Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], Laszlo Boszormenyi (GCS) <[email protected]>, Matthias Andree <[email protected]>, [email protected]
Control: affects -1 + src:fetchmail
User: [email protected]
Usertags: pu
Dear Stable release managers, Laszlo, (CC upstream)

The time is a bit tight now given the window is closing this weekend for uploads for the next trixie point release. I was looking at which minor CVE fixes are open, and noticed that we have CVE-2025-61962 which might be low enough to still get in, but I would like to have an ack from Laszlo, otherwise a later point release is I guess fine.

[ Reason ]
fetchmail is prone to an SMTP client crash when authenticating against a trusted but malicious or malfunctioning SMTP server. Details in https://www.fetchmail.info/fetchmail-SA-2025-01.txt

This is CVE-2025-61962 and in the Debian BTS tracked as #1117136.

[ Impact ]
fetchmail crash.

[ Tests ]
None in particular for this issue itself (as I have no setup available making use of it). Laszlo?

I have uploaded the proposed package to debusine for further testing: https://debusine.debian.net/debian/developers/work-request/229521/

[ Risks ]
Pick the upstream changes which are isolated for the changes in smtp.c.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Check for malformed replies from the SMTP server, i.e. check in this case the "334" responses not followed by the mandated blank after the response code.

Regards,
Salvatore
diff -Nru fetchmail-6.4.39/debian/changelog fetchmail-6.4.39/debian/changelog --- fetchmail-6.4.39/debian/changelog 2024-07-24 09:08:58.000000000 +0200 +++ fetchmail-6.4.39/debian/changelog 2025-11-08 14:51:41.000000000 +0100 @@ -1,3 +1,11 @@ +fetchmail (6.4.39-1+deb13u1) trixie; urgency=medium + + * Non-maintainer upload. + * Security fix: avoid NULL+1 deref on invalid AUTH reply (CVE-2025-61962) + (Closes: #1117136) + + -- Salvatore Bonaccorso <[email protected]> Sat, 08 Nov 2025 14:51:41 +0100 + fetchmail (6.4.39-1) unstable; urgency=medium * New upstream release. diff -Nru fetchmail-6.4.39/debian/patches/09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch fetchmail-6.4.39/debian/patches/09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch --- fetchmail-6.4.39/debian/patches/09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch 1970-01-01 01:00:00.000000000 +0100 +++ fetchmail-6.4.39/debian/patches/09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch 2025-11-08 14:50:14.000000000 +0100 
@@ -0,0 +1,46 @@ +From: Matthias Andree <[email protected]> +Date: Fri, 3 Oct 2025 13:11:59 +0200 +Subject: Security fix: avoid NULL+1 deref on invalid AUTH reply +Origin: https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8 +Bug-Debian: https://bugs.debian.org/1117136 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-61962 + +When fetchmail receives a 334 reply from the SMTP server +that does not contain the mandated blank after that response +code, it will attempt reading from memory location 1, which +will usually lead to a crash. + +The simpler fix would have been to check for four bytes "334 " +instead of three bytes "334" but that would make malformed +replies and those that don't match the expected reply code +indistinguishable. +--- + smtp.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/smtp.c ++++ b/smtp.c +@@ -92,6 +92,11 @@ static void SMTP_auth(int sock, char smt + } + + p = strchr(tmp, ' '); ++ if (!p) { ++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp)); ++ SMTP_auth_error(sock, ""); ++ return; ++ } + p++; + /* (hmh) from64tobits will not NULL-terminate strings! */ + if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) { +@@ -145,6 +150,11 @@ static void SMTP_auth(int sock, char smt + } + + p = strchr(tmp, ' '); ++ if (!p) { ++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp)); ++ SMTP_auth_error(sock, ""); ++ return; ++ } + p++; + if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) { + SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n")); diff -Nru fetchmail-6.4.39/debian/patches/series fetchmail-6.4.39/debian/patches/series --- fetchmail-6.4.39/debian/patches/series 2023-01-10 03:29:55.000000000 +0100 +++ fetchmail-6.4.39/debian/patches/series 2025-11-08 14:48:49.000000000 +0100 
@@ -2,3 +2,4 @@ 04_invoke-rc.d.diff 07_properly_report_size_of_mailboxes.patch 08_remove_forced_OpenSSL_check.patch +09_Security-fix-avoid-NULL-1-deref-on-invalid-AUTH-repl.patch
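Review bot: In the first smtp.c hunk (@@ -92,6 +92,11 @@), the new malformed-reply path writes its message to stderr with `report(stderr, ...)` and then calls `SMTP_auth_error(sock, "")` with an empty string, while the existing error path a few lines below passes its text through `SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n"))` instead. The check itself is right, and sits before `p++`, so the NULL+1 read named in the subject cannot happen any more; consider either following the same convention as the base64 path or adding a one-line comment on why this path reports separately, so the two error paths in `SMTP_auth` read consistently side by side.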
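Review bot: The second smtp.c hunk (@@ -145,6 +150,11 @@) repeats the five-line block from the first hunk verbatim (`if (!p) { report(...); SMTP_auth_error(sock, ""); return; }`); a small static helper taking `sock` and `tmp` and returning whether the reply was well-formed would keep the two `strchr(tmp, ' ')` sites in `SMTP_auth` from drifting apart in later fixes. For a stable update that cherry-picks the upstream commit named in the Origin header unchanged, keeping the duplication is reasonable, but it is worth raising upstream as a follow-up.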

