2. Problem description and Impact ================================= Fetchmail has long had support to assemble log/error messages that are generated piecemeal, and takes care to reallocate the output buffer as needed. In the reallocation case, i. e. when long log messages are assembled that can stem from very long headers, and on systems that have a varargs.h/stdarg.h interface (all modern systems), fetchmail's code would fail to reinitialize the va_list argument to vsnprintf. The exact effects depend on the verbose mode (how many -v are given) of fetchmail, computer architecture, compiler, operating system and configuration. On some systems, the code just works without ill effects, some systems log a garbage message (potentially disclosing sensitive information), some systems log literally "(null)", some systems trigger SIGSEGV (signal #11), which crashes fetchmail, causing a denial of service on fetchmail's end. 3. Solution =========== Install fetchmail 6.4.20 or newer. The fetchmail source code is available from <https://sourceforge.net/projects/fetchmail/files/>. Distributors are encouraged to review the NEWS file and move forward to 6.4.20, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued, or documentation, or translation updates. Fetchmail 6.4.X releases have been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface incompatibly.
Package list is empty or all packages have requested keywords.
6.4.20 only contains the mentioned security fix on top of our current stable 6.4.19, so we can bump and mark it stable safely.
(In reply to Bernard Cafarelli from comment #9) > 6.4.20 only contains the mentioned security fix on top of our current stable > 6.4.19, so we can bump and mark it stable safely. Thank you!
x86 done
sparc stable
amd64 done
arm done
ppc64 done
ppc done all arches done
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f190d1fd7da098624e5f9bed8f534c53b07d91c commit 1f190d1fd7da098624e5f9bed8f534c53b07d91c Author: Bernard Cafarelli <voyageur@gentoo.org> AuthorDate: 2021-08-03 19:58:27 +0000 Commit: Bernard Cafarelli <voyageur@gentoo.org> CommitDate: 2021-08-03 19:58:27 +0000 net-mail/fetchmail: drop vulnerable version Bug: https://bugs.gentoo.org/804921 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org> net-mail/fetchmail/Manifest | 1 - net-mail/fetchmail/fetchmail-6.4.19.ebuild | 107 ----------------------------- 2 files changed, 108 deletions(-)
Thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfcd4678edd09ba6315f6d4fd358455772e2f957 commit dfcd4678edd09ba6315f6d4fd358455772e2f957 Author: Bernard Cafarelli <voyageur@gentoo.org> AuthorDate: 2021-08-21 16:07:08 +0000 Commit: Bernard Cafarelli <voyageur@gentoo.org> CommitDate: 2021-08-21 16:07:23 +0000 net-mail/fetchmail: 6.4.21 direct stable bump This is a regression fix on security stable 6.4.20, see upstream README Bug: https://bugs.gentoo.org/804921 Package-Manager: Portage-3.0.20, Repoman-3.0.3 RepoMan-Options: --force Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org> net-mail/fetchmail/Manifest | 2 +- net-mail/fetchmail/{fetchmail-6.4.20.ebuild => fetchmail-6.4.21.ebuild} | 0 2 files changed, 1 insertion(+), 1 deletion(-)
Unable to check for sanity: > no match for package: net-mail/fetchmail-6.4.20
Unable to check for sanity: > no match for package: net-mail/fetchmail-6.4.21
GLSA request filed
GLSA released, all done!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=10e37684de32c903d014e181ca429e2850397264 commit 10e37684de32c903d014e181ca429e2850397264 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-09-25 13:35:56 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-09-25 13:42:21 +0000 [ GLSA 202209-14 ] Fetchmail: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/804921 Bug: https://bugs.gentoo.org/810676 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202209-14.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+)