ports/116011: [PATCH] mail/fetchmail: fix CVE-2007-4565 Denial of Service
Matthias Andree
matthias.andree at gmx.de
Sun Sep 2 12:20:02 UTC 2007
>Number: 116011
>Category: ports
>Synopsis: [PATCH] mail/fetchmail: fix CVE-2007-4565 Denial of Service
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 02 12:20:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 6.2-RELEASE-p7 i386
>Organization:
>Environment:
System: FreeBSD rho.emma.line.org 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #1: Fri Aug 31 14:58:52 CEST 2007
>Description:
Add a patch to fix a denial of service vulnerability.
Corresponding VuXML update has been submitted separately,
"Subject: [PATCH] security/vuxml: add CVE-2007-4565 (fetchmail DoS)"
(PR# not yet assigned by GNATS)
This is the official patch from
http://www.fetchmail.info/fetchmail-SA-2007-02.txt
Added file(s):
- files/patch-CVE-2007-4565
Port maintainer (barner at FreeBSD.org) is cc'd.
Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
>Fix:
--- fetchmail-6.3.8_4.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/Makefile /usr/home/emma/ports/mail/fetchmail/Makefile
--- /usr/ports/mail/fetchmail/Makefile Mon Aug 13 16:31:54 2007
+++ /usr/home/emma/ports/mail/fetchmail/Makefile Sun Sep 2 13:20:51 2007
@@ -11,7 +11,7 @@
PORTNAME= fetchmail
PORTVERSION= 6.3.8
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= mail ipv6
MASTER_SITES= ${MASTER_SITE_BERLIOS} \
${MASTER_SITE_SUNSITE:S/$/:sunsite/}\
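Review bot: the PORTREVISION bump from 3 to 4 makes the fixed package 6.3.8_4, so the separately submitted VuXML entry should list versions below 6.3.8_4 as affected. Cross-check the two once that PR has a number, so that package audit tooling stops flagging hosts only after they have rebuilt with this patch.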
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/patch-CVE-2007-4565 /usr/home/emma/ports/mail/fetchmail/files/patch-CVE-2007-4565
--- /usr/ports/mail/fetchmail/files/patch-CVE-2007-4565 Thu Jan 1 01:00:00 1970
+++ /usr/home/emma/ports/mail/fetchmail/files/patch-CVE-2007-4565 Sun Sep 2 13:19:35 2007
@@ -0,0 +1,11 @@
+--- sink.c (revision 5118)
++++ sink.c (revision 5119)
+@@ -262,7 +262,7 @@
+ const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
+
+ /* don't bounce in reply to undeliverable bounces */
+- if (!msg->return_path[0] ||
++ if (!msg || !msg->return_path[0] ||
+ strcmp(msg->return_path, "<>") == 0 ||
+ strcasecmp(msg->return_path, md1) == 0 ||
+ strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
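Review bot: in the sink.c hunk, the comment above the condition still reads only "don't bounce in reply to undeliverable bounces", which does not explain the new !msg test. A short comment saying when msg can be NULL on entry would make the guard self-documenting. The visible context also does not show what the branch does when the condition is true, so confirm that it returns there and that nothing later in the function dereferences msg without the same check.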
--- fetchmail-6.3.8_4.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: