fetchmail: lost patch: APOP and default fetchsizelimit

Automatically imported from Debian bug report #323027 http://bugs.debian.org/323027

Message-ID: <email address hidden>
Date: Sun, 14 Aug 2005 10:39:04 +0200
From: Arnaud Giersch <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: fetchmail: lost patch: APOP and default fetchsizelimit

Package: fetchmail
Version: 6.2.5-12sarge1
Severity: normal

Hello,

I use APOP authentication to retrieve my mails with fetchmail. Since
last security update, it doesn't work any more when there are several
mails to fetch:

  fetchmail: 4 messages for XXX at XXX (3180 octets).
  fetchmail: cannot get a range of message sizes (1-4).
  fetchmail: client/server protocol error while fetching from XXX
  fetchmail: Query status=4 (PROTOCOL)

A workaround is to add "fetchsizelimit 1" in the procmailrc
configuration file.

A quick diff between fetchmail-6.2.5-12 and fetchmail-6.2.5-12sarge1
shows that the following patch was lost between the two releases:

diff -Naur fetchmail-6.2.5-12/driver.c fetchmail-6.2.5-12sarge1/driver.c
--- fetchmail-6.2.5-12/driver.c 2005-08-14 00:29:02.000000000 +0200
+++ fetchmail-6.2.5-12sarge1/driver.c 2005-08-14 00:29:23.000000000 +0200
@@ -426,11 +426,8 @@
        /* for POP3, we can get the size of one mail only! Unfortunately, this
         * protocol specific test cannot be done elsewhere as the protocol
         * could be "auto". */
- switch (ctl->server.protocol)
- {
- case P_POP3: case P_APOP: case P_RPOP:
+ if (ctl->server.protocol == P_POP3)
            fetchsizelimit = 1;
- }

        /* Time to allocate memory to store the sizes */
        xalloca(msgsizes, int *, sizeof(int) * fetchsizelimit);

Regards,

        Arnaud

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages fetchmail depends on:
ii adduser 3.63 Add and remove users and groups
ii base-files 3.1.2 Debian base system miscellaneous f
ii debconf 1.4.30.13 Debian configuration management sy
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libssl0.9.7 0.9.7e-3 SSL shared libraries

-- no debconf information

Message-ID: <email address hidden>
Date: Wed, 31 Aug 2005 16:07:23 +0200
From: Kai Steverding <email address hidden>
To: <email address hidden>
Subject: Please Update the severity

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The fetchmail paket is almost unusable in APOP mode without setting
"fetchlimit 1". If it isn't so easy to change the .fetchmailrc for some
reason there is no way to get your mails via APOP.

Please set the severity to important or even grave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDFbmbaoKL0dhmIeERAhKiAJ9vDmohA/bb/3+KLYp1lD149XEdcwCeOV/s
Sy6gP/ZhdhRT7iEvF4y2fNo=
=dq1+
-----END PGP SIGNATURE-----

Message-ID: <email address hidden>
Date: Wed, 31 Aug 2005 16:20:00 +0200
From: Kai Steverding <email address hidden>
To: <email address hidden>
Subject: Bug 323027

severity 323027 important

Message-ID: <email address hidden>
Date: Mon, 12 Sep 2005 23:30:58 +0200
From: Nico Golde <email address hidden>
To: Claudio =?iso-8859-1?Q?Andr=E9?= Till Clemens <email address hidden>,
        <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#327893: fetchmail: Fetchmail 6.2.5-12sarge1 hast broken APOP. Query status=4
 (PROTOCOL)

--M/SuVGWktc5uNpra
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

merge 323027 327893
* Claudio Andr=E9 Till Clemens <email address hidden> [2005-09-12 23:08]:
> Package: fetchmail
> Version: 6.2.5-12sarge1
> Severity: important
>=20
> I'm having now problems with the security version of fetchmail,
> 6.2.5-12sarge1. The previous version (6.2.5-12) was working perfectly.
> The problem seems to come only with APOP as Protocol, and only if there
> is more than one messages in the pool. When I change to POP3 it works
> again, but that is not an option. fetchmail claims it is allways a
> protocol error.

Yes it seems like the new version made by the security team=20
lost its support for apop :(

> Here the output of fetchmail -vvvvv:
[...]=20
> I'll try then the version for sid (6.3.5-18). Maybe there is no problem
> with unstable :).

Yes that would be nice, since I am not using apop. Please=20
report if it works so if it does we can provide a fixed=20
package.
Regards Nico

--=20
Nico Golde - JAB: <email address hidden> | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org=20
VIM has two modes - the one in which it beeps=20
and the one in which it doesn't -- encrypted mail preferred

--M/SuVGWktc5uNpra
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDJfOSHYflSXNkfP8RAhzaAJwKWJrEPxCqzb8juqos49drMwjxTgCfXhZ0
v0g3GSIU3RD7f7nn3YC+jro=
=fSIx
-----END PGP SIGNATURE-----

--M/SuVGWktc5uNpra--

Message-ID: <email address hidden>
Date: Sat, 29 Oct 2005 15:31:20 +0200
From: <email address hidden> (Matthias Andree)
To: <email address hidden>

tags 323027 + grave

Message-ID: <email address hidden>
Date: Sat, 29 Oct 2005 15:54:40 +0200
From: <email address hidden> (Matthias Andree)
To: <email address hidden>

severity 323027 grave

*** Bug 24759 has been marked as a duplicate of this bug. ***

Message-ID: <email address hidden>
Date: Sat, 5 Nov 2005 13:10:13 +0100
From: Nico Golde <email address hidden>
To: <email address hidden>
Subject: merging #327893 #323027

--dDRMvlgZJXvWKvBx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

merge 327893 323027
# Hi,
# the APOP problem is pretty much the same so I merge the=20
# bugs.

--=20
Nico Golde - JAB: <email address hidden> | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!

--dDRMvlgZJXvWKvBx
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDbKEkHYflSXNkfP8RAiOKAJ9vUK88W8nCLDrU1x/2I8O5ONFVhgCdG0k/
F94CevuGykWb/e3PH1C37WU=
=m4wl
-----END PGP SIGNATURE-----

--dDRMvlgZJXvWKvBx--

Message-ID: <email address hidden>
Date: Mon, 14 Nov 2005 21:06:47 +0100
From: Nico Golde <email address hidden>
To: Loic Minier <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#323027: IMPORTANT: fetchmail regression in 6.2.5-12sarge1

--IJpNTDwzlM2Ie8A6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,
* Loic Minier <email address hidden> [2005-11-14 20:56]:
> While preparing a fix for CVE-2005-3088 (#336096), the Debian bugs
> #323027 and #327893 were brought to my attention. It seems to me other
> quality fixes were included in the 6.2.5-12sarge1 version, basically
> including parts of the upstream "6.2.5.2" stable release and causing
> new bugs to appear; I believe this is far too much changes for a
> security upload.

What do you think exactly? The changes from 6.2.5.2 fixed=20
CVE-2005-2335, Steve Kemp prepared the fixed package.
But you are right it seems that some things are broken, for=20
example the apop support.

> I attach "fetchmail_6.2.5-12sarge1.diff", the interdiff between
> 6.2.5-12 and 6.2.5-12sarge1, for you to recheck you want to include it
> completely. My understanding is that the patch in
> "fetchmail_CAN-2005-2335.diff" would have been enough for sarge1.

yes

> Since I'm preparing sarge2, I propose I revert the changes of sarge1,
> except for "fetchmail_CAN-2005-2335.diff", and fix CVE-2005-3088 with
> the patch I've already sent you. I can also prepare a stable upload
> based on sarge2 with more fixes (possibly all) from the stable upstream
> release 6.2.5.4.
>=20
> Please let me know rapidly whether this suits you.

[...]=20
Ok with me.
Regards Nico
--=20
Nico Golde - JAB: <email address hidden> | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!

--IJpNTDwzlM2Ie8A6
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDeO5XHYflSXNkfP8RAityAKCtNvc5wtNLGP9h72VV0KAMjb7c8QCdEIIs
YWJ9VejYWl9MkDwbw13Eaiw=
=FCgx
-----END PGP SIGNATURE-----

--IJpNTDwzlM2Ie8A6--

Message-ID: <email address hidden>
Date: Tue, 15 Nov 2005 09:17:26 +0100
From: Loic Minier <email address hidden>
To: Nico Golde <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#323027: IMPORTANT: fetchmail regression in 6.2.5-12sarge1

On Mon, Nov 14, 2005, Nico Golde wrote:
> What do you think exactly? The changes from 6.2.5.2 fixed=20
> CVE-2005-2335, Steve Kemp prepared the fixed package.
> But you are right it seems that some things are broken, for=20
> example the apop support.

 I think the changes in 6.2.5.2 included a fix for CVE-2005-2335, and
 only this fix should have been uploaded.

 Now that sarge2 is already on the tracks, I propose to prepare a sarge3
 with everything from sarge1 reverted and fetchmail_CAN-2005-2335.diff
 applied instead (along with patch.CVE-2005-3088.fetchmail of course).

 Security team, please ack the proposed changes.

 Alternatively, we could live with the regression and I could prepare a
 stable upload with all fixes from 6.2.5.4.

   Bye,
--=20
Lo=EFc Minier <email address hidden>

We only applied the minimal patch, so this does not affect us.

Message-ID: <email address hidden>
Date: Mon, 21 Nov 2005 08:56:58 +0100
From: Nico Golde <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: APOP support

--bp/iNruPH9dso1Pn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,
can you check if it the APOP support is working with the=20
latest version in sarge(sarge3)?
Regards Nico

--=20
Nico Golde - JAB: <email address hidden> | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!

--bp/iNruPH9dso1Pn
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDgX3KHYflSXNkfP8RAkocAKCfVt+77TpBa58cEteoYqVnYgb0SACgoKBf
B7NDapOWlwFj7Vek/Tz9kS8=
=JfVZ
-----END PGP SIGNATURE-----

--bp/iNruPH9dso1Pn--

Message-Id: <email address hidden>
Date: Mon, 09 Jan 2006 11:11:49 +0100
From: =?ISO-8859-1?Q?H=E9ctor_Garc=EDa?= <email address hidden>
To: <email address hidden>
Subject:

--=-98I7cJjDy2fdsNn/jP62
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

merge 323027 327893
thanks

--=-98I7cJjDy2fdsNn/jP62
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQBDwjblMwsDi2xjdG0RAkhmAKC5dx71PMbyuzEfU4GnnqyjocJQcwCfaHHq
3Dh+mlfWAKAI+wCyU/f8oMA=
=++8S
-----END PGP SIGNATURE-----

--=-98I7cJjDy2fdsNn/jP62--

Message-Id: <email address hidden>
Date: Mon, 09 Jan 2006 11:43:49 +0100
From: =?ISO-8859-1?Q?H=E9ctor_Garc=EDa?= <email address hidden>
To: <email address hidden>
Subject: Closing fixed bug

--=-8tQ07ymOgHtoVIm0H2jn
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi,

This bug was fixed on version 6.2.5-12sarge3 uploaded by the security
team.

Thanks for reporting bugs,

H=C3=A9ctor

--=-8tQ07ymOgHtoVIm0H2jn
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQBDwj5lMwsDi2xjdG0RAtIzAKCuyPj1Q2gBrAQ/lleyu8IbdMwi1gCfWPLl
TjTGBmQhy1JZ9kCCBlD0qmo=
=O47k
-----END PGP SIGNATURE-----

--=-8tQ07ymOgHtoVIm0H2jn--