on trying xoauth2.
  .SS Miscellaneous Options
  .TP
  .B \-f <pathname> | \-\-fetchmailrc <pathname>
-@@ -2327,7 +2344,9 @@ Legal protocol identifiers for use with
+@@ -2333,7 +2350,9 @@ Legal protocol identifiers for use with
  .PP
  Legal authentication types are 'any', 'password', 'kerberos',
  \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
@@ -104,9 +112,11 @@ When configured, it will also fall back on trying xoauth2.
  The 'password' type specifies
  authentication by normal transmission of a password (the password may be
  plain text or subject to protocol-specific encryption as in CRAM-MD5);
---- a/fetchmailconf.py
-+++ b/fetchmailconf.py
-@@ -487,7 +487,7 @@ defaultports = {"auto":None,
+Index: fetchmail-6.4.22/fetchmailconf.py
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmailconf.py
++++ fetchmail-6.4.22/fetchmailconf.py
+@@ -500,7 +500,7 @@ defaultports = {"auto":None,
                  "ODMR":"odmr"}
  
  authlist = ("any", "password", "gssapi", "kerberos", "ssh", "otp",
@@ -115,8 +125,10 @@ When configured, it will also fall back on trying xoauth2.
  
  listboxhelp = {
      'title' : 'List Selection Help',
---- a/imap.c
-+++ b/imap.c
+Index: fetchmail-6.4.22/imap.c
+===================================================================
+--- fetchmail-6.4.22.orig/imap.c
++++ fetchmail-6.4.22/imap.c
 @@ -26,6 +26,10 @@
  #define IMAP4		0	/* IMAP4 rev 0, RFC1730 */
  #define IMAP4rev1	1	/* IMAP4 rev 1, RFC2060 */
@@ -128,16 +140,16 @@ When configured, it will also fall back on trying xoauth2.
  /* global variables: please reinitialize them explicitly for proper
   * working in daemon mode */
  
-@@ -38,6 +42,8 @@ static int imap_version = IMAP4;
- static flag do_idle = FALSE, has_idle = FALSE;
- static int expunge_period = 1;
+@@ -51,6 +55,8 @@ static void clear_sessiondata(void) {
+  * a const initializer */
+ const char *const capa_begin = " [CAPABILITY "; const unsigned capa_len = 13;
  
 +static int plus_cont_context = IPLUS_NONE;
 +
  /* mailbox variables initialized in imap_getrange() */
  static int count = 0, oldcount = 0, recentcount = 0, unseen = 0, deletions = 0;
  static unsigned int startcount = 1;
-@@ -202,6 +208,21 @@ static int imap_response(int sock, char
+@@ -266,6 +272,21 @@ static int imap_response(int sock, char
  	if (ok != PS_SUCCESS)
  	    return(ok);
  
@@ -159,7 +171,7 @@ When configured, it will also fall back on trying xoauth2.
  	/* all tokens in responses are caseblind */
  	for (cp = buf; *cp; cp++)
  	    if (islower((unsigned char)*cp))
-@@ -316,6 +337,69 @@ static int do_imap_ntlm(int sock, struct
+@@ -396,6 +417,69 @@ static int do_imap_ntlm(int sock, struct
  }
  #endif /* NTLM */
  
@@ -229,9 +241,9 @@ When configured, it will also fall back on trying xoauth2.
  static void imap_canonicalize(char *result, char *raw, size_t maxlen)
  /* encode an IMAP password as per RFC1730's quoting conventions */
  {
-@@ -510,6 +594,26 @@ static int imap_getauth(int sock, struct
-      */
-     ok = PS_AUTHFAIL;
+@@ -577,6 +661,26 @@ static int imap_getauth(int sock, struct
+ 			 for future maintenance */
+     (void)ok;
  
 +    if (ctl->server.authenticate == A_OAUTHBEARER)
 +    {
@@ -256,8 +268,10 @@ When configured, it will also fall back on trying xoauth2.
      /* Yahoo hack - we'll just try ID if it was offered by the server,
       * and IGNORE errors. */
      {
---- a/options.c
-+++ b/options.c
+Index: fetchmail-6.4.22/options.c
+===================================================================
+--- fetchmail-6.4.22.orig/options.c
++++ fetchmail-6.4.22/options.c
 @@ -421,6 +421,8 @@ int parsecmdline (int argc /** argument
  		ctl->server.authenticate = A_ANY;
  	    else if (strcmp(optarg, "msn") == 0)
@@ -267,8 +281,10 @@ When configured, it will also fall back on trying xoauth2.
  	    else {
  		fprintf(stderr,GT_("Invalid authentication `%s' specified.\n"), optarg);
  		errflag++;
---- a/rcfile_l.l
-+++ b/rcfile_l.l
+Index: fetchmail-6.4.22/rcfile_l.l
+===================================================================
+--- fetchmail-6.4.22.orig/rcfile_l.l
++++ fetchmail-6.4.22/rcfile_l.l
 @@ -106,6 +106,7 @@ cram(-md5)?	{ SETSTATE(0); yylval.proto
  msn		{ SETSTATE(0); yylval.proto = A_MSN; return AUTHTYPE;}
  ntlm		{ SETSTATE(0); yylval.proto = A_NTLM; return AUTHTYPE;}

fetchmail-add-query_to64_outsize-utility-function.patch

@@ -9,11 +9,11 @@ Git-commit: cc6e146d516140df800da68976eb7c0aa1cef7c0
  fetchmail.h | 1 +
  2 files changed, 8 insertions(+)
 
-diff --git a/base64.c b/base64.c
-index 3cd41691..25393b35 100644
---- a/base64.c
-+++ b/base64.c
-@@ -61,6 +61,13 @@ fail:
+Index: fetchmail-6.4.22/base64.c
+===================================================================
+--- fetchmail-6.4.22.orig/base64.c
++++ fetchmail-6.4.22/base64.c
+@@ -66,6 +66,13 @@ fail:
      return rc;
  }
  
@@ -27,16 +27,15 @@ index 3cd41691..25393b35 100644
  int from64tobits(void *out_, const char *in, int maxlen)
  /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
  /* maxlen limits output buffer size, set to zero to ignore */
-diff --git a/fetchmail.h b/fetchmail.h
-index 8b9dd6c4..2d378942 100644
---- a/fetchmail.h
-+++ b/fetchmail.h
-@@ -638,6 +638,7 @@ int prc_filecheck(const char *, const flag);
- 
+Index: fetchmail-6.4.22/fetchmail.h
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.h
++++ fetchmail-6.4.22/fetchmail.h
+@@ -642,6 +642,7 @@ int prc_filecheck(const char *, const fl
  /* base64.c */
+ unsigned len64frombits(unsigned inlen); /** calculate length needed to encode inlen octets. warnings: 1. caller needs to add 1 for a trailing \0 byte himself. 2. returns 0 for inlen 0! */
  int to64frombits(char *, const void *, int inlen, size_t outlen);
 +size_t query_to64_outsize(size_t inlen);
  int from64tobits(void *, const char *, int mxoutlen);
  
  /* unmime.c */
-

fetchmail-support-oauthbearer-xoauth2-with-pop3.patch

@@ -16,11 +16,11 @@ Git-commit: 7b5c56f0fa3acb4c5589a4747c1921a311d8a464
  create mode 100644 oauth2.c
  create mode 100644 oauth2.h
 
-diff --git a/Makefile.am b/Makefile.am
-index 1e800085..d747f895 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -54,7 +54,7 @@ fetchmail_SOURCES=	fetchmail.h getopt.h \
+Index: fetchmail-6.4.22/Makefile.am
+===================================================================
+--- fetchmail-6.4.22.orig/Makefile.am
++++ fetchmail-6.4.22/Makefile.am
+@@ -68,7 +68,7 @@ fetchmail_SOURCES=	fetchmail.h getopt.h
  		fetchmail.c env.c idle.c options.c daemon.c \
  		driver.c transact.c sink.c smtp.c \
  		idlist.c uid.c mxget.c md5ify.c cram.c gssapi.c \
@@ -29,11 +29,11 @@ index 1e800085..d747f895 100644
  		unmime.c conf.c checkalias.c uid_db.h uid_db.c\
  		lock.h lock.c \
  		rcfile_l.l rcfile_y.y \
-diff --git a/fetchmail.man b/fetchmail.man
-index d128ece1..aece716e 100644
---- a/fetchmail.man
-+++ b/fetchmail.man
-@@ -928,7 +928,7 @@ This option permits you to specify an authentication type (see USER
+Index: fetchmail-6.4.22/fetchmail.man
+===================================================================
+--- fetchmail-6.4.22.orig/fetchmail.man
++++ fetchmail-6.4.22/fetchmail.man
+@@ -1007,7 +1007,7 @@ AUTHENTICATION below for details).  The
  \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for
  excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP,
  \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3),
@@ -42,7 +42,7 @@ index d128ece1..aece716e 100644
  When \fBany\fP (the default) is specified, fetchmail tries
  first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV,
  KERBEROS\ 5); then it looks for methods that mask your password
-@@ -2222,8 +2222,7 @@ Legal protocol identifiers for use with the 'protocol' keyword are:
+@@ -2351,8 +2351,7 @@ Legal protocol identifiers for use with
  Legal authentication types are 'any', 'password', 'kerberos',
  \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
  (only for POP3), 'ntlm', 'ssh', 'external' (only IMAP),
@@ -52,11 +52,11 @@ index d128ece1..aece716e 100644
  The 'password' type specifies
  authentication by normal transmission of a password (the password may be
  plain text or subject to protocol-specific encryption as in CRAM-MD5);
-diff --git a/imap.c b/imap.c
-index 0ab10d31..e38706f5 100644
---- a/imap.c
-+++ b/imap.c
-@@ -14,6 +14,7 @@
+Index: fetchmail-6.4.22/imap.c
+===================================================================
+--- fetchmail-6.4.22.orig/imap.c
++++ fetchmail-6.4.22/imap.c
+@@ -17,6 +17,7 @@
  #include  <limits.h>
  #include  <errno.h>
  #endif
@@ -64,7 +64,7 @@ index 0ab10d31..e38706f5 100644
  #include  "socket.h"
  
  #include  "i18n.h"
-@@ -329,63 +330,23 @@ static int do_imap_ntlm(int sock, struct query *ctl)
+@@ -419,63 +420,23 @@ static int do_imap_ntlm(int sock, struct
  
  static int do_imap_oauthbearer(int sock, struct query *ctl,flag xoauth2)
  {
@@ -134,11 +134,10 @@ index 0ab10d31..e38706f5 100644
  
      return ok;
  }
-diff --git a/oauth2.c b/oauth2.c
-new file mode 100644
-index 00000000..a8a324b8
+Index: fetchmail-6.4.22/oauth2.c
+===================================================================
 --- /dev/null
-+++ b/oauth2.c
++++ fetchmail-6.4.22/oauth2.c
 @@ -0,0 +1,61 @@
 +/*
 + * oauth2.c -- oauthbearer and xoauth2 support
@@ -201,11 +200,10 @@ index 00000000..a8a324b8
 +
 +    return oauth2b64;
 +}
-diff --git a/oauth2.h b/oauth2.h
-new file mode 100644
-index 00000000..67ebfd6e
+Index: fetchmail-6.4.22/oauth2.h
+===================================================================
 --- /dev/null
-+++ b/oauth2.h
++++ fetchmail-6.4.22/oauth2.h
 @@ -0,0 +1,6 @@
 +#ifndef OAUTH2_H
 +#define OAUTH2_H
@@ -213,11 +211,11 @@ index 00000000..67ebfd6e
 +char *get_oauth2_string(struct query *ctl,flag xoauth2);
 +
 +#endif /*OAUTH2_H*/
-diff --git a/pop3.c b/pop3.c
-index 076d890e..06fc0a0d 100644
---- a/pop3.c
-+++ b/pop3.c
-@@ -15,6 +15,7 @@
+Index: fetchmail-6.4.22/pop3.c
+===================================================================
+--- fetchmail-6.4.22.orig/pop3.c
++++ fetchmail-6.4.22/pop3.c
+@@ -20,6 +20,7 @@
  #include  <errno.h>
  
  #include  "fetchmail.h"
@@ -225,18 +223,18 @@ index 076d890e..06fc0a0d 100644
  #include  "socket.h"
  #include  "i18n.h"
  #include  "uid_db.h"
-@@ -55,6 +56,10 @@ flag has_ntlm = FALSE;
- #ifdef SSL_ENABLE
+@@ -52,6 +53,10 @@ static flag has_cram = FALSE;
+ static flag has_otp = FALSE;
+ static flag has_ntlm = FALSE;
  static flag has_stls = FALSE;
- #endif /* SSL_ENABLE */
 +static flag has_oauthbearer = FALSE;
 +static flag has_xoauth2 = FALSE;
 +
 +static const char *next_sasl_resp = NULL;
  
- /* mailbox variables initialized in pop3_getrange() */
- static int last;
-@@ -110,12 +115,65 @@ static int pop3_ok (int sock, char *argbuf)
+ static void clear_sessiondata(void) {
+     /* must match defaults above */
+@@ -135,12 +140,65 @@ static int pop3_ok (int sock, char *argb
      char buf [POPBUFSIZE+1];
      char *bufp;
  
@@ -244,67 +242,69 @@ index 076d890e..06fc0a0d 100644
 +    while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
      {	bufp = buf;
 -	if (*bufp == '+' || *bufp == '-')
+-	    bufp++;
+-	else
 +	if (*bufp == '+')
 +	{
- 	    bufp++;
-+	    if (*bufp == ' ' && next_sasl_resp != NULL)
-+	    {
-+		/* Currently only used for OAUTHBEARER/XOAUTH2, and only
-+		 * rarely even then.
-+		 *
-+		 * This is the only case where the top while() actually
-+		 * loops.
-+		 *
-+		 * For OAUTHBEARER, data aftetr '+ ' is probably
-+		 * base64-encoded JSON with some HTTP-related error details.
-+		 */
-+		if (*next_sasl_resp != '\0')
-+		    SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp));
-+		SockWrite(sock, "\r\n", 2);
-+		if (outlevel >= O_MONITOR)
-+		{
-+		    const char *found;
-+		    if (shroud[0] && (found = strstr(next_sasl_resp, shroud)))
-+		    {
-+			/* enshroud() without copies, and avoid
-+			 * confusing with a genuine "*" (cancel).
-+			 */
-+			report(stdout, "POP3> %.*s[SHROUDED]%s\n",
-+			       (int)(found-next_sasl_resp), next_sasl_resp,
-+			       found+strlen(shroud));
-+		    }
-+		    else
-+		    {
-+			report(stdout, "POP3> %s\n", next_sasl_resp);
-+		    }
-+		}
++	   bufp++;
++       if (*bufp == ' ' && next_sasl_resp != NULL)
++       {
++       /* Currently only used for OAUTHBEARER/XOAUTH2, and only
++        * rarely even then.
++        *
++        * This is the only case where the top while() actually
++        * loops.
++        *
++        * For OAUTHBEARER, data aftetr '+ ' is probably
++        * base64-encoded JSON with some HTTP-related error details.
++        */
++       if (*next_sasl_resp != '\0')
++           SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp));
++       SockWrite(sock, "\r\n", 2);
++       if (outlevel >= O_MONITOR)
++       {
++           const char *found;
++           if (shroud[0] && (found = strstr(next_sasl_resp, shroud)))
++           {
++           /* enshroud() without copies, and avoid
++            * confusing with a genuine "*" (cancel).
++            */
++           report(stdout, "POP3> %.*s[SHROUDED]%s\n",
++                  (int)(found-next_sasl_resp), next_sasl_resp,
++                  found+strlen(shroud));
++           }
++           else
++           {
++           report(stdout, "POP3> %s\n", next_sasl_resp);
++           }
++       }
 +
-+		if (*next_sasl_resp == '\0' || *next_sasl_resp == '*')
-+		{
-+		    /* No more responses expected, cancel AUTH command if
-+		     * more responses requested.
-+		     */
-+		    next_sasl_resp = "*";
-+		}
-+		else
-+		{
-+		    next_sasl_resp = "";
-+		}
-+		continue;
-+	    }
-+	}
-+	else if (*bufp == '-')
-+	{
-+	    bufp++;
-+	}
- 	else
-+	{
++       if (*next_sasl_resp == '\0' || *next_sasl_resp == '*')
++       {
++           /* No more responses expected, cancel AUTH command if
++            * more responses requested.
++            */
++           next_sasl_resp = "*";
++       }
++       else
++       {
++           next_sasl_resp = "";
++       }
++       continue;
++       }
++   }
++   else if (*bufp == '-')
++   {
++       bufp++;
++   }
++   else
++   {
  	    return(PS_PROTOCOL);
-+	}
++   }
  
  	while (isalpha((unsigned char)*bufp))
  	    bufp++;
-@@ -184,6 +242,8 @@ static int pop3_ok (int sock, char *argbuf)
+@@ -209,6 +267,8 @@ static int pop3_ok (int sock, char *argb
  #endif
  	if (argbuf != NULL)
  	    strcpy(argbuf,bufp);
@@ -313,22 +313,33 @@ index 076d890e..06fc0a0d 100644
      }
  
      return(ok);
-@@ -212,11 +272,13 @@ static int capa_probe(int sock)
+@@ -237,11 +297,13 @@ static int capa_probe(int sock)
  #ifdef NTLM_ENABLE
      has_ntlm = FALSE;
  #endif /* NTLM_ENABLE */
-+    has_oauthbearer = FALSE;
-+    has_xoauth2 = FALSE;
++	has_oauthbearer = FALSE;
++	has_xoauth2 = FALSE;
  
      ok = gen_transact(sock, "CAPA");
      if (ok == PS_SUCCESS)
      {
 -	char buffer[64];
 +	char buffer[128];
+ 	char *cp;
  
  	/* determine what authentication methods we have available */
- 	while ((ok = gen_recv(sock, buffer, sizeof(buffer))) == 0)
-@@ -246,6 +308,12 @@ static int capa_probe(int sock)
+@@ -256,6 +318,10 @@ static int capa_probe(int sock)
+ 	    if (strstr(buffer, "STLS"))
+ 		has_stls = TRUE;
+ #endif /* SSL_ENABLE */
++static flag has_oauthbearer = FALSE;
++static flag has_xoauth2 = FALSE;
++
++static const char *next_sasl_resp = NULL;
+ 
+ #if defined(GSSAPI)
+ 	    if (strstr(buffer, "GSSAPI"))
+@@ -279,6 +345,12 @@ static int capa_probe(int sock)
  
  	    if (strstr(buffer, "CRAM-MD5"))
  		has_cram = TRUE;
@@ -341,7 +352,7 @@ index 076d890e..06fc0a0d 100644
  	}
      }
      done_capa = TRUE;
-@@ -312,6 +380,40 @@ static int do_apop(int sock, struct query *ctl, char *greeting)
+@@ -295,6 +367,40 @@ static void set_peek_capable(struct quer
      peek_capable = !ctl->fetchall && (!ctl->keep || ctl->server.uidl);
  }
  
@@ -382,7 +393,7 @@ index 076d890e..06fc0a0d 100644
  static int pop3_getauth(int sock, struct query *ctl, char *greeting)
  /* apply for connection authorization */
  {
-@@ -436,6 +538,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+@@ -374,6 +480,7 @@ static int pop3_getauth(int sock, struct
  		(ctl->server.authenticate == A_KERBEROS_V5) ||
  		(ctl->server.authenticate == A_OTP) ||
  		(ctl->server.authenticate == A_CRAM_MD5) ||
@@ -390,7 +401,7 @@ index 076d890e..06fc0a0d 100644
  		maybe_starttls(ctl))
  	{
  	    if ((ok = capa_probe(sock)) != PS_SUCCESS)
-@@ -540,6 +643,19 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+@@ -523,6 +630,19 @@ static int pop3_getauth(int sock, struct
  	/*
  	 * OK, we have an authentication type now.
  	 */
@@ -410,6 +421,3 @@ index 076d890e..06fc0a0d 100644
  #if defined(KERBEROS_V4)
  	/* 
  	 * Servers doing KPOP have to go through a dummy login sequence
--- 
-2.31.1
-

fetchmail.changes

@@ -1,3 +1,72 @@
+-------------------------------------------------------------------
+Wed Oct  6 15:00:19 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
+  * OPENSSL AND LICENSING NOTE:
+    - fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
+      OpenSSL's licensing changed between these releases from dual
+      OpenSSL/SSLeay license to Apache License v2.0, which is
+      considered incompatible with GPL v2 by the FSF. For
+      implications and details, see the file COPYING.
+  * SECURITY FIXES:
+    - CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
+      without --ssl and with nonempty --sslproto, meaning that
+      fetchmail is to enforce TLS, and when the server or an attacker
+      sends a PREAUTH greeting, fetchmail used to continue an
+      unencrypted connection. Now, log the error and abort the
+      connection. --Recommendation for servers that support
+      SSL/TLS-wrapped or "implicit" mode on a dedicated port
+      (default 993): use --ssl, or the ssl user option in an rcfile.
+    - On IMAP and POP3 connections, --auth ssh no longer prevents
+      STARTTLS negotiation.
+    - On IMAP connections, fetchmail does not permit overriding
+      a server-side LOGINDISABLED with --auth password any more.
+    - On POP3 connections, the possibility for RPA authentication
+      (by probing with an AUTH command without arguments) no longer
+      prevents STARTTLS negotiation.
+    - For POP3 connections, only attempt RPA if the authentication
+      type is "any".
+  * BUG FIXES:
+    - On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
+      have received the tagged (= final) response, do not send "*".
+    - On IMAP connections, AUTHENTICATE EXTERNAL without username
+      will properly send a "=" for protocol compliance.
+    - On IMAP connections, AUTHENTICATE EXTERNAL will now check if
+      the server advertised SASL-IR (RFC-4959) support and otherwise
+      refuse (fetchmail <= 6.4 has not supported and does not support
+      the separate challenge/response with command continuation)
+    - On IMAP connections, when --auth external is requested but not
+      advertised by the server, log a proper error message.
+    - Fetchmail no longer crashes when attempting a connection with
+      --plugin "" or --plugout "".
+    - Fetchmail no longer leaks memory when processing the arguments
+      of --plugin or --plugout on connections.
+    - On POP3 connections, the CAPAbilities parser is now caseblind.
+    - Fix segfault on configurations with "defaults ... no envelope".
+      This is a regression in fetchmail 6.4.3 and happened when
+      plugging memory leaks, which did not account for that the
+      envelope parameter is special when set as "no envelope". The
+      segfault happens in a constant strlen(-1), triggered by trusted
+      local input => no vulnerability.
+    - Fix program abort (SIGABRT) with "internal error" when invalid
+      sslproto is given with OpenSSL 1.1.0 API compatible SSL
+      implementations.
+  * CHANGES:
+    - IMAP: When fetchmail is in not-authenticated state and the server
+      volunteers CAPABILITY information, use it and do not re-probe.
+      (After STARTTLS, fetchmail must and will re-probe explicitly.)
+    - For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl
+      option do not match, emit a warning and continue.
+    - fetchmail.man and README.SSL were updated in line with
+      RFC-8314/8996/8997 recommendations to prefer Implicit TLS
+      (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+
+      more prominently. The defaults shall not change between 6.4.X
+      releases for compatibility.
+  * Rebase patches:
+    fetchmail-add-imap-oauthbearer-support.patch
+    fetchmail-add-query_to64_outsize-utility-function.patch
+    fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
+
 -------------------------------------------------------------------
 Tue Sep 14 08:55:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 

fetchmail.spec

@@ -21,7 +21,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           fetchmail
-Version:        6.4.21
+Version:        6.4.22
 Release:        0
 Summary:        Full-Featured POP and IMAP Mail Retrieval Daemon
 License:        GPL-2.0-or-later