Fix CVE-2011-1947
This commit is contained in:
Vitezslav Crhonek
parent
c63bd75345
commit
6185e3d2fc
76
fetchmail-6.3.19-cve-2011-1947.patch
Normal file
76
fetchmail-6.3.19-cve-2011-1947.patch
Normal file
@ -0,0 +1,76 @@
|
||||
commit 7dc67b8cf06f74aa57525279940e180c99701314
|
||||
Author: Matthias Andree <matthias.andree@gmx.de>
|
||||
Date: Thu May 26 01:47:41 2011 +0200
|
||||
|
||||
Run S(TART)TLS negotiation under timeout alarm.
|
||||
|
||||
Reported missing by Thomas Jarosch.
|
||||
|
||||
diff --git a/imap.c b/imap.c
|
||||
index dca3bab..397b391 100644
|
||||
--- a/imap.c
|
||||
+++ b/imap.c
|
||||
@@ -447,9 +447,9 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
|
||||
* whether TLS is mandatory or opportunistic unless SSLOpen() fails
|
||||
* (see below). */
|
||||
if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
|
||||
- && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
|
||||
+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
|
||||
ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
|
||||
- ctl->server.pollname, &ctl->remotename) != -1)
|
||||
+ ctl->server.pollname, &ctl->remotename)) != -1)
|
||||
{
|
||||
/*
|
||||
* RFC 2595 says this:
|
||||
@@ -473,9 +473,11 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
|
||||
} else if (must_tls(ctl)) {
|
||||
/* Config required TLS but we couldn't guarantee it, so we must
|
||||
* stop. */
|
||||
+ set_timeout(0);
|
||||
report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
|
||||
return PS_SOCKET;
|
||||
} else {
|
||||
+ set_timeout(0);
|
||||
if (outlevel >= O_VERBOSE) {
|
||||
report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue\n"), commonname);
|
||||
}
|
||||
diff --git a/pop3.c b/pop3.c
|
||||
index 3def391..9cf8494 100644
|
||||
--- a/pop3.c
|
||||
+++ b/pop3.c
|
||||
@@ -448,9 +448,9 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
|
||||
* whether TLS is mandatory or opportunistic unless SSLOpen() fails
|
||||
* (see below). */
|
||||
if (gen_transact(sock, "STLS") == PS_SUCCESS
|
||||
- && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
|
||||
+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
|
||||
ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
|
||||
- ctl->server.pollname, &ctl->remotename) != -1)
|
||||
+ ctl->server.pollname, &ctl->remotename)) != -1)
|
||||
{
|
||||
/*
|
||||
* RFC 2595 says this:
|
||||
@@ -465,6 +465,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
|
||||
* Now that we're confident in our TLS connection we can
|
||||
* guarantee a secure capability re-probe.
|
||||
*/
|
||||
+ set_timeout(0);
|
||||
done_capa = FALSE;
|
||||
ok = capa_probe(sock);
|
||||
if (ok != PS_SUCCESS) {
|
||||
@@ -477,6 +478,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
|
||||
} else if (must_tls(ctl)) {
|
||||
/* Config required TLS but we couldn't guarantee it, so we must
|
||||
* stop. */
|
||||
+ set_timeout(0);
|
||||
report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
|
||||
return PS_SOCKET;
|
||||
} else {
|
||||
@@ -485,6 +487,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
|
||||
* allowed til post-authentication), so leave it in an unknown
|
||||
* state, mark it as such, and check more carefully if things
|
||||
* go wrong when we try to authenticate. */
|
||||
+ set_timeout(0);
|
||||
connection_may_have_tls_errors = TRUE;
|
||||
if (outlevel >= O_VERBOSE)
|
||||
{
|
||||
@ -4,9 +4,10 @@
|
||||
Summary: A remote mail retrieval and forwarding utility
|
||||
Name: fetchmail
|
||||
Version: 6.3.19
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Source0: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz
|
||||
Source1: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz.asc
|
||||
Patch0: fetchmail-6.3.19-cve-2011-1947.patch
|
||||
URL: http://fetchmail.berlios.de/
|
||||
# For a breakdown of the licensing, see COPYING
|
||||
License: GPL+ and Public Domain
|
||||
@ -44,6 +45,7 @@ need to have Python and Tk installed in order to use fetchmailconf.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1 -b .cve-2011-1947
|
||||
|
||||
%build
|
||||
%configure --enable-POP3 --enable-IMAP --with-ssl --with-hesiod \
|
||||
@ -82,6 +84,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jun 02 2011 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.3.19-5
|
||||
- Fix CVE-2011-1947
|
||||
|
||||
* Mon Mar 07 2011 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.3.19-4
|
||||
- Remove server(smtp) dependency
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user