Fix CVE-2011-1947
parent
c63bd75345
commit
6185e3d2fc
76
fetchmail-6.3.19-cve-2011-1947.patch
Normal file
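--- a/fetchmail-6.3.19-cve-2011-1947.patch
+++ b/fetchmail-6.3.19-cve-2011-1947.patch
@@ -0,0 +1,76 @@
+commit 7dc67b8cf06f74aa57525279940e180c99701314
+Author: Matthias Andree <matthias.andree@gmx.de>
+Date: Thu May 26 01:47:41 2011 +0200
+
+Run S(TART)TLS negotiation under timeout alarm.
+
+Reported missing by Thomas Jarosch.
+
+diff --git a/imap.c b/imap.c
+index dca3bab..397b391 100644
+--- a/imap.c
++++ b/imap.c
+@@ -447,9 +447,9 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
+* whether TLS is mandatory or opportunistic unless SSLOpen() fails
+* (see below). */
+if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
+- && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
+- ctl->server.pollname, &ctl->remotename) != -1)
++ ctl->server.pollname, &ctl->remotename)) != -1)
+{
+/*
+* RFC 2595 says this:
+@@ -473,9 +473,11 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
+} else if (must_tls(ctl)) {
+/* Config required TLS but we couldn't guarantee it, so we must
+* stop. */
++ set_timeout(0);
+report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
+return PS_SOCKET;
+} else {
++ set_timeout(0);
+if (outlevel >= O_VERBOSE) {
+report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue\n"), commonname);
+}
+diff --git a/pop3.c b/pop3.c
+index 3def391..9cf8494 100644
+--- a/pop3.c
++++ b/pop3.c
+@@ -448,9 +448,9 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+* whether TLS is mandatory or opportunistic unless SSLOpen() fails
+* (see below). */
+if (gen_transact(sock, "STLS") == PS_SUCCESS
+- && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
+- ctl->server.pollname, &ctl->remotename) != -1)
++ ctl->server.pollname, &ctl->remotename)) != -1)
+{
+/*
+* RFC 2595 says this:
+@@ -465,6 +465,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+* Now that we're confident in our TLS connection we can
+* guarantee a secure capability re-probe.
+*/
++ set_timeout(0);
+done_capa = FALSE;
+ok = capa_probe(sock);
+if (ok != PS_SUCCESS) {
+@@ -477,6 +478,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+} else if (must_tls(ctl)) {
+/* Config required TLS but we couldn't guarantee it, so we must
+* stop. */
++ set_timeout(0);
+report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
+return PS_SOCKET;
+} else {
+@@ -485,6 +487,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+* allowed til post-authentication), so leave it in an unknown
+* state, mark it as such, and check more carefully if things
+* go wrong when we try to authenticate. */
++ set_timeout(0);
+connection_may_have_tls_errors = TRUE;
+if (outlevel >= O_VERBOSE)
+{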
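Review bot: The imap.c hunks clear the alarm with `set_timeout(0);` only on the two failure branches, whereas pop3.c also clears it at the top of the success branch (the `@@ -465,6 +465,7 @@` hunk, just before `done_capa = FALSE;`); no matching call is visible for the success path of `imap_getauth`. The lines between the two imap.c hunks are not shown, so the timer may already be cleared there or by the next transaction, but if it is not, the alarm armed by `set_timeout(mytimeout)` stays pending after a successful handshake and could fire during later, unrelated work. I would add `set_timeout(0);` as the first statement of the imap.c success branch to mirror pop3.c, and put a short comment on the comma expression in both files, for example `/* arm the timeout only once the server accepted STARTTLS; every branch below must clear it */`. Both `imap_getauth` and `pop3_getauth` start and end outside the hunks shown.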
@ -4,9 +4,10 @@
|
|||||||
Summary: A remote mail retrieval and forwarding utility
|
Summary: A remote mail retrieval and forwarding utility
|
||||||
Name: fetchmail
|
Name: fetchmail
|
||||||
Version: 6.3.19
|
Version: 6.3.19
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Source0: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz
|
Source0: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz
|
||||||
Source1: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz.asc
|
Source1: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz.asc
|
||||||
|
Patch0: fetchmail-6.3.19-cve-2011-1947.patch
|
||||||
URL: http://fetchmail.berlios.de/
|
URL: http://fetchmail.berlios.de/
|
||||||
# For a breakdown of the licensing, see COPYING
|
# For a breakdown of the licensing, see COPYING
|
||||||
License: GPL+ and Public Domain
|
License: GPL+ and Public Domain
|
||||||
@ -44,6 +45,7 @@ need to have Python and Tk installed in order to use fetchmailconf.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch0 -p1 -b .cve-2011-1947
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --enable-POP3 --enable-IMAP --with-ssl --with-hesiod \
|
%configure --enable-POP3 --enable-IMAP --with-ssl --with-hesiod \
|
||||||
@ -82,6 +84,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 02 2011 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.3.19-5
|
||||||
|
- Fix CVE-2011-1947
|
||||||
|
|
||||||
* Mon Mar 07 2011 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.3.19-4
|
* Mon Mar 07 2011 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.3.19-4
|
||||||
- Remove server(smtp) dependency
|
- Remove server(smtp) dependency
|
||||||
|
|
||||||
|