1
=== modified file 'debian/changelog'
2
--- debian/changelog	2009-08-11 12:03:52 +0000
3
+++ debian/changelog	2010-04-01 23:32:23 +0000
4
@@ -1,3 +1,13 @@
5
1
fetchmail (6.3.8-10ubuntu1.2) hardy-security; urgency=low
6
2
7
3
  * SECURITY UPDATE: Corrects a denial of service attack that can crash 
8
4
    fetchmail when running in -v -v mode via malformed mail messages
9
5
    with long headers (LP: #240549)
10
6
    - debian/patches/07_fix_CVE-2008-2711_DoS.patch: Taken from intrepid
11
7
    - CVE-2008-2711
12
8
13
9
 -- Artur Rona <ari-tczew@tlen.pl>  Fri, 02 Apr 2010 00:41:08 +0200
14
10
15
1
fetchmail (6.3.8-10ubuntu1.1) hardy-security; urgency=low
11
fetchmail (6.3.8-10ubuntu1.1) hardy-security; urgency=low
16
2
12
17
3
  * SECURITY UPDATE: SSL cert validation bypass via NULL bytes.
13
  * SECURITY UPDATE: SSL cert validation bypass via NULL bytes.
18
4
14
19
=== added file 'debian/patches/07_fix_CVE-2008-2711_DoS.patch'
20
--- debian/patches/07_fix_CVE-2008-2711_DoS.patch	1970-01-01 00:00:00 +0000
21
+++ debian/patches/07_fix_CVE-2008-2711_DoS.patch	2010-04-01 23:32:23 +0000
22
@@ -0,0 +1,60 @@
23
1
From: Michael Casadevall <sonicmctails@gmail.com>
24
2
Description: CVE-2008-2711 - fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages.
25
3
Origin: http://fetchmail.berlios.de/fetchmail-SA-2008-01.txt
26
4
Bug: https://launchpad.net/bugs/240549
27
5
Author: Matthias Andree 
28
6
29
7
Index: fetchmail-6.3.8/report.c
30
8
===================================================================
31
9
--- fetchmail-6.3.8.orig/report.c	2008-10-21 08:22:29.000000000 -0400
32
10
+++ fetchmail-6.3.8/report.c	2008-10-21 08:24:50.000000000 -0400
33
11
@@ -238,11 +238,17 @@
34
12
     rep_ensuresize();
35
13
 
36
14
 #if defined(VA_START)
37
15
-    VA_START (args, message);
38
16
     for ( ; ; )
39
17
     {
40
18
+       /*
41
19
+        * args has to be initialized before every call of vsnprintf(),
42
20
+        * because vsnprintf() invokes va_arg macro and thus args is
43
21
+        * undefined after the call
44
22
+        */
45
23
+    VA_START (args, message);
46
24
 	n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
47
25
 		       message, args);
48
26
+	va_end (args);
49
27
 
50
28
 	if (n >= 0
51
29
 	    && (unsigned)n < partial_message_size - partial_message_size_used)
52
30
@@ -254,7 +260,6 @@
53
31
 	partial_message_size += 2048;
54
32
 	partial_message = REALLOC (partial_message, partial_message_size);
55
33
     }
56
34
-    va_end (args);
57
35
 #else
58
36
     for ( ; ; )
59
37
     {
60
38
@@ -304,12 +309,13 @@
61
39
     rep_ensuresize();
62
40
 
63
41
 #if defined(VA_START)
64
42
-    VA_START (args, message);
65
43
     for ( ; ; )
66
44
     {
67
45
+    VA_START (args, message);
68
46
 	n = vsnprintf (partial_message + partial_message_size_used,
69
47
 		       partial_message_size - partial_message_size_used,
70
48
 		       message, args);
71
49
+	va_end (args);
72
50
 
73
51
 	/* old glibc versions return -1 for truncation */
74
52
 	if (n >= 0
75
53
@@ -322,7 +328,6 @@
76
54
 	partial_message_size += 2048;
77
55
 	partial_message = REALLOC (partial_message, partial_message_size);
78
56
     }
79
57
-    va_end (args);
80
58
 #else
81
59
     for ( ; ; )
82
60
     {
83
0
61
84
=== modified file 'debian/patches/series'
85
--- debian/patches/series	2009-08-11 12:03:52 +0000
86
+++ debian/patches/series	2010-04-01 23:32:23 +0000
87
@@ -3,3 +3,4 @@
88
3
03_capa_probe.patch
3
03_capa_probe.patch
89
4
04_fix_CVE-2007-4565_DoS.patch
4
04_fix_CVE-2007-4565_DoS.patch
90
5
06_cert_0_byte.patch
5
06_cert_0_byte.patch
91
6
07_fix_CVE-2008-2711_DoS.patch
Reviewer	Date Requested	Status
Artur Rona		Pending
Ubuntu branches	2010-04-01	Pending
Review via email: mp+22671@code.launchpad.net