[fetchmail] Fix CVE-2011-1947
vcrhonek
vcrhonek at fedoraproject.org
Thu Jun 2 14:46:23 UTC 2011
commit 6185e3d2fcca5605334fd7c943333636698bb1f7
Author: Vitezslav Crhonek <vcrhonek at redhat.com>
Date: Thu Jun 2 16:46:05 2011 +0200
Fix CVE-2011-1947
fetchmail-6.3.19-cve-2011-1947.patch | 76 ++++++++++++++++++++++++++++++++++
fetchmail.spec | 7 +++-
2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/fetchmail-6.3.19-cve-2011-1947.patch b/fetchmail-6.3.19-cve-2011-1947.patch
new file mode 100644
index 0000000..2f14096
--- /dev/null
+++ b/fetchmail-6.3.19-cve-2011-1947.patch
@@ -0,0 +1,76 @@
+commit 7dc67b8cf06f74aa57525279940e180c99701314
+Author: Matthias Andree <matthias.andree at gmx.de>
+Date: Thu May 26 01:47:41 2011 +0200
+
+ Run S(TART)TLS negotiation under timeout alarm.
+
+ Reported missing by Thomas Jarosch.
+
+diff --git a/imap.c b/imap.c
+index dca3bab..397b391 100644
+--- a/imap.c
++++ b/imap.c
+@@ -447,9 +447,9 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
+ * whether TLS is mandatory or opportunistic unless SSLOpen() fails
+ * (see below). */
+ if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
+- && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
+- ctl->server.pollname, &ctl->remotename) != -1)
++ ctl->server.pollname, &ctl->remotename)) != -1)
+ {
+ /*
+ * RFC 2595 says this:
+@@ -473,9 +473,11 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
+ } else if (must_tls(ctl)) {
+ /* Config required TLS but we couldn't guarantee it, so we must
+ * stop. */
++ set_timeout(0);
+ report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
+ return PS_SOCKET;
+ } else {
++ set_timeout(0);
+ if (outlevel >= O_VERBOSE) {
+ report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue\n"), commonname);
+ }
+diff --git a/pop3.c b/pop3.c
+index 3def391..9cf8494 100644
+--- a/pop3.c
++++ b/pop3.c
+@@ -448,9 +448,9 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ * whether TLS is mandatory or opportunistic unless SSLOpen() fails
+ * (see below). */
+ if (gen_transact(sock, "STLS") == PS_SUCCESS
+- && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
+- ctl->server.pollname, &ctl->remotename) != -1)
++ ctl->server.pollname, &ctl->remotename)) != -1)
+ {
+ /*
+ * RFC 2595 says this:
+@@ -465,6 +465,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ * Now that we're confident in our TLS connection we can
+ * guarantee a secure capability re-probe.
+ */
++ set_timeout(0);
+ done_capa = FALSE;
+ ok = capa_probe(sock);
+ if (ok != PS_SUCCESS) {
+@@ -477,6 +478,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ } else if (must_tls(ctl)) {
+ /* Config required TLS but we couldn't guarantee it, so we must
+ * stop. */
++ set_timeout(0);
+ report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
+ return PS_SOCKET;
+ } else {
+@@ -485,6 +487,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ * allowed til post-authentication), so leave it in an unknown
+ * state, mark it as such, and check more carefully if things
+ * go wrong when we try to authenticate. */
++ set_timeout(0);
+ connection_may_have_tls_errors = TRUE;
+ if (outlevel >= O_VERBOSE)
+ {
diff --git a/fetchmail.spec b/fetchmail.spec
index c63120d..618e0b2 100644
--- a/fetchmail.spec
+++ b/fetchmail.spec
@@ -4,9 +4,10 @@
Summary: A remote mail retrieval and forwarding utility
Name: fetchmail
Version: 6.3.19
-Release: 4%{?dist}
+Release: 5%{?dist}
Source0: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz
Source1: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz.asc
+Patch0: fetchmail-6.3.19-cve-2011-1947.patch
URL: http://fetchmail.berlios.de/
# For a breakdown of the licensing, see COPYING
License: GPL+ and Public Domain
@@ -44,6 +45,7 @@ need to have Python and Tk installed in order to use fetchmailconf.
%prep
%setup -q
+%patch0 -p1 -b .cve-2011-1947
%build
%configure --enable-POP3 --enable-IMAP --with-ssl --with-hesiod \
@@ -82,6 +84,9 @@ rm -rf $RPM_BUILD_ROOT
%endif
%changelog
+* Thu Jun 02 2011 Vitezslav Crhonek <vcrhonek at redhat.com> - 6.3.19-5
+- Fix CVE-2011-1947
+
* Mon Mar 07 2011 Vitezslav Crhonek <vcrhonek at redhat.com> - 6.3.19-4
- Remove server(smtp) dependency
More information about the scm-commits
mailing list