From 79e260e2aeae956e743795a5da3e7f362b213abbaf38ae7549294dea3e62a3b6 Mon Sep 17 00:00:00 2001
From: Dirk Stoecker
Date: Tue, 3 Aug 2021 08:51:27 +0000
Subject: [PATCH] Accepting request 909104 from home:pmonrealgonzalez:branches:server:mail - Update to 6.4.20: [bsc#1188875, CVE-2021-36386] * CVE-2021-36386: DoS or information disclosure in some configurations. When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation. fetchmail then reallocates memory and re-runs vsnprintf() without another call to va_start(), so it reads garbage. The exact impact depends on many factors around the compiler and operating system configurations used and the implementation details of the stdarg.h interfaces of the two functions mentioned before. OBS-URL: https://build.opensuse.org/request/show/909104 OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=117
---
 fetchmail-6.4.19.tar.xz | 3 ---
 fetchmail-6.4.19.tar.xz.asc | 16 ----------------
 fetchmail-6.4.20.tar.xz | 3 +++
 fetchmail-6.4.20.tar.xz.asc | 16 ++++++++++++++++
 fetchmail.changes | 15 +++++++++++++++
 fetchmail.spec | 2 +-
 6 files changed, 35 insertions(+), 20 deletions(-)
 delete mode 100644 fetchmail-6.4.19.tar.xz
 delete mode 100644 fetchmail-6.4.19.tar.xz.asc
 create mode 100644 fetchmail-6.4.20.tar.xz
 create mode 100644 fetchmail-6.4.20.tar.xz.asc
diff --git a/fetchmail-6.4.19.tar.xz b/fetchmail-6.4.19.tar.xz
deleted file mode 100644
index 130a495..0000000
--- a/fetchmail-6.4.19.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cd8d11a3d103e50caa2ec64bcda6307eb3d0783a4d4dfd88e668b81aaf9d6b5f
-size 1316672
diff --git a/fetchmail-6.4.19.tar.xz.asc b/fetchmail-6.4.19.tar.xz.asc
deleted file mode 100644
index cfd79b8..0000000
--- a/fetchmail-6.4.19.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmCEEUkACgkQ5BKxVu/z
-hVruog/+JAMIKFcNMT3z70vFJaFynuDirNNVBYXhjd62LBwDB8hCmscOAQ10ItQC
-QZ4rWfn2DBDta+4KN9bW88VYP33iiPM/q8sx9pH4g0j0TpqD9QCiPUy8knJlSkGR
-21nRx7D/Zw/He8sPu9wG7tfXLRY58G7MmPbyQe/ofudHInV2btDJ6eFWXh8F8yWr
-VafGsW6uDcmJBjn/x6XrnFOfyGEcUvjgR0kMJqDoGeKiplDvBglU1IgFwU5Gjkqa
-WEg/BVuGhFQTUDyBnaiq5FA0LBg5VUonAC5u0dTS2ZjiGbkKy4HLbOA0NKaiJuO6
-AlGvvaPTH1Bb33ZPtEv927wTe2t7fVIFp76nuGNyrCeIBtzdZObuynidpdUOqIvj
-WfhP+1GSZOikQEYN4z2cFgaHLZnOC5vfFJLlFSmUVfYOXicHnK9a4oPPPTcqT1KJ
-3ErldZptqGV82B0cXT6hLCVma1DZolI1TVa8Kusqxy2IBw12j7RAdxyGAyKR34MI
-zucHBaEde8NtOAbf5MSVQ6WlsX/qa5MUT0VrmCAtarVFwFECiZJEw0LXHUSUbz9E
-84IrrOWmzBFTfICNkaT8ZOax+4u0Ja2PAE4mSnNBcf9hM9LbveABnEAVLBEwV75F
-nLLNYBI2WRjaChBJUsiGcrZn+vTzyy/bZqENRXvffYd4R/V3jSY=
-=wQTQ
------END PGP SIGNATURE-----
diff --git a/fetchmail-6.4.20.tar.xz b/fetchmail-6.4.20.tar.xz
new file mode 100644
index 0000000..090dfc1
--- /dev/null
+++ b/fetchmail-6.4.20.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c82141ae2e8f0039ceb0c5c2eda43c5e93ad0bf7f9c6bb628092b3be74386176
+size 1317204
diff --git a/fetchmail-6.4.20.tar.xz.asc b/fetchmail-6.4.20.tar.xz.asc
new file mode 100644
index 0000000..d95f188
--- /dev/null
+++ b/fetchmail-6.4.20.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEBhtMACgkQ5BKxVu/z
+hVoVQBAAlSjS4HaUnnHFiNNtCP0QITl/7+a1tCS3E8HdAOyn+kU2idHJnFmQ/2jL
+Z2qkpXaKa8kvJHr/I603xJFxf9IMpLu2qD0IjMFOgzTjGWc7b/Vk1n1n88Oeo34V
+sGfMqxnqzeqW8ejdptbHFq4oJcfV1rZhT6w2mXwNJiH0e8w6EX4xqR/xU1Jyqvxo
+dmJpKt1uPGvkenSZvetyO4flwQKCwFGS6mx6taPpbHC4LsfugE+AP1AKPnEFg+Ai
+p1+5ieSkuSxIJc09EYw5ahfch2txV6cxX1qKkaWrmYkjfzKl2XyUOoUT+KjZBihR
+CwA5W4ybNxbIOOo9r1+UB8kQslhjDbpJuCnNEt3HpOzcGCHtEHbYqJhyvUq/DO19
+fYKSmg2DcC709oM3drQOXBk2NV5YJ6QWoBvEp3f169ZvsO+clwkPumUXADUdM8EK
+vwzwdn+a0LyoET+xmB5CSfxHwr8sizO2sihm6nZBR+hGQgoTkyRg7OckxAQu9Q/9
+dZ2S1srB2cWurrl/BIJYFTIWXV8Y66HI5USv1y5fAUFR4uFJVh/oQuhp3Jnykf9m
+Fgsb37MHK2EycwmYmIXMRyGpJ7w2EjBdoePYwi/YFJzHVuSSzC3k3Iz738xDgxA6
+ikE11M+GN+qXzyCfMQfE4l6MMvBZoB41mPm01j28nWMSZ7a9Glg=
+=brTa
+-----END PGP SIGNATURE-----
diff --git a/fetchmail.changes b/fetchmail.changes
index c9939e6..8a1df17 100644
--- a/fetchmail.changes
+++ b/fetchmail.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Jul 29 07:57:07 UTC 2021 - Pedro Monreal
+
+- Update to 6.4.20: [bsc#1188875, CVE-2021-36386]
+ * CVE-2021-36386: DoS or information disclosure in some configurations.
+ When a log message exceeds c. 2 kByte in size, for instance,
+ with very long header contents, and depending on verbosity
+ option, fetchmail can crash or misreport each first log message
+ that requires a buffer reallocation. fetchmail then reallocates
+ memory and re-runs vsnprintf() without another call to va_start(),
+ so it reads garbage. The exact impact depends on many factors
+ around the compiler and operating system configurations used and
+ the implementation details of the stdarg.h interfaces of the two
+ functions mentioned before.
+
 -------------------------------------------------------------------
 Thu May 13 16:57:09 UTC 2021 - Jeff Mahoney
 
diff --git a/fetchmail.spec b/fetchmail.spec
index 3a0914d..d541ff3 100644
--- a/fetchmail.spec
+++ b/fetchmail.spec
@@ -21,7 +21,7 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: fetchmail
-Version: 6.4.19
+Version: 6.4.20
 Release: 0
 Summary: Full-Featured POP and IMAP Mail Retrieval Daemon
 License: GPL-2.0-or-later