Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fetchmail: 6.4.16 -> 6.4.20 #131898

Merged
merged 1 commit into from
Jul 29, 2021
Merged

fetchmail: 6.4.16 -> 6.4.20 #131898

merged 1 commit into from
Jul 29, 2021

Conversation

mweinelt
Copy link
Member

@mweinelt mweinelt commented Jul 28, 2021
edited
Loading

Motivation for this change

https://www.openwall.com/lists/oss-security/2021/07/28/5

Fixes: CVE-2021-36386

Fetchmail has long had support to assemble log/error messages that are
generated piecemeal, and takes care to reallocate the output buffer as needed.
In the reallocation case, i. e. when long log messages are assembled that can
stem from very long headers, and on systems that have a varargs.h/stdarg.h
interface (all modern systems), fetchmail's code would fail to reinitialize
the va_list argument to vsnprintf.

The exact effects depend on the verbose mode (how many -v are given) of
fetchmail, computer architecture, compiler, operating system and
configuration. On some systems, the code just works without ill effects, some
systems log a garbage message (potentially disclosing sensitive information),
some systems log literally "(null)", some systems trigger SIGSEGV (signal
#11), which crashes fetchmail, causing a denial of service on fetchmail's end.

Qualifies for a direct backport

Distributors are encouraged to review the NEWS file and move forward to
6.4.20, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued, or documentation,
or translation updates.

Fetchmail 6.4.X releases have been made with a focus on unchanged user and
program interfaces so as to avoid disruptions when upgrading from 6.3.Z or
6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface
incompatibly.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes (or backporting 21.05 Relase notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@mweinelt mweinelt mentioned this pull request Jul 28, 2021
Closed
@ofborg ofborg bot requested a review from peti July 28, 2021 22:17
@nlewo nlewo merged commit f417e6e into NixOS:master Jul 29, 2021
@github-actions github-actions bot mentioned this pull request Jul 29, 2021
Merged
1 task
@github-actions
Copy link
Contributor

Successfully created backport PR #131923 for release-21.05.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peti peti Awaiting requested review from peti

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mweinelt @nlewo