Matthias Andree [Fri, 17 Jun 2011 01:11:39 +0000 (03:11 +0200)]
Fix mimedecode last-line omission.
The mimedecode feature failed to ship the last line of the body if it
was encoded as quoted-printable and had a MIME soft line break in the
very last line. Reported by Lars Hecking in June 2011.
Bug introduced on 1998-03-20 when the mimedecode support was added by
ESR before release 4.4.1 through code contributed by Henrik Storner,
in driver.c.
Workaround for older releases: do not use mimedecode feature.
John Beck [Mon, 18 Feb 2013 22:25:01 +0000 (23:25 +0100)]
Minor bug fixes for socket.c
While running a static code analysis tool (Parfait) on fetchmail, it found some
bugs:
Error: Memory leak (CWE 401)
Memory leak of pointer 'plugin_copy' allocated with malloc((plugin_copy_len + 1))
at line 137 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'parse_plugin'.
'plugin_copy' allocated at line 107 with malloc((plugin_copy_len + 1)).
plugin_copy leaks when plugin_copy_offset >= plugin_copy_len at line 114.
Error: Null pointer dereference (CWE 476)
Read from null pointer 'argvec'
at line 189 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'handle_plugin'.
Function 'parse_plugin' may return constant 'NULL' at line 137, called at line 188.
Null pointer introduced at line 137 in function 'parse_plugin'.
at line 190 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'handle_plugin'.
Function 'parse_plugin' may return constant 'NULL' at line 137, called at line 188.
Null pointer introduced at line 137 in function 'parse_plugin'.
(I realize these are on 6.3.22; I checked and verified that this portion of
the code is the same in 6.3.24.)
The attached patch fixes each of these.
(Note by Matthias Andree:
The NULL pointer dereference fix does not require error reporting,
because parse_plugin() will already have reported the out-of-memory
error that causes the NULL to be returned.)
Matthias Andree [Wed, 6 Feb 2013 21:25:42 +0000 (22:25 +0100)]
Improve X.509 certificate validation reporting.
* Improved reporting when SSL/TLS X.509 certificate validation has failed,
working around a not-so-recent swapping of two OpenSSL error codes, and
a practical impossibility to distinguish broken certification chains from
missing trust anchors (root certificates).
* OpenSSL decoded errors are now reported through report(), rather than dumped
to stderr, so that they should show up in logfiles and/or syslog.
Matthias Andree [Sun, 3 Feb 2013 14:54:58 +0000 (15:54 +0100)]
Work around systems returning obsolete EAI_NODATA.
Older systems that provide the older RFC-2553 implementation of
getaddrinfo, rather than the current RFC-3493, and systems that do not
provide this getaddrinfo() interface at all and thus use the replacement
functions from libesmtp/getaddrinfo.?, might return EAI_NODATA when a
host is registered in DNS as MX or similar, but without A or AAAA
records. Handle this situation when checking for multidrop aliases and
treat EAI_NODATA the same as EAI_NONAME, i. e. name cannot be resolved.
The proper fix, however, is to upgrade the operating system.
Matthias Andree [Sun, 23 Dec 2012 15:45:59 +0000 (16:45 +0100)]
Remove LSM-related stuff from the distribution.
IBiblio no longer accepts submissions, and considers itself an archive.
There is no point in our carrying forward any related material, if
needed for reference purposes, it can be fetched from older versions in
the Git repository.
Matthias Andree [Thu, 13 Dec 2012 22:44:37 +0000 (23:44 +0100)]
Plug a memory leak in OpenSSL's certificate verification callback.
This would affect fetchmail configurations running with SSL in daemon mode
more than one-shot runs.
Reported by Erik Thiele, and pinned by Dominik, Debian Bug #688015.
This bug was introduced into fetchmail 6.2.9 (committed 2005-10-29)
when support for subjectAltName was added through a patch by Roland
Stigge, submitted as Debian Bug#201113.
scenario: you want to remote-control fetchmail, but you don't want to write
passwords into files, so you feed fetchmail a minimal rcfile via stdin with -f
-. this by itself works fine. if you also want or need to use a --plugin (eg.
socat for socks), then things fail badly: the plugin is run without a stdin fd,
hence can't take input from fetchmail, lots of fun ensues. plugins without -f
- work fine, it's just the combination that fails.
explanation: the root cause is rcfile_y.y, line 493, which closes whatever fd
carried the rcfile. with -f - this closes fetchmail's stdin - and so far that's
unproblematic. however, in socket.c lines 166ff things go wrong: fetchmail
sets up the plugin with a socketpair, which will likely include the first
unused fd - and fd zero is now indeed unused. in line 180ff a dup2 replumbing
from "that fd" (=zero) to zero is performed - and then "that fd" is closed.
and hey presto, we've got no fd zero = stdin for the plugin.
solution: the simplest solution (patch attached) is to make the fclose of the
rcfile conditional, ie. don't close if it's stdin. in the long run the
dup2+close code might be made more robust by not doing a dup2+close if fd[0] is
already 0 or 1.
Older implementations of OpenSSL do not support SSL_CTX_clear_options().
This patch reworks the previous change to avoid the use of
SL_CTX_clear_options() and instead clears the corresponding bit in
SSL_OP_ALL before calling SSL_CTX_set_options().
Matthias Andree [Fri, 17 Aug 2012 16:15:02 +0000 (18:15 +0200)]
Fix installation when PYTHON is enabled.
The Python-related Makefile.am parts were simplified to avoid an
automake 1.11.X bug around noinst_PYTHON, Automake Bug #10995.
http://lists.gnu.org/archive/html/automake-patches/2012-03/txtbYNp7SPawU.txt
Matthias Andree [Wed, 15 Aug 2012 21:41:03 +0000 (23:41 +0200)]
GSSAPI build fix.
The GSSAPI-related autoconf code now matches gssapi.c better, and uses
a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
This fixes the GSSAPI-enabled build on NetBSD 6 Beta.
Matthias Andree [Mon, 13 Aug 2012 18:48:12 +0000 (20:48 +0200)]
Fix crash: Handle invalid base64 in NTLM challenge.
Some servers, for instance the MS Exchange servers deployed by the
US-American National Aeronautics and Space Administration (NASA),
aborted the NTLM protocol exchange after receiving the initial request.
Fetchmail did not detect that there was an error message, rather than
NTLM protocol exchange, and caught a segmentation fault while reading
from a bad location.
Detect base64 decoding errors, and return PS_AUTHFAIL in this case.
Matthias Andree [Tue, 25 Oct 2011 22:30:32 +0000 (00:30 +0200)]
Fix build on SSLv2-disabled OpenSSL setups
On systems where SSLv2_client_method isn't defined in OpenSSL (such as newer
Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't reference it (to
fix the build) and print a run-time error that the OS does not support SSLv2.
Fixes Debian Bug #622054, but note that that bug report has a more thorough
patch that does away with SSLv2 altogether.