Critical fix: don't embed NUL in unterminated last IMAP line.

Found by Antoine Levitt.

diff --git a/NEWS b/NEWS
index e41a5682ea594f7baecdf6522c89edea9685f2ef..54d8c0ba20a7f35a5ab3030e8e6458d27b414393 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -56,6 +56,18 @@ removed from a 6.4.0 or newer release.)
 
 --------------------------------------------------------------------------------
 
+fetchmail-6.3.21 (not yet released):
+
+# CRITICAL BUG FIX
+* The IMAP client no longer inserts NUL bytes into the last line of a message
+  when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt.
+  As a side effect of the fix, and in order to avoid a full rewrite, fetchmail
+  will now CRLF-terminate the last line fetched through IMAP, even if it is
+  originally not terminated by LF or CRLF. This bears no relevance if your
+  messages end up in mbox, but adds line termination for storages (like Maildir)
+  that do not require that the last line be LF- or CRLF-terminated.
+
+
 fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):
 
 # SECURITY BUG FIXES

diff --git a/transact.c b/transact.c
index d1e4f6a9588ea791d7dc65343d529f8e46c235e2..ec8013a516f03d1f66f83bf4af37a65e25ce0708 100644 (file)
--- a/transact.c
+++ b/transact.c
@@ -1435,7 +1435,15 @@ int readbody(int sock, struct query *ctl, flag forward, int len)
         * so we might end truncating messages prematurely.
         */
        if (!protocol->delimited && linelen > len) {
+           /* FIXME: HACK ALERT! This \r\n is only here to make sure the
+            * \n\0 hunt works later on. The \n generated here was not
+            * part of the original message!
+            * The real fix will be to use buffer + length strings,
+            * rather than 0-terminated C strings. */
+           inbufp[len++] = '\r';
+           inbufp[len++] = '\n';
            inbufp[len] = '\0';
+           linelen = len;
        }
 
        len -= linelen;