Bug 391387

Summary:	mail-client/alpine bundles a vunerable copy of uw-imap/c-client (fails to build with USE=ssl and USE=kerberos), GLSA 200911-03
Product:	Gentoo Linux	Reporter:	Kacper Kowalik (Xarthisius) (RETIRED) <xarthisius>
Component:	Current packages	Assignee:	Sascha Lucas <sascha_lucas>
Status:	RESOLVED FIXED
Severity:	normal	CC:	andy.dalton, atoth, bug, cedric.godin, che, gentoo_bugs_2_peep, gseanmcg, kwilson, longbow, net-mail+disabled, security, srcshelton, tpfaff, vereecke.jan
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	251464
Attachments:	build log add -lcrypto to LIBS

Description Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-11-22 15:06:35 UTC

Created attachment 293411 [details]
build log

Portage 2.2.0_alpha77 (default/linux/amd64/10.0, gcc-4.6.2, glibc-2.13-r4, 3.1.0-gentoo x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.1.0-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P9600_@_2.66GHz-with-gentoo-2.1
Timestamp of tree: Tue, 22 Nov 2011 01:45:02 +0000
ccache version 3.1.6 [disabled]
app-shells/bash:          4.2_p10
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r3, 3.2.2
dev-util/ccache:          3.1.6
dev-util/cmake:           2.8.6-r3
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1
sys-apps/openrc:          0.9.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.10.3, 1.11.1-r1
sys-devel/binutils:       2.22
sys-devel/gcc:            4.5.3-r1, 4.6.2
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo science
Installed sets: @kernel-dep, @system, @x11-drivers
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA skype-eula dlj-1.1 AdobeFlash-10.1 PUEL google-chrome google-talkplugin Oracle-BCLA-JavaSE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet-build=n"
FEATURES="assume-digests binpkg-logs buildpkg distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs protect-owned sandbox sfperms sign split-elog split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="POSIX"
LC_ALL="POSIX"
LDFLAGS="-Wl,--as-needed -Wl,--hash-style=gnu,-O1"
LINGUAS="en pl"
MAKEOPTS="-j4"
PKGDIR="/opt/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/sci"
SYNC="rsync://ladon/gentoo-portage"
USE="X acl acpi alsa amd64 aspell bash-completion bluetooth bzip2 cli consolekit cracklib crypt cups cxx dbus dell dhclient djvu dri enca fortran gd gdlib gnome gnome-keyring gpm gtk hdf5 hvm iconv icu imagemagick jpeg lapack laptop latex libnotify mmx modules mp3 mpi mudflap multilib ncurses networkmanager nls nptl nptlonly ntp ogg opengl openmp pam pcre pdf png policykit pppd python qt3support readline session slang spell sse sse2 ssl startup-notification sysfs tcpd theora threads thunar truetype udev unicode usb vim-syntax xinerama xorg zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="lvm syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en pl" PHP_TARGETS="php5-3" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Thomas Pfaff 2011-11-24 11:25:02 UTC

Created attachment 293611 [details, diff]
add -lcrypto to LIBS

I don't know what might have changed, but after adding -lcrypto to libs it works.

Following patch is required for the ebuild :


--- /usr/portage/mail-client/alpine/alpine-2.00-r4.ebuild       2011-09-03 19:01:16.000000000 +0200
+++ alpine-2.00-r4.ebuild       2011-11-24 12:09:02.841176822 +0100
@@ -4,7 +4,7 @@
 
 EAPI="2"
 
-inherit eutils flag-o-matic
+inherit eutils autotools flag-o-matic
 
 # http://staff.washington.edu/chappa/alpine/patches/${P}/log.txt
 CHAPPA_PL="73"
@@ -64,7 +64,10 @@
 src_prepare() {
        use chappa && epatch "${DISTDIR}"/${P}-chappa-${CHAPPA_PL}-all.patch.gz
        use topal && epatch /usr/share/topal/patches/${P}.patch-{1,2}
-
+       if use ssl ; then
+               epatch "${FILESDIR}"/2.00-lcrypto.patch
+               eautoreconf
+       fi
        epatch "${FILESDIR}"/2.00-lpam.patch
        cd "${S}/imap/src/c-client"
        epatch "${FILESDIR}"/CVE-2008-5514.patch

Comment 2 Thomas Pfaff 2011-11-25 10:44:32 UTC

Digging a little deeper i found that this is caused by the recent binutils update to 2.22. Building with the former release 2.21.1 worked without adding lcrypto to LDFLAGS.

Comment 3 Sascha Lucas 2012-02-13 20:45:53 UTC

Hi,

(In reply to comment #2)
> Digging a little deeper i found that this is caused by the recent binutils
> update to 2.22. Building with the former release 2.21.1 worked without adding
> lcrypto to LDFLAGS.

thanks a lot for your investigation. i'm working to push this into main portage-tree.

Sascha.

Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev

2012-10-08 18:23:36 UTC

*** Bug 431454 has been marked as a duplicate of this bug. ***

Comment 5 Eray Aslan gentoo-dev

2012-10-08 18:42:55 UTC

(In reply to comment #3)
> thanks a lot for your investigation. i'm working to push this into main
> portage-tree.

ping?  With mail-client/pine masked for removal, this bug is somewhat more urgent now.  Thanks.

Comment 6 Robin Johnson archtester

2012-10-08 18:50:23 UTC

In the alpine source, the directory 'imap' is the upstream uw-imap imap source, of an intermediate unreleased version, labelled 2007c, between the released 2007b and 2007d.

As such, it has the two security vulnerabilities for c-client as described by GLSA 200911-03.

It should link dynamically against virtual/imap-c-client, and NOT used the bundled version at all.

This will also provide you with all of the other fixes in the uw-imap/c-client package for free.

Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev

2012-10-08 19:09:45 UTC

*** Bug 267918 has been marked as a duplicate of this bug. ***

Comment 8 Eray Aslan gentoo-dev

2012-10-15 13:27:15 UTC

(In reply to comment #6)
> It should link dynamically against virtual/imap-c-client, and NOT used the
> bundled version at all.

Should be "fixed" in =mail-client/alpine-2.00-r5.  In order not to lose maildir support in alpine, part of the Chappa patches moved to c-client library.  Too much of a hack and nothing to be proud of but the alternative was worse.

I have decided against using Chappa patches for net-mail/uw-imap -the daemon- and only patched net-libs/c-client.

Please let me know if you have any problems/suggestions.  The code shows its age and is not pleasant to work with btw.

Comment 9 torben.hensgens 2012-10-15 19:02:31 UTC

Currently installed alpine-2.00-r5, seems to work, no problems so far. :)

Comment 10 Eray Aslan gentoo-dev

2012-10-23 05:35:53 UTC

*** Bug 439266 has been marked as a duplicate of this bug. ***

Comment 11 Eray Aslan gentoo-dev

2012-10-31 04:53:56 UTC

*** Bug 440246 has been marked as a duplicate of this bug. ***

Comment 12 snIP3r 2012-11-30 20:00:16 UTC

hi all!

i am a little confused about the update of alpine to 2.00-r5 cause it causes a block here with my uw-imap installation:

area52 ~ # emerge -av alpine

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] net-libs/c-client-2007f-r4  USE="chappa ipv6 pam ssl -doc -kerberos -static-libs -topal" 30 kB
[ebuild     U  ] mail-client/alpine-2.00-r5 [2.00-r4] USE="chappa ipv6 nls -doc -kerberos -ldap -onlyalpine -passfile -smime -spell -ssl -threads -t                            opal" 208 kB
[blocks B      ] net-libs/c-client ("net-libs/c-client" is blocking net-mail/uw-imap-2007f-r1)
[blocks B      ] net-mail/uw-imap ("net-mail/uw-imap" is blocking net-libs/c-client-2007f-r4)

Total: 2 packages (1 upgrade, 1 new), Size of downloads: 238 kB
Conflict: 2 blocks (2 unsatisfied)

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  (net-libs/c-client-2007f-r4::gentoo, ebuild scheduled for merge) pulled in by
    >=net-libs/c-client-2007f-r4[-topal,chappa] required by (mail-client/alpine-2.00-r5::gentoo, ebuild scheduled for merge)

  (net-mail/uw-imap-2007f-r1::gentoo, installed) pulled in by
    net-mail/uw-imap required by @selected


For more information about Blocked Packages, please refer to the following
section of the Gentoo Linux x86 Handbook (architecture is irrelevant):

http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?full=1#blocked


The following USE changes are necessary to proceed:
#required by mail-client/alpine-2.00-r5, required by @selected, required by @world (argument)
>=net-libs/c-client-2007f-r4 chappa

Use --autounmask-write to write changes to config files (honoring CONFIG_PROTECT).

i hope theres a way out of this confusion...

Comment 13 Eray Aslan gentoo-dev

2012-11-30 20:25:00 UTC

(In reply to comment #12)
> i am a little confused about the update of alpine to 2.00-r5 cause it causes
> a block here with my uw-imap installation:

Correct.  Unfortunately, we do not support alpine and uw-imap at the same time currently (because of unbundling of c-client library).  One has to patch uw-imap with chappa patches to support alpine and I do not think patching uw-imap is such a good idea.  Some other text based mail client might be a possible solution.