security update to 6.3.14, heap overflow in verbose mode SSL cert display

on signed char arch. http://www.fetchmail.info/fetchmail-SA-2010-01.txt "This might be exploitable to inject code if - - fetchmail is run in verbose mode AND - - the host running fetchmail considers char signed AND - - the server uses malicious certificates with non-printing characters that have the high bit set AND - - these certificates manage to inject shell-code that consists purely of printable characters. It is believed to be difficult to achieve all this."
2010-03-22 01:28:40 +00:00 · 2010-03-22 01:28:40 +00:00 · 3927255cfd
commit 3927255cfd
parent b11b8e9f9f
4 changed files with 16 additions and 16 deletions
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.118 2009/11/02 19:47:49 sthen Exp $
+# $OpenBSD: Makefile,v 1.119 2010/03/22 01:28:40 sthen Exp $

 COMMENT=	mail retrieval utility for POP2, POP3, KPOP, IMAP and more

-DISTNAME=	fetchmail-6.3.13
+DISTNAME=	fetchmail-6.3.14
 CATEGORIES=	mail
 MASTER_SITES=	${MASTER_SITE_BERLIOS:=fetchmail/}

--- a/mail/fetchmail/distinfo
+++ b/mail/fetchmail/distinfo
@ -1,5 +1,5 @@
-MD5 (fetchmail-6.3.13.tar.bz2) = 23kvsxG8NY6V7QQ3OJJprA==
-RMD160 (fetchmail-6.3.13.tar.bz2) = dGgyXzsrA6RxdbNyg5PMRA06mOY=
-SHA1 (fetchmail-6.3.13.tar.bz2) = kwzzquVBCFcrHGlcdd0Uz4ZfXRY=
-SHA256 (fetchmail-6.3.13.tar.bz2) = IGopn3ztnXNZYhzI5ZCiL5z8nHE2lkdOIRmhNAwumO4=
-SIZE (fetchmail-6.3.13.tar.bz2) = 1614718
+MD5 (fetchmail-6.3.14.tar.bz2) = htPPvOFRiB2L92oe/Vvaag==
+RMD160 (fetchmail-6.3.14.tar.bz2) = YgAXZN6tUqZs3sI5IJST8VA/45c=
+SHA1 (fetchmail-6.3.14.tar.bz2) = K8GPEh1bmeIlhJcMb4tiu2VDDEw=
+SHA256 (fetchmail-6.3.14.tar.bz2) = hlf3hvWvGFfds7UCA+bN4u+tQ/SYKJc8uyL21DEghgc=
+SIZE (fetchmail-6.3.14.tar.bz2) = 1621188
--- a/mail/fetchmail/patches/patch-Makefile_in
+++ b/mail/fetchmail/patches/patch-Makefile_in
@ -1,7 +1,7 @@
-$OpenBSD: patch-Makefile_in,v 1.13 2009/11/02 19:47:49 sthen Exp $
--- Makefile.in.orig	Fri Oct 30 02:09:45 2009
-+++ Makefile.in	Sun Nov  1 14:33:42 2009
-@@ -1425,7 +1425,7 @@ info: info-recursive
+$OpenBSD: patch-Makefile_in,v 1.14 2010/03/22 01:28:40 sthen Exp $
+--- Makefile.in.orig	Thu Feb  4 13:53:19 2010
+++ Makefile.in	Mon Mar 22 01:21:42 2010
+@@ -1567,7 +1567,7 @@ info: info-recursive
 
 info-am:
 
--- a/mail/fetchmail/patches/patch-configure
+++ b/mail/fetchmail/patches/patch-configure
@ -1,7 +1,7 @@
-$OpenBSD: patch-configure,v 1.14 2009/10/11 20:52:17 sthen Exp $
--- configure.orig	Sun Oct 11 20:56:53 2009
-+++ configure	Sun Oct 11 22:37:47 2009
-@@ -8275,7 +8275,7 @@ $as_echo "$ac_try_echo") >&5
+$OpenBSD: patch-configure,v 1.15 2010/03/22 01:28:40 sthen Exp $
+--- configure.orig	Thu Feb  4 23:34:35 2010
+++ configure	Mon Mar 22 01:21:42 2010
+@@ -8358,7 +8358,7 @@ $as_echo "$ac_try_echo") >&5
 	 test "$cross_compiling" = yes ||
 	 $as_test_x conftest$ac_exeext
        }; then
@ -10,7 +10,7 @@ $OpenBSD: patch-configure,v 1.14 2009/10/11 20:52:17 sthen Exp $
                 LTLIBINTL="$LTLIBINTL $LTLIBICONV"
                 gt_cv_func_gnugettext2_libintl=yes
 
-@@ -12561,7 +12561,7 @@ cat >>confdefs.h <<\_ACEOF
+@@ -12644,7 +12644,7 @@ cat >>confdefs.h <<\_ACEOF
 _ACEOF
 
   CFLAGS="$CFLAGS -I/usr/include/kerberosV"