diff --git a/fetchmail-6.4.21.tar.xz b/fetchmail-6.4.21.tar.xz
deleted file mode 100644
index 3c2de55..0000000
--- a/fetchmail-6.4.21.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6a459c1cafd7a1daa5cd137140da60c18c84b5699cd8e7249a79c33342c99d1d
-size 1318996
diff --git a/fetchmail-6.4.21.tar.xz.asc b/fetchmail-6.4.21.tar.xz.asc
deleted file mode 100644
index 419b32d..0000000
--- a/fetchmail-6.4.21.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmERU34ACgkQ5BKxVu/z
-hVr5axAAhaFZJ+WyIy6uEdi5a7vTm73DYSKJFd8knNI/1Luipb0XDCq92JOiWu9v
-qdKOAvxRFbc2bWFXnaN4cHoHa/gnTU3O3xkVqexGZ0K8dysEwgMrKIqnEx36g2/5
-bvTyJOBoxYT5zamepzBDKoOpbtNJb7yOfzayMaKKoVdgnTw+jWGXxwnQyx1pcewM
-hGjY9SjgI4LSS8e28o/aeklGi0K8izZPWeSdq6NtWoN2SGF0wNevCCJTAU0fgzfG
-L2KsCmGKizzFNrYNEF/OrTtjVkPU4fNRliXbisd87Vakz1ELRcPuWv/DgH2PBqdF
-klIz5kHLKU04CmRS7ZLqKzatm5wZ5rNea8itLsx1azYik2rw9JRNZEgseA5xYwJb
-1KglR6zhVaw3HnUtd42xFwHM4gArQuNOKsR3Ar51pDbtHJEmfM02GgKuUMoPL8iy
-XEVyRKrm/ogCvqOLTJSIkuOBWiQ6S0TTgx0GeJWsWv4um0dBIHspjGqIyKb/skll
-N96hcXsHLEOSHXF8+Be0psLJg7vMjpP5+LAzdArWwjO+lHaMz1MPiEmHvGgOR6EM
-1WAoFwi7A2+uUeNKonlZ7R2w16hx2DPl08BjJ95a/cVMX3SF/Qe17ixaZIxglmSF
-ejhIZzdwjRoFvidQYuDcEedHdlIaqok8JJK5VGEKHQBXa+83tjg=
-=SQ77
------END PGP SIGNATURE-----
diff --git a/fetchmail-6.4.22.tar.xz b/fetchmail-6.4.22.tar.xz
new file mode 100644
index 0000000..3cde016
--- /dev/null
+++ b/fetchmail-6.4.22.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc6818bd59435602169fa292d6d163d56b21c7f53112829470a3aceabe612c84
+size 1330176
diff --git a/fetchmail-6.4.22.tar.xz.asc b/fetchmail-6.4.22.tar.xz.asc
new file mode 100644
index 0000000..e5ae9aa
--- /dev/null
+++ b/fetchmail-6.4.22.tar.xz.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmE/vEgACgkQ5BKxVu/z +hVqlTA//bMqmPdUfYjm6VYSy3n2v+arXSp1t3G3rKuWGUXsxu6w8YmTNgd7y+3b8 +k5owzg60FOHYaG2icX+2DYfZlprWdsz8sI1fZRUH5xxe4ozAPg0iPbvSLiXqBNI8 +uxewWTOt1pCSYQptaWF32wqZvcHtnHU0nEEEy0u3n1UG9vEbDoh7Ej9Z0TpvwnhA +54tU8vDV/sQdS+XN/DuWYfXp6cqrNg6P/eGUb877i+E2YoFsoqHrZV0A27IMTxOn +qTi0upysu0QyMRQo1Xd6zwjs7MyPudZ9pMoeXGu+wnFW6g8dDsnTx/SBh27sgssh +SwTnKYANztgDCGH2ySrLgX0QxseI8Y7JPNbfQDS3pkpPx5TQuO+aDQcQhXhzG94o +oez7/aUmSvAIbPKiF8Y1SQMoRms5iSNVJL8LyQNLOSDZziKT+fGzDVJhnNh3Jcn9 +Pbj5oMYkcd8YKcjZYRXlwK4rbdcvA/79b3TuFMmcZ7eiTJHiy7i/C7R9qrYyxXao +c6ZmRjNuAYpL0TnFhIy/yUe/+mhse87a4I2XTk1CE1Z1RpNI4xPDHO+7EtSyTZDV +1rBs9tA2B7t/WcXVQxZDF4MqJ02TWZRwCgxRJGCMG7d28xvZaxpuZrZ9jlosQHt4 +jEgoWvcboCCK0WOZlnpgtKwvd8SRoPoDxLJmnKc35r1dqsP4Aso= +=Qd4Q +-----END PGP SIGNATURE----- diff --git a/fetchmail-add-imap-oauthbearer-support.patch b/fetchmail-add-imap-oauthbearer-support.patch index b09e56a..d4614b2 100644 --- a/fetchmail-add-imap-oauthbearer-support.patch +++ b/fetchmail-add-imap-oauthbearer-support.patch @@ -17,8 +17,10 @@ When configured, it will also fall back on trying xoauth2. rcfile_l.l | 1 8 files changed, 136 insertions(+), 3 deletions(-) ---- a/conf.c -+++ b/conf.c +Index: fetchmail-6.4.22/conf.c +=================================================================== +--- fetchmail-6.4.22.orig/conf.c ++++ fetchmail-6.4.22/conf.c @@ -288,6 +288,8 @@ void dump_config(struct runctl *runp, st stringdump("auth", "otp"); else if (ctl->server.authenticate == A_MSN) 
@@ -28,9 +30,11 @@ When configured, it will also fall back on trying xoauth2. #ifdef HAVE_RES_SEARCH booldump("dns", ctl->server.dns); ---- a/fetchmail.c -+++ b/fetchmail.c -@@ -1766,6 +1766,9 @@ static void dump_params (struct runctl * +Index: fetchmail-6.4.22/fetchmail.c +=================================================================== +--- fetchmail-6.4.22.orig/fetchmail.c ++++ fetchmail-6.4.22/fetchmail.c +@@ -1776,6 +1776,9 @@ static void dump_params (struct runctl * case A_SSH: printf(GT_(" End-to-end encryption assumed.\n")); break; @@ -40,8 +44,10 @@ When configured, it will also fall back on trying xoauth2. } if (ctl->server.principal != (char *) NULL) printf(GT_(" Mail service principal is: %s\n"), ctl->server.principal); ---- a/fetchmail.h -+++ b/fetchmail.h +Index: fetchmail-6.4.22/fetchmail.h +=================================================================== +--- fetchmail-6.4.22.orig/fetchmail.h ++++ fetchmail-6.4.22/fetchmail.h @@ -79,6 +79,7 @@ struct addrinfo; #define A_SSH 8 /* authentication at session level */ #define A_MSN 9 /* same as NTLM with keyword MSN */ @@ -58,9 +64,11 @@ When configured, it will also fall back on trying xoauth2. #define PASSWORDLEN 256 /* max password length */ #define DIGESTLEN 33 /* length of MD5 digest */ ---- a/fetchmail.man -+++ b/fetchmail.man -@@ -1001,7 +1001,7 @@ AUTHENTICATION below for details). The +Index: fetchmail-6.4.22/fetchmail.man +=================================================================== +--- fetchmail-6.4.22.orig/fetchmail.man ++++ fetchmail-6.4.22/fetchmail.man +@@ -1007,7 +1007,7 @@ AUTHENTICATION below for details). The \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP, \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3), 
@@ -69,7 +77,7 @@ When configured, it will also fall back on trying xoauth2. When \fBany\fP (the default) is specified, fetchmail tries first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV, KERBEROS\ 5); then it looks for methods that mask your password -@@ -1021,6 +1021,23 @@ GSSAPI or K4. Choosing KPOP protocol au +@@ -1027,6 +1027,23 @@ GSSAPI or K4. Choosing KPOP protocol au authentication. This option does not work with ETRN. GSSAPI service names are in line with RFC-2743 and IANA registrations, see .URL https://www.iana.org/assignments/gssapi-service-names/ "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names" . @@ -93,7 +101,7 @@ When configured, it will also fall back on trying xoauth2. .SS Miscellaneous Options .TP .B \-f | \-\-fetchmailrc -@@ -2327,7 +2344,9 @@ Legal protocol identifiers for use with +@@ -2333,7 +2350,9 @@ Legal protocol identifiers for use with .PP Legal authentication types are 'any', 'password', 'kerberos', \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn' @@ -104,9 +112,11 @@ When configured, it will also fall back on trying xoauth2. The 'password' type specifies authentication by normal transmission of a password (the password may be plain text or subject to protocol-specific encryption as in CRAM-MD5); ---- a/fetchmailconf.py -+++ b/fetchmailconf.py -@@ -487,7 +487,7 @@ defaultports = {"auto":None, +Index: fetchmail-6.4.22/fetchmailconf.py +=================================================================== +--- fetchmail-6.4.22.orig/fetchmailconf.py ++++ fetchmail-6.4.22/fetchmailconf.py +@@ -500,7 +500,7 @@ defaultports = {"auto":None, "ODMR":"odmr"} authlist = ("any", "password", "gssapi", "kerberos", "ssh", "otp", 
@@ -115,8 +125,10 @@ When configured, it will also fall back on trying xoauth2. listboxhelp = { 'title' : 'List Selection Help', ---- a/imap.c -+++ b/imap.c +Index: fetchmail-6.4.22/imap.c +=================================================================== +--- fetchmail-6.4.22.orig/imap.c ++++ fetchmail-6.4.22/imap.c @@ -26,6 +26,10 @@ #define IMAP4 0 /* IMAP4 rev 0, RFC1730 */ #define IMAP4rev1 1 /* IMAP4 rev 1, RFC2060 */ @@ -128,16 +140,16 @@ When configured, it will also fall back on trying xoauth2. /* global variables: please reinitialize them explicitly for proper * working in daemon mode */ -@@ -38,6 +42,8 @@ static int imap_version = IMAP4; - static flag do_idle = FALSE, has_idle = FALSE; - static int expunge_period = 1; +@@ -51,6 +55,8 @@ static void clear_sessiondata(void) { + * a const initializer */ + const char *const capa_begin = " [CAPABILITY "; const unsigned capa_len = 13; +static int plus_cont_context = IPLUS_NONE; + /* mailbox variables initialized in imap_getrange() */ static int count = 0, oldcount = 0, recentcount = 0, unseen = 0, deletions = 0; static unsigned int startcount = 1; -@@ -202,6 +208,21 @@ static int imap_response(int sock, char +@@ -266,6 +272,21 @@ static int imap_response(int sock, char if (ok != PS_SUCCESS) return(ok); @@ -159,7 +171,7 @@ When configured, it will also fall back on trying xoauth2. /* all tokens in responses are caseblind */ for (cp = buf; *cp; cp++) if (islower((unsigned char)*cp)) -@@ -316,6 +337,69 @@ static int do_imap_ntlm(int sock, struct +@@ -396,6 +417,69 @@ static int do_imap_ntlm(int sock, struct } #endif /* NTLM */ 
@@ -229,9 +241,9 @@ When configured, it will also fall back on trying xoauth2. static void imap_canonicalize(char *result, char *raw, size_t maxlen) /* encode an IMAP password as per RFC1730's quoting conventions */ { -@@ -510,6 +594,26 @@ static int imap_getauth(int sock, struct - */ - ok = PS_AUTHFAIL; +@@ -577,6 +661,26 @@ static int imap_getauth(int sock, struct + for future maintenance */ + (void)ok; + if (ctl->server.authenticate == A_OAUTHBEARER) + { @@ -256,8 +268,10 @@ When configured, it will also fall back on trying xoauth2. /* Yahoo hack - we'll just try ID if it was offered by the server, * and IGNORE errors. */ { ---- a/options.c -+++ b/options.c +Index: fetchmail-6.4.22/options.c +=================================================================== +--- fetchmail-6.4.22.orig/options.c ++++ fetchmail-6.4.22/options.c @@ -421,6 +421,8 @@ int parsecmdline (int argc /** argument ctl->server.authenticate = A_ANY; else if (strcmp(optarg, "msn") == 0) @@ -267,8 +281,10 @@ When configured, it will also fall back on trying xoauth2. else { fprintf(stderr,GT_("Invalid authentication `%s' specified.\n"), optarg); errflag++; ---- a/rcfile_l.l -+++ b/rcfile_l.l +Index: fetchmail-6.4.22/rcfile_l.l +=================================================================== +--- fetchmail-6.4.22.orig/rcfile_l.l ++++ fetchmail-6.4.22/rcfile_l.l @@ -106,6 +106,7 @@ cram(-md5)? { SETSTATE(0); yylval.proto msn { SETSTATE(0); yylval.proto = A_MSN; return AUTHTYPE;} ntlm { SETSTATE(0); yylval.proto = A_NTLM; return AUTHTYPE;} diff --git a/fetchmail-add-query_to64_outsize-utility-function.patch b/fetchmail-add-query_to64_outsize-utility-function.patch index 240bcc3..cc13644 100644 --- a/fetchmail-add-query_to64_outsize-utility-function.patch +++ b/fetchmail-add-query_to64_outsize-utility-function.patch 
@@ -9,11 +9,11 @@ Git-commit: cc6e146d516140df800da68976eb7c0aa1cef7c0 fetchmail.h | 1 + 2 files changed, 8 insertions(+) -diff --git a/base64.c b/base64.c -index 3cd41691..25393b35 100644 ---- a/base64.c -+++ b/base64.c -@@ -61,6 +61,13 @@ fail: +Index: fetchmail-6.4.22/base64.c +=================================================================== +--- fetchmail-6.4.22.orig/base64.c ++++ fetchmail-6.4.22/base64.c +@@ -66,6 +66,13 @@ fail: return rc; } @@ -27,16 +27,15 @@ index 3cd41691..25393b35 100644 int from64tobits(void *out_, const char *in, int maxlen) /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */ /* maxlen limits output buffer size, set to zero to ignore */ -diff --git a/fetchmail.h b/fetchmail.h -index 8b9dd6c4..2d378942 100644 ---- a/fetchmail.h -+++ b/fetchmail.h -@@ -638,6 +638,7 @@ int prc_filecheck(const char *, const flag); - +Index: fetchmail-6.4.22/fetchmail.h +=================================================================== +--- fetchmail-6.4.22.orig/fetchmail.h ++++ fetchmail-6.4.22/fetchmail.h +@@ -642,6 +642,7 @@ int prc_filecheck(const char *, const fl /* base64.c */ + unsigned len64frombits(unsigned inlen); /** calculate length needed to encode inlen octets. warnings: 1. caller needs to add 1 for a trailing \0 byte himself. 2. returns 0 for inlen 0! */ int to64frombits(char *, const void *, int inlen, size_t outlen); +size_t query_to64_outsize(size_t inlen); int from64tobits(void *, const char *, int mxoutlen); /* unmime.c */ - diff --git a/fetchmail-support-oauthbearer-xoauth2-with-pop3.patch b/fetchmail-support-oauthbearer-xoauth2-with-pop3.patch index 33c232a..f107c9c 100644 --- a/fetchmail-support-oauthbearer-xoauth2-with-pop3.patch +++ b/fetchmail-support-oauthbearer-xoauth2-with-pop3.patch 
@@ -16,11 +16,11 @@ Git-commit: 7b5c56f0fa3acb4c5589a4747c1921a311d8a464 create mode 100644 oauth2.c create mode 100644 oauth2.h -diff --git a/Makefile.am b/Makefile.am -index 1e800085..d747f895 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -54,7 +54,7 @@ fetchmail_SOURCES= fetchmail.h getopt.h \ +Index: fetchmail-6.4.22/Makefile.am +=================================================================== +--- fetchmail-6.4.22.orig/Makefile.am ++++ fetchmail-6.4.22/Makefile.am +@@ -68,7 +68,7 @@ fetchmail_SOURCES= fetchmail.h getopt.h fetchmail.c env.c idle.c options.c daemon.c \ driver.c transact.c sink.c smtp.c \ idlist.c uid.c mxget.c md5ify.c cram.c gssapi.c \ @@ -29,11 +29,11 @@ index 1e800085..d747f895 100644 unmime.c conf.c checkalias.c uid_db.h uid_db.c\ lock.h lock.c \ rcfile_l.l rcfile_y.y \ -diff --git a/fetchmail.man b/fetchmail.man -index d128ece1..aece716e 100644 ---- a/fetchmail.man -+++ b/fetchmail.man -@@ -928,7 +928,7 @@ This option permits you to specify an authentication type (see USER +Index: fetchmail-6.4.22/fetchmail.man +=================================================================== +--- fetchmail-6.4.22.orig/fetchmail.man ++++ fetchmail-6.4.22/fetchmail.man +@@ -1007,7 +1007,7 @@ AUTHENTICATION below for details). The \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP, \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3), 
@@ -42,7 +42,7 @@ index d128ece1..aece716e 100644 When \fBany\fP (the default) is specified, fetchmail tries first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV, KERBEROS\ 5); then it looks for methods that mask your password -@@ -2222,8 +2222,7 @@ Legal protocol identifiers for use with the 'protocol' keyword are: +@@ -2351,8 +2351,7 @@ Legal protocol identifiers for use with Legal authentication types are 'any', 'password', 'kerberos', \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn' (only for POP3), 'ntlm', 'ssh', 'external' (only IMAP), @@ -52,11 +52,11 @@ index d128ece1..aece716e 100644 The 'password' type specifies authentication by normal transmission of a password (the password may be plain text or subject to protocol-specific encryption as in CRAM-MD5); -diff --git a/imap.c b/imap.c -index 0ab10d31..e38706f5 100644 ---- a/imap.c -+++ b/imap.c -@@ -14,6 +14,7 @@ +Index: fetchmail-6.4.22/imap.c +=================================================================== +--- fetchmail-6.4.22.orig/imap.c ++++ fetchmail-6.4.22/imap.c +@@ -17,6 +17,7 @@ #include #include #endif @@ -64,7 +64,7 @@ index 0ab10d31..e38706f5 100644 #include "socket.h" #include "i18n.h" -@@ -329,63 +330,23 @@ static int do_imap_ntlm(int sock, struct query *ctl) +@@ -419,63 +420,23 @@ static int do_imap_ntlm(int sock, struct static int do_imap_oauthbearer(int sock, struct query *ctl,flag xoauth2) { @@ -134,11 +134,10 @@ index 0ab10d31..e38706f5 100644 return ok; } -diff --git a/oauth2.c b/oauth2.c -new file mode 100644 -index 00000000..a8a324b8 +Index: fetchmail-6.4.22/oauth2.c +=================================================================== --- /dev/null -+++ b/oauth2.c ++++ fetchmail-6.4.22/oauth2.c @@ -0,0 +1,61 @@ +/* + * oauth2.c -- oauthbearer and xoauth2 support 
@@ -201,11 +200,10 @@ index 00000000..a8a324b8 + + return oauth2b64; +} -diff --git a/oauth2.h b/oauth2.h -new file mode 100644 -index 00000000..67ebfd6e +Index: fetchmail-6.4.22/oauth2.h +=================================================================== --- /dev/null -+++ b/oauth2.h ++++ fetchmail-6.4.22/oauth2.h @@ -0,0 +1,6 @@ +#ifndef OAUTH2_H +#define OAUTH2_H @@ -213,11 +211,11 @@ index 00000000..67ebfd6e +char *get_oauth2_string(struct query *ctl,flag xoauth2); + +#endif /*OAUTH2_H*/ -diff --git a/pop3.c b/pop3.c -index 076d890e..06fc0a0d 100644 ---- a/pop3.c -+++ b/pop3.c -@@ -15,6 +15,7 @@ +Index: fetchmail-6.4.22/pop3.c +=================================================================== +--- fetchmail-6.4.22.orig/pop3.c ++++ fetchmail-6.4.22/pop3.c +@@ -20,6 +20,7 @@ #include #include "fetchmail.h" @@ -225,18 +223,18 @@ index 076d890e..06fc0a0d 100644 #include "socket.h" #include "i18n.h" #include "uid_db.h" -@@ -55,6 +56,10 @@ flag has_ntlm = FALSE; - #ifdef SSL_ENABLE +@@ -52,6 +53,10 @@ static flag has_cram = FALSE; + static flag has_otp = FALSE; + static flag has_ntlm = FALSE; static flag has_stls = FALSE; - #endif /* SSL_ENABLE */ +static flag has_oauthbearer = FALSE; +static flag has_xoauth2 = FALSE; + +static const char *next_sasl_resp = NULL; - /* mailbox variables initialized in pop3_getrange() */ - static int last; -@@ -110,12 +115,65 @@ static int pop3_ok (int sock, char *argbuf) + static void clear_sessiondata(void) { + /* must match defaults above */ +@@ -135,12 +140,65 @@ static int pop3_ok (int sock, char *argb char buf [POPBUFSIZE+1]; char *bufp; 
@@ -244,67 +242,69 @@ index 076d890e..06fc0a0d 100644 + while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0) { bufp = buf; - if (*bufp == '+' || *bufp == '-') +- bufp++; +- else + if (*bufp == '+') + { - bufp++; -+ if (*bufp == ' ' && next_sasl_resp != NULL) -+ { -+ /* Currently only used for OAUTHBEARER/XOAUTH2, and only -+ * rarely even then. -+ * -+ * This is the only case where the top while() actually -+ * loops. -+ * -+ * For OAUTHBEARER, data aftetr '+ ' is probably -+ * base64-encoded JSON with some HTTP-related error details. -+ */ -+ if (*next_sasl_resp != '\0') -+ SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp)); -+ SockWrite(sock, "\r\n", 2); -+ if (outlevel >= O_MONITOR) -+ { -+ const char *found; -+ if (shroud[0] && (found = strstr(next_sasl_resp, shroud))) -+ { -+ /* enshroud() without copies, and avoid -+ * confusing with a genuine "*" (cancel). -+ */ -+ report(stdout, "POP3> %.*s[SHROUDED]%s\n", -+ (int)(found-next_sasl_resp), next_sasl_resp, -+ found+strlen(shroud)); -+ } -+ else -+ { -+ report(stdout, "POP3> %s\n", next_sasl_resp); -+ } -+ } ++ bufp++; ++ if (*bufp == ' ' && next_sasl_resp != NULL) ++ { ++ /* Currently only used for OAUTHBEARER/XOAUTH2, and only ++ * rarely even then. ++ * ++ * This is the only case where the top while() actually ++ * loops. ++ * ++ * For OAUTHBEARER, data aftetr '+ ' is probably ++ * base64-encoded JSON with some HTTP-related error details. ++ */ ++ if (*next_sasl_resp != '\0') ++ SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp)); ++ SockWrite(sock, "\r\n", 2); ++ if (outlevel >= O_MONITOR) ++ { ++ const char *found; ++ if (shroud[0] && (found = strstr(next_sasl_resp, shroud))) ++ { ++ /* enshroud() without copies, and avoid ++ * confusing with a genuine "*" (cancel). 
++ */ ++ report(stdout, "POP3> %.*s[SHROUDED]%s\n", ++ (int)(found-next_sasl_resp), next_sasl_resp, ++ found+strlen(shroud)); ++ } ++ else ++ { ++ report(stdout, "POP3> %s\n", next_sasl_resp); ++ } ++ } + -+ if (*next_sasl_resp == '\0' || *next_sasl_resp == '*') -+ { -+ /* No more responses expected, cancel AUTH command if -+ * more responses requested. -+ */ -+ next_sasl_resp = "*"; -+ } -+ else -+ { -+ next_sasl_resp = ""; -+ } -+ continue; -+ } -+ } -+ else if (*bufp == '-') -+ { -+ bufp++; -+ } - else -+ { ++ if (*next_sasl_resp == '\0' || *next_sasl_resp == '*') ++ { ++ /* No more responses expected, cancel AUTH command if ++ * more responses requested. ++ */ ++ next_sasl_resp = "*"; ++ } ++ else ++ { ++ next_sasl_resp = ""; ++ } ++ continue; ++ } ++ } ++ else if (*bufp == '-') ++ { ++ bufp++; ++ } ++ else ++ { return(PS_PROTOCOL); -+ } ++ } while (isalpha((unsigned char)*bufp)) bufp++; -@@ -184,6 +242,8 @@ static int pop3_ok (int sock, char *argbuf) +@@ -209,6 +267,8 @@ static int pop3_ok (int sock, char *argb #endif if (argbuf != NULL) strcpy(argbuf,bufp); 
@@ -313,22 +313,33 @@ index 076d890e..06fc0a0d 100644 } return(ok); -@@ -212,11 +272,13 @@ static int capa_probe(int sock) +@@ -237,11 +297,13 @@ static int capa_probe(int sock) #ifdef NTLM_ENABLE has_ntlm = FALSE; #endif /* NTLM_ENABLE */ -+ has_oauthbearer = FALSE; -+ has_xoauth2 = FALSE; ++ has_oauthbearer = FALSE; ++ has_xoauth2 = FALSE; ok = gen_transact(sock, "CAPA"); if (ok == PS_SUCCESS) { - char buffer[64]; + char buffer[128]; + char *cp; /* determine what authentication methods we have available */ - while ((ok = gen_recv(sock, buffer, sizeof(buffer))) == 0) -@@ -246,6 +308,12 @@ static int capa_probe(int sock) +@@ -256,6 +318,10 @@ static int capa_probe(int sock) + if (strstr(buffer, "STLS")) + has_stls = TRUE; + #endif /* SSL_ENABLE */ ++static flag has_oauthbearer = FALSE; ++static flag has_xoauth2 = FALSE; ++ ++static const char *next_sasl_resp = NULL; + + #if defined(GSSAPI) + if (strstr(buffer, "GSSAPI")) +@@ -279,6 +345,12 @@ static int capa_probe(int sock) if (strstr(buffer, "CRAM-MD5")) has_cram = TRUE; @@ -341,7 +352,7 @@ index 076d890e..06fc0a0d 100644 } } done_capa = TRUE; -@@ -312,6 +380,40 @@ static int do_apop(int sock, struct query *ctl, char *greeting) +@@ -295,6 +367,40 @@ static void set_peek_capable(struct quer peek_capable = !ctl->fetchall && (!ctl->keep || ctl->server.uidl); } @@ -382,7 +393,7 @@ index 076d890e..06fc0a0d 100644 static int pop3_getauth(int sock, struct query *ctl, char *greeting) /* apply for connection authorization */ { -@@ -436,6 +538,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) +@@ -374,6 +480,7 @@ static int pop3_getauth(int sock, struct (ctl->server.authenticate == A_KERBEROS_V5) || (ctl->server.authenticate == A_OTP) || (ctl->server.authenticate == A_CRAM_MD5) || 
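Review bot: The rebased POP3 patch gains a new inner hunk, `@@ -256,6 +318,10 @@ static int capa_probe(int sock)`, that adds `static flag has_oauthbearer = FALSE;`, `static flag has_xoauth2 = FALSE;` and `static const char *next_sasl_resp = NULL;` right after the `STLS` check, although the same three declarations are already added at file scope by the earlier `@@ -52,6 +53,10 @@` hunk of this patch. Declared inside capa_probe they shadow the file-scope flags for the rest of that block, so the capability assignments in the following `@@ -279,6 +345,12 @@` hunk (its added lines are not visible here, presumably `has_oauthbearer = TRUE` and `has_xoauth2 = TRUE`) would land on the block-local copies, and the authentication code outside capa_probe would keep seeing the `FALSE` written by the reset at the top of the function. This looks like a context mis-merge from the rebase rather than an intended change; the `@@ -256,6 +318,10 @@` hunk should be dropped from the patch. A build with `-Wshadow` would report the duplicate names.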
@@ -390,7 +401,7 @@ index 076d890e..06fc0a0d 100644 maybe_starttls(ctl)) { if ((ok = capa_probe(sock)) != PS_SUCCESS) -@@ -540,6 +643,19 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) +@@ -523,6 +630,19 @@ static int pop3_getauth(int sock, struct /* * OK, we have an authentication type now. */ @@ -410,6 +421,3 @@ index 076d890e..06fc0a0d 100644 #if defined(KERBEROS_V4) /* * Servers doing KPOP have to go through a dummy login sequence --- -2.31.1 - diff --git a/fetchmail.changes b/fetchmail.changes index 759c936..50c2f2d 100644 --- a/fetchmail.changes +++ b/fetchmail.changes 
@@ -1,3 +1,72 @@
+-------------------------------------------------------------------
+Wed Oct 6 15:00:19 UTC 2021 - Pedro Monreal
+
+- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
+ * OPENSSL AND LICENSING NOTE:
+ - fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
+ OpenSSL's licensing changed between these releases from dual
+ OpenSSL/SSLeay license to Apache License v2.0, which is
+ considered incompatible with GPL v2 by the FSF. For
+ implications and details, see the file COPYING.
+ * SECURITY FIXES:
+ - CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
+ without --ssl and with nonempty --sslproto, meaning that
+ fetchmail is to enforce TLS, and when the server or an attacker
+ sends a PREAUTH greeting, fetchmail used to continue an
+ unencrypted connection. Now, log the error and abort the
+ connection. --Recommendation for servers that support
+ SSL/TLS-wrapped or "implicit" mode on a dedicated port
+ (default 993): use --ssl, or the ssl user option in an rcfile.
+ - On IMAP and POP3 connections, --auth ssh no longer prevents
+ STARTTLS negotiation.
+ - On IMAP connections, fetchmail does not permit overriding
+ a server-side LOGINDISABLED with --auth password any more.
+ - On POP3 connections, the possibility for RPA authentication
+ (by probing with an AUTH command without arguments) no longer
+ prevents STARTTLS negotiation.
+ - For POP3 connections, only attempt RPA if the authentication
+ type is "any".
+ * BUG FIXES:
+ - On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
+ have received the tagged (= final) response, do not send "*".
+ - On IMAP connections, AUTHENTICATE EXTERNAL without username
+ will properly send a "=" for protocol compliance.
+ - On IMAP connections, AUTHENTICATE EXTERNAL will now check if
+ the server advertised SASL-IR (RFC-4959) support and otherwise
+ refuse (fetchmail <= 6.4 has not supported and does not support
+ the separate challenge/response with command continuation)
+ - On IMAP connections, when --auth external is requested but not
+ advertised by the server, log a proper error message.
+ - Fetchmail no longer crashes when attempting a connection with
+ --plugin "" or --plugout "".
+ - Fetchmail no longer leaks memory when processing the arguments
+ of --plugin or --plugout on connections.
+ - On POP3 connections, the CAPAbilities parser is now caseblind.
+ - Fix segfault on configurations with "defaults ... no envelope".
+ This is a regression in fetchmail 6.4.3 and happened when
+ plugging memory leaks, which did not account for that the
+ envelope parameter is special when set as "no envelope". The
+ segfault happens in a constant strlen(-1), triggered by trusted
+ local input => no vulnerability.
+ - Fix program abort (SIGABRT) with "internal error" when invalid
+ sslproto is given with OpenSSL 1.1.0 API compatible SSL
+ implementations.
+ * CHANGES:
+ - IMAP: When fetchmail is in not-authenticated state and the server
+ volunteers CAPABILITY information, use it and do not re-probe.
+ (After STARTTLS, fetchmail must and will re-probe explicitly.)
+ - For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl
+ option do not match, emit a warning and continue.
+ - fetchmail.man and README.SSL were updated in line with
+ RFC-8314/8996/8997 recommendations to prefer Implicit TLS
+ (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+
+ more prominently. The defaults shall not change between 6.4.X
+ releases for compatibility.
+ * Rebase patches:
+ fetchmail-add-imap-oauthbearer-support.patch
+ fetchmail-add-query_to64_outsize-utility-function.patch
+ fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
+
 -------------------------------------------------------------------
 Tue Sep 14 08:55:42 UTC 2021 - Johannes Segitz
 
diff --git a/fetchmail.spec b/fetchmail.spec
index 8f0b92e..d01ad67 100644
--- a/fetchmail.spec
+++ b/fetchmail.spec
@@ -21,7 +21,7 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: fetchmail
-Version: 6.4.21
+Version: 6.4.22
 Release: 0
 Summary: Full-Featured POP and IMAP Mail Retrieval Daemon
 License: GPL-2.0-or-later