[fetchmail] Fix CVE-2011-1947

vcrhonek vcrhonek at fedoraproject.org
Thu Jun 2 14:46:23 UTC 2011


commit 6185e3d2fcca5605334fd7c943333636698bb1f7
Author: Vitezslav Crhonek <vcrhonek at redhat.com>
Date:   Thu Jun 2 16:46:05 2011 +0200

    Fix CVE-2011-1947

 fetchmail-6.3.19-cve-2011-1947.patch |   76 ++++++++++++++++++++++++++++++++++
 fetchmail.spec                       |    7 +++-
 2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/fetchmail-6.3.19-cve-2011-1947.patch b/fetchmail-6.3.19-cve-2011-1947.patch
new file mode 100644
index 0000000..2f14096
--- /dev/null
+++ b/fetchmail-6.3.19-cve-2011-1947.patch
@@ -0,0 +1,76 @@
+commit 7dc67b8cf06f74aa57525279940e180c99701314
+Author: Matthias Andree <matthias.andree at gmx.de>
+Date:   Thu May 26 01:47:41 2011 +0200
+
+    Run S(TART)TLS negotiation under timeout alarm.
+    
+    Reported missing by Thomas Jarosch.
+
+diff --git a/imap.c b/imap.c
+index dca3bab..397b391 100644
+--- a/imap.c
++++ b/imap.c
+@@ -447,9 +447,9 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
+ 	     * whether TLS is mandatory or opportunistic unless SSLOpen() fails
+ 	     * (see below). */
+ 	    if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
+-		    && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
++		    && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ 			ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
+-			ctl->server.pollname, &ctl->remotename) != -1)
++			ctl->server.pollname, &ctl->remotename)) != -1)
+ 	    {
+ 		/*
+ 		 * RFC 2595 says this:
+@@ -473,9 +473,11 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
+ 	    } else if (must_tls(ctl)) {
+ 		/* Config required TLS but we couldn't guarantee it, so we must
+ 		 * stop. */
++		set_timeout(0);
+ 		report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
+ 		return PS_SOCKET;
+ 	    } else {
++		set_timeout(0);
+ 		if (outlevel >= O_VERBOSE) {
+ 		    report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue\n"), commonname);
+ 		}
+diff --git a/pop3.c b/pop3.c
+index 3def391..9cf8494 100644
+--- a/pop3.c
++++ b/pop3.c
+@@ -448,9 +448,9 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ 		* whether TLS is mandatory or opportunistic unless SSLOpen() fails
+ 		* (see below). */
+ 	       if (gen_transact(sock, "STLS") == PS_SUCCESS
+-		       && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
++		       && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ 			   ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
+-			   ctl->server.pollname, &ctl->remotename) != -1)
++			   ctl->server.pollname, &ctl->remotename)) != -1)
+ 	       {
+ 		   /*
+ 		    * RFC 2595 says this:
+@@ -465,6 +465,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ 		    * Now that we're confident in our TLS connection we can
+ 		    * guarantee a secure capability re-probe.
+ 		    */
++		   set_timeout(0);
+ 		   done_capa = FALSE;
+ 		   ok = capa_probe(sock);
+ 		   if (ok != PS_SUCCESS) {
+@@ -477,6 +478,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ 	       } else if (must_tls(ctl)) {
+ 		   /* Config required TLS but we couldn't guarantee it, so we must
+ 		    * stop. */
++		   set_timeout(0);
+ 		   report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
+ 		   return PS_SOCKET;
+ 	       } else {
+@@ -485,6 +487,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ 		    * allowed til post-authentication), so leave it in an unknown
+ 		    * state, mark it as such, and check more carefully if things
+ 		    * go wrong when we try to authenticate. */
++		   set_timeout(0);
+ 		   connection_may_have_tls_errors = TRUE;
+ 		   if (outlevel >= O_VERBOSE)
+ 		   {
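Review bot: The imap.c part of this backport arms the alarm with `set_timeout(mytimeout)` before `SSLOpen()` but, in the lines shown, disarms it only on the two failure branches, whereas the pop3.c part also adds `set_timeout(0);` on the success branch before `capa_probe(sock)`. The success branch of `imap_getauth` sits between the two imap.c hunks and is not visible here, so unless later code there resets the timer, an alarm armed for the handshake could still be pending during post-handshake work. I would add `set_timeout(0);` as the first statement after a successful `SSLOpen()` in imap.c to mirror pop3.c. Alternatively, wrapping arm/`SSLOpen()`/disarm in one small helper would cover every exit path and remove the comma expression from the `if` condition, which is easy to misread. Both `imap_getauth` and `pop3_getauth` begin and end outside the quoted context.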
diff --git a/fetchmail.spec b/fetchmail.spec
index c63120d..618e0b2 100644
--- a/fetchmail.spec
+++ b/fetchmail.spec
@@ -4,9 +4,10 @@
 Summary: A remote mail retrieval and forwarding utility
 Name: fetchmail
 Version: 6.3.19
-Release: 4%{?dist}
+Release: 5%{?dist}
 Source0: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz
 Source1: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz.asc
+Patch0: fetchmail-6.3.19-cve-2011-1947.patch
 URL: http://fetchmail.berlios.de/
 # For a breakdown of the licensing, see COPYING
 License: GPL+ and Public Domain
@@ -44,6 +45,7 @@ need to have Python and Tk installed in order to use fetchmailconf.
 
 %prep
 %setup -q
+%patch0 -p1 -b .cve-2011-1947
 
 %build
 %configure --enable-POP3 --enable-IMAP --with-ssl --with-hesiod \
@@ -82,6 +84,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Thu Jun 02 2011 Vitezslav Crhonek <vcrhonek at redhat.com> - 6.3.19-5
+- Fix CVE-2011-1947
+
 * Mon Mar 07 2011 Vitezslav Crhonek <vcrhonek at redhat.com> - 6.3.19-4
 - Remove server(smtp) dependency
 

