Fix one more CVE-2008-2711 va_start() messup. Found by Petr Uzel.

Bump release to -rc2.

svn path=/branches/BRANCH_6-3/; revision=5205

diff --git a/NEWS b/NEWS
index d326c5a66b447715b355adac87669b3acb0ac9ad..415e96ddaea230222c925008fd6e466053f5498c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -61,6 +61,8 @@ fetchmail 6.3.9 (not yet released):
   random memory location (it calls va_arg() too often without
   resetting it with va_start()). Based on a patch (BerliOS patch #2492)
   by Petr Uzel, fixes Novell Bug #354291.
+  Note 6.3.9-rc1 did not completely fix this issue, so it was redrawn a few 
+  hours after its release.
   See also fetchmail-SA-2008-01.txt.
 * When expunging, mark the right messages as seen to avoid message loss in "keep
   flush" configurations.  Workaround for previous versions: "expunge 0".

diff --git a/configure.ac b/configure.ac
index f972b547e9ef958b30d35c8eaf0e1510adc2fa09..7364a2fa7d1de4be22bd86f8ca93ecf151401beb 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,7 @@ dnl Autoconfigure input file for fetchmail
 dnl Process this file with autoconf to produce a configure script.
 dnl
 
-AC_INIT([fetchmail],[6.3.9-rc1],[fetchmail-users@lists.berlios.de])
+AC_INIT([fetchmail],[6.3.9-rc2],[fetchmail-users@lists.berlios.de])
 AC_CONFIG_SRCDIR([fetchmail.h])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_LIBOBJ_DIR([.])
@@ -61,6 +61,9 @@ AC_CHECK_HEADERS([unistd.h termios.h termio.h sgtty.h stdarg.h \
        sys/itimer.h fcntl.h sys/fcntl.h memory.h sys/wait.h \
        arpa/inet.h arpa/nameser.h netinet/in.h net/socket.h netdb.h \
        sys/select.h sys/socket.h sys/time.h langinfo.h])
+if test _$ac_cv_header_stdarg_h != _yes ; then
+AC_MSG_WARN([stdarg.h is not defined. Unsupported configuration, proceed at your own risk.])
+fi
 AC_CHECK_TYPE(u_int32_t,,
        AC_DEFINE(u_int32_t,unsigned int,
                [Define to unsigned int if <sys/types.h> does not define.]),

diff --git a/fetchmail-SA-2008-01.txt b/fetchmail-SA-2008-01.txt
index 18e330e7843e42b36daae0fd410e5adda6f56826..40d2dd1afb393457548091e40c3766f9c441df71 100644 (file)
--- a/fetchmail-SA-2008-01.txt
+++ b/fetchmail-SA-2008-01.txt
@@ -6,7 +6,7 @@ fetchmail-SA-2008-01: Crash on large log messages in verbose mode
 Topics:                Crash in large log messages in verbose mode.
 
 Author:                Matthias Andree
-Version:       1.1
+Version:       1.2
 Announced:     2008-06-17
 Type:          Dereferencing garbage pointer triggered by outside circumstances
 Impact:                denial of service possible
@@ -18,12 +18,14 @@ CVE Name:   CVE-2008-2711
 URL:           http://www.fetchmail.info/fetchmail-SA-2008-01.txt
 Project URL:   http://www.fetchmail.info/
 
-Affects:       fetchmail release < 6.3.9 exclusively
+Affects:       fetchmail release before and excluding 6.3.9
+               fetchmail release candidate 6.3.9-rc1
 
 Not affected:  fetchmail release 6.3.9 and newer
-               systems without varargs (stdargs.h) support.
+               fetchmail release candidate 6.3.9-rc2 and newer
+               systems without varargs support.
 
-Corrected:     2008-06-13 fetchmail SVN (rev 5193)
+Corrected:     2008-06-24 fetchmail SVN (rev 5205)
 
 References:    <https://bugzilla.novell.com/show_bug.cgi?id=354291>
                <http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824>
@@ -36,6 +38,7 @@ References:   <https://bugzilla.novell.com/show_bug.cgi?id=354291>
                posted to oss-security)
 2008-06-17 1.0 published on http://www.fetchmail.info/
 2008-06-17 1.1 Corrected typo in Type: above (trigged -> triggered)
+2008-06-24 1.2  also fixed issue in report_complete (reported by Petr Uzel)
 
 
 1. Background
@@ -116,31 +119,38 @@ THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
 Use the information herein at your own risk.
 
 
-
 B. Patch to remedy the problem
 ==============================
 
+Note that when taking this from a GnuPG clearsigned file, the lines 
+starting with a "-" character are prefixed by another "- " (dash + 
+blank) combination. Either feed this file through GnuPG to strip them, 
+or strip them manually.
+
+Whitespace differences can usually be ignored by invoking "patch -l",
+so try this if the patch does not apply.
+
 diff --git a/report.c b/report.c
-index 31d4e48..2a731ac 100644
+index 31d4e48..320e60b 100644
 - --- a/report.c
 +++ b/report.c
 @@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
      rep_ensuresize();
-
+ 
  #if defined(VA_START)
 - -    VA_START (args, message);
      for ( ; ; )
      {
 +      /*
-+       * args has to be initialized before every call of vsnprintf(),
-+       * because vsnprintf() invokes va_arg macro and thus args is
++       * args has to be initialized before every call of vsnprintf(), 
++       * because vsnprintf() invokes va_arg macro and thus args is 
 +       * undefined after the call.
 +       */
 +      VA_START(args, message);
        n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
                       message, args);
 +      va_end (args);
-
+ 
        if (n >= 0
            && (unsigned)n < partial_message_size - partial_message_size_used)
 @@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
@@ -151,12 +161,35 @@ index 31d4e48..2a731ac 100644
  #else
      for ( ; ; )
      {
+@@ -304,12 +309,13 @@ report_complete (FILE *errfp, message, va_alist)
+     rep_ensuresize();
+ 
+ #if defined(VA_START)
+- -    VA_START (args, message);
+     for ( ; ; )
+     {
++      VA_START(args, message);
+       n = vsnprintf (partial_message + partial_message_size_used,
+                      partial_message_size - partial_message_size_used,
+                      message, args);
++      va_end(args);
+ 
+       /* old glibc versions return -1 for truncation */
+       if (n >= 0
+@@ -322,7 +328,6 @@ report_complete (FILE *errfp, message, va_alist)
+       partial_message_size += 2048;
+       partial_message = REALLOC (partial_message, partial_message_size);
+     }
+- -    va_end (args);
+ #else
+     for ( ; ; )
+     {
 
 END OF fetchmail-SA-2008-01.txt
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.5 (GNU/Linux)
 
-iD8DBQFIV7e+vmGDOQUufZURAiAUAKCG1pBXEdVJPUr4WeIZXAr01jshkwCgvfb8
-6qqG2gZonX24W58gBEQ7Pjw=
-=vwYl
+iD8DBQFIYPBuvmGDOQUufZURAuj8AJ9IbN/UMcML6NLKSI0keQzGVGzZSQCg+UCP
+tUVNigLK8Xz40J2Eg7PD8Xs=
+=HAmn
 -----END PGP SIGNATURE-----

diff --git a/report.c b/report.c
index 2a731acb91bf49fb76be0213b1557f236ac01d49..320e60be8828b062f29e6ce5cbddccc128bcf855 100644 (file)
--- a/report.c
+++ b/report.c
@@ -309,12 +309,13 @@ report_complete (FILE *errfp, message, va_alist)
     rep_ensuresize();
 
 #if defined(VA_START)
-    VA_START (args, message);
     for ( ; ; )
     {
+       VA_START(args, message);
        n = vsnprintf (partial_message + partial_message_size_used,
                       partial_message_size - partial_message_size_used,
                       message, args);
+       va_end(args);
 
        /* old glibc versions return -1 for truncation */
        if (n >= 0
@@ -327,7 +328,6 @@ report_complete (FILE *errfp, message, va_alist)
        partial_message_size += 2048;
        partial_message = REALLOC (partial_message, partial_message_size);
     }
-    va_end (args);
 #else
     for ( ; ; )
     {