From mandree@FreeBSD.org  Wed Aug 29 22:59:20 2012
Message-Id: <E1T6rDr-000DZ8-Lo@apollo.emma.line.org>
Date: Thu, 30 Aug 2012 00:58:55 +0200
From: Matthias Andree <mandree@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: chalpin@cs.wisc.edu
Subject: [PATCH] mail/fetchmail: security update to 6.3.22
X-Send-Pr-Version: 3.113
X-GNATS-Notify: chalpin@cs.wisc.edu

>Number:         171177
>Category:       ports
>Synopsis:       [PATCH] mail/fetchmail: security update to 6.3.22
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    mandree
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 29 23:00:17 UTC 2012
>Closed-Date:    Thu Aug 30 06:40:28 UTC 2012
>Last-Modified:  Thu Aug 30 06:40:28 UTC 2012
>Originator:     Matthias Andree
>Release:        FreeBSD 9.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD apollo.emma.line.org 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #4: Wed Aug 29 22:15:30 CEST 2012
>Description:
- Update to 6.3.22

Removed file(s):
- files/patch-CVE-2012-3482

Port maintainer (chalpin@cs.wisc.edu) is cc'd.

Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports)
>How-To-Repeat:
>Fix:

--- fetchmail-6.3.22.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/Makefile ./Makefile
--- /usr/ports/mail/fetchmail/Makefile	2012-08-27 19:44:23.000000000 +0200
+++ ./Makefile	2012-08-30 00:39:39.000000000 +0200
@@ -2,7 +2,7 @@
 # Date created:		25 Feb 2000
 # Whom:			Ville Eerola <ve@sci.fi>
 #
-# $FreeBSD: ports/mail/fetchmail/Makefile,v 1.222 2012/08/27 17:44:23 mandree Exp $
+# $FreeBSD: head/mail/fetchmail/Makefile 303238 2012-08-27 17:44:23Z mandree $
 #
 # NOTE:  The fetchmailconf program (an interactive program for
 # writing .fetchmailrc files) requires Python, Tk, X11, etc..
@@ -11,8 +11,7 @@
 # want fetchmailconf to work, define the X11 option.
 
 PORTNAME=	fetchmail
-PORTVERSION=	6.3.21
-PORTREVISION=	1
+PORTVERSION=	6.3.22
 CATEGORIES=	mail ipv6
 MASTER_SITES=	BERLIOS/${PORTNAME}/ \
 		SF/${PORTNAME}/branch_6.3/ \
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/distinfo ./distinfo
--- /usr/ports/mail/fetchmail/distinfo	2012-02-25 00:56:18.000000000 +0100
+++ ./distinfo	2012-08-30 00:39:42.000000000 +0200
@@ -1,2 +1,2 @@
-SHA256 (fetchmail-6.3.21.tar.xz) = dc1b92666df7bc4d6be3e66654e9894bcaa76527ea99183deabd9e11486e0f82
-SIZE (fetchmail-6.3.21.tar.xz) = 1254704
+SHA256 (fetchmail-6.3.22.tar.xz) = 9ab51a851f79e16258f068e791c39e3e378a99927f70c9635132f4295d70b1a4
+SIZE (fetchmail-6.3.22.tar.xz) = 1260296
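Review bot: The new SHA256 and SIZE values on the two "+" lines are the only integrity anchor this port has for the 6.3.22 tarball, and the PR does not say what they were checked against. Since MASTER_SITES lists more than one mirror, please note in the PR that the digest was compared with a value obtained independently of the download itself (the upstream release announcement, or a signature on the tarball if upstream publishes one), rather than only regenerated from whatever file was fetched.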
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/fetchmail.in ./files/fetchmail.in
--- /usr/ports/mail/fetchmail/files/fetchmail.in	2012-01-14 09:55:56.000000000 +0100
+++ ./files/fetchmail.in	2012-07-17 03:36:34.000000000 +0200
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: ports/mail/fetchmail/files/fetchmail.in,v 1.11 2012/01/14 08:55:56 dougb Exp $
+# $FreeBSD$
 #
 
 # PROVIDE: fetchmail
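Review bot: The only change in this hunk is the ident comment, where the expanded "$FreeBSD: ... $" string becomes a bare "$FreeBSD$"; the files/fetchmailconf hunk and the first pkg-plist hunk do the same. That is unrelated to the 6.3.22 update and is best left out of the submitted diff, so the security-relevant changes (Makefile, distinfo, removal of files/patch-CVE-2012-3482) are easy to pick out. The committed r303362 lists only Makefile, distinfo and pkg-plist as modified, so the files/ hunks were not needed for the update.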
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/fetchmailconf ./files/fetchmailconf
--- /usr/ports/mail/fetchmail/files/fetchmailconf	2005-12-06 22:07:19.000000000 +0100
+++ ./files/fetchmailconf	2012-07-17 03:36:34.000000000 +0200
@@ -3,7 +3,7 @@
 # Wrapper for the real fetchmailconf.  Checks whether Python and Tkinter are
 # installed, and runs the real fetchmailconf or alerts the user, as appropriate.
 #
-# $FreeBSD: ports/mail/fetchmail/files/fetchmailconf,v 1.7 2005/12/06 21:07:19 barner Exp $
+# $FreeBSD$
 
 LOCALBASE=@LOCALBASE@
 
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/files/patch-CVE-2012-3482 ./files/patch-CVE-2012-3482
--- /usr/ports/mail/fetchmail/files/patch-CVE-2012-3482	2012-08-27 19:44:23.000000000 +0200
+++ ./files/patch-CVE-2012-3482	1970-01-01 01:00:00.000000000 +0100
@@ -1,53 +0,0 @@
-diff --git a/ntlm.h b/ntlm.h
-index 1469633..ad83520 100644
---- a/ntlm.h
-+++ b/ntlm.h
-@@ -32,8 +32,8 @@ uint32        msgType;
- tSmbStrHeader    uDomain;
- uint32        flags;
- uint8         challengeData[8];
--uint8         reserved[8];
--tSmbStrHeader    emptyString;
-+uint32        context[2];
-+tSmbStrHeader    targetInfo;
- uint8         buffer[1024];
- uint32        bufIndex;
- }tSmbNtlmAuthChallenge;
-diff --git a/ntlmsubr.c b/ntlmsubr.c
-index f9d2733..63cbed8 100644
---- a/ntlmsubr.c
-+++ b/ntlmsubr.c
-@@ -55,7 +55,32 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto)
-     if ((result = gen_recv(sock, msgbuf, sizeof msgbuf)))
- 	goto cancelfail;
- 
--    (void)from64tobits (&challenge, msgbuf, sizeof(challenge));
-+    if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0
-+	    || result < ((void *)&challenge.context - (void *)&challenge))
-+    {
-+	report (stderr, GT_("could not decode BASE64 challenge\n"));
-+	/* We do not goto cancelfail; the server has already sent the
-+	 * tagged reply, so the protocol exchange has ended, no need
-+	 * for us to send the asterisk. */
-+	return PS_AUTHFAIL;
-+    }
-+
-+    /* validate challenge:
-+     * - ident
-+     * - message type
-+     * - that offset points into buffer
-+     * - that offset + length does not wrap
-+     * - that offset + length is not bigger than buffer */
-+    if (0 != memcmp("NTLMSSP", challenge.ident, 8)
-+	    || challenge.msgType != 2
-+	    || challenge.uDomain.offset > result
-+	    || challenge.uDomain.offset + challenge.uDomain.len < challenge.uDomain.offset
-+	    || challenge.uDomain.offset + challenge.uDomain.len > result)
-+    {
-+	report (stderr, GT_("NTLM challenge contains invalid data.\n"));
-+	result = PS_AUTHFAIL;
-+	goto cancelfail;
-+    }
- 
-     if (outlevel >= O_DEBUG)
- 	dumpSmbNtlmAuthChallenge(stdout, &challenge);
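Review bot: Deleting files/patch-CVE-2012-3482 drops the port's local validation of the NTLM challenge (the from64tobits return-value test and the uDomain offset/len bounds test against result), yet the Description only lists the file under "Removed file(s)" without giving the reason. Please state in the PR that the 6.3.22 distfile already carries this fix, so a reader can see the validation is not lost with the update. Two things are worth confirming against the upstream source while doing that: the minimum-length test uses (void *)&challenge.context - (void *)&challenge, which relies on arithmetic on void pointers (a compiler extension; offsetof expresses the same thing portably), and only uDomain is bounds-checked here although the ntlm.h part of the same patch introduces a targetInfo header, so it should be verified that targetInfo is either validated or never dereferenced.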
diff -ruN --exclude=CVS /usr/ports/mail/fetchmail/pkg-plist ./pkg-plist
--- /usr/ports/mail/fetchmail/pkg-plist	2011-07-09 12:07:49.000000000 +0200
+++ ./pkg-plist	2012-08-30 00:41:12.000000000 +0200
@@ -1,4 +1,4 @@
-@comment $FreeBSD: ports/mail/fetchmail/pkg-plist,v 1.30 2011/07/09 10:07:49 crees Exp $
+@comment $FreeBSD$
 bin/fetchmail
 bin/fetchmailconf
 libexec/fetchmailconf.py
@@ -33,6 +33,7 @@
 %%NLS%%share/locale/ru/LC_MESSAGES/fetchmail.mo
 %%NLS%%share/locale/sk/LC_MESSAGES/fetchmail.mo
 %%NLS%%share/locale/sq/LC_MESSAGES/fetchmail.mo
+%%NLS%%share/locale/sv/LC_MESSAGES/fetchmail.mo
 %%NLS%%share/locale/tr/LC_MESSAGES/fetchmail.mo
 %%NLS%%share/locale/vi/LC_MESSAGES/fetchmail.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/fetchmail.mo
--- fetchmail-6.3.22.patch ends here ---

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->mandree 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Wed Aug 29 23:01:07 UTC 2012 
Responsible-Changed-Why:  
Submitter has GNATS access (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171177 
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Wed Aug 29 23:01:12 UTC 2012 
State-Changed-Why:  
Awaiting maintainers feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171177 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: chalpin@cs.wisc.edu
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/171177: [PATCH] mail/fetchmail: security update to 6.3.22
Date: Wed, 29 Aug 2012 23:01:10 UT

 Maintainer of mail/fetchmail,
 
 Please note that PR ports/171177 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171177
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org

From: Corey Halpin <chalpin@cs.wisc.edu>
To: bug-followup@FreeBSD.ORG
Cc:  
Subject: Re: ports/171177: [PATCH] mail/fetchmail: security update to 6.3.22
Date: Wed, 29 Aug 2012 20:01:51 -0500

 
   Approve.
 
 On 2012-08-29, Edwin Groothuis wrote:
 > Maintainer of mail/fetchmail,
 >
 > Please note that PR ports/171177 has just been submitted.
 >
 > If it contains a patch for an upgrade, an enhancement or a bug fix
 > you agree on, reply to this email stating that you approve the patch
 > and a committer will take care of it.
 >
 > The full text of the PR can be found at:
 >     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171177
 >
 > --
 > Edwin Groothuis via the GNATS Auto Assign Tool
 > edwin@FreeBSD.org
 >
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/171177: commit references a PR
Date: Thu, 30 Aug 2012 06:24:59 +0000 (UTC)

 Author: mandree
 Date: Thu Aug 30 06:24:48 2012
 New Revision: 303362
 URL: http://svn.freebsd.org/changeset/ports/303362
 
 Log:
   Update to upstream release fetchmail 6.3.22.
   
   Fixes CVE-2011-3389 (reenabling a countermeasure against
   chosen-plaintext attacks against block cipher initialization)
   
   Fixes CVE-2012-3482 (vulnerabilities in NTLM authentication; already
   fixed in FreeBSD's port 6.3.21_1)
   
   Assorted other fixes and workarounds.
   
   Adds a Swedish translation.
   
   Release Notes:	http://developer.berlios.de/project/shownotes.php?release_id=19117
   
   PR:		171177
   Approved by:	Corey Halpin (maintainer)
   Security:	CVE-2012-3482
   Security:	http://www.vuxml.org/freebsd/83f9e943-e664-11e1-a66d-080027ef73ec.html
   Security:	CVE-2011-3389
   Security:	http://www.vuxml.org/freebsd/18ce9a90-f269-11e1-be53-080027ef73ec.html
 
 Deleted:
   head/mail/fetchmail/files/patch-CVE-2012-3482
 Modified:
   head/mail/fetchmail/Makefile
   head/mail/fetchmail/distinfo   (contents, props changed)
   head/mail/fetchmail/pkg-plist   (contents, props changed)
 
 Modified: head/mail/fetchmail/Makefile
 ==============================================================================
 --- head/mail/fetchmail/Makefile	Thu Aug 30 06:23:21 2012	(r303361)
 +++ head/mail/fetchmail/Makefile	Thu Aug 30 06:24:48 2012	(r303362)
 @@ -11,8 +11,7 @@
  # want fetchmailconf to work, define the X11 option.
  
  PORTNAME=	fetchmail
 -PORTVERSION=	6.3.21
 -PORTREVISION=	1
 +PORTVERSION=	6.3.22
  CATEGORIES=	mail ipv6
  MASTER_SITES=	BERLIOS/${PORTNAME}/ \
  		SF/${PORTNAME}/branch_6.3/ \
 
 Modified: head/mail/fetchmail/distinfo
 ==============================================================================
 --- head/mail/fetchmail/distinfo	Thu Aug 30 06:23:21 2012	(r303361)
 +++ head/mail/fetchmail/distinfo	Thu Aug 30 06:24:48 2012	(r303362)
 @@ -1,2 +1,2 @@
 -SHA256 (fetchmail-6.3.21.tar.xz) = dc1b92666df7bc4d6be3e66654e9894bcaa76527ea99183deabd9e11486e0f82
 -SIZE (fetchmail-6.3.21.tar.xz) = 1254704
 +SHA256 (fetchmail-6.3.22.tar.xz) = 9ab51a851f79e16258f068e791c39e3e378a99927f70c9635132f4295d70b1a4
 +SIZE (fetchmail-6.3.22.tar.xz) = 1260296
 
 Modified: head/mail/fetchmail/pkg-plist
 ==============================================================================
 --- head/mail/fetchmail/pkg-plist	Thu Aug 30 06:23:21 2012	(r303361)
 +++ head/mail/fetchmail/pkg-plist	Thu Aug 30 06:24:48 2012	(r303362)
 @@ -33,6 +33,7 @@ libexec/fetchmailconf.py
  %%NLS%%share/locale/ru/LC_MESSAGES/fetchmail.mo
  %%NLS%%share/locale/sk/LC_MESSAGES/fetchmail.mo
  %%NLS%%share/locale/sq/LC_MESSAGES/fetchmail.mo
 +%%NLS%%share/locale/sv/LC_MESSAGES/fetchmail.mo
  %%NLS%%share/locale/tr/LC_MESSAGES/fetchmail.mo
  %%NLS%%share/locale/vi/LC_MESSAGES/fetchmail.mo
  %%NLS%%share/locale/zh_CN/LC_MESSAGES/fetchmail.mo
 
State-Changed-From-To: feedback->closed 
State-Changed-By: mandree 
State-Changed-When: Thu Aug 30 06:40:27 UTC 2012 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171177 
>Unformatted:
