mail/libetpan 6.1 backport


mail/libetpan 6.1 backport

Paul Irofti-4
Along with the openvpn backport that jca committed, I also backported
and tested mail/libetpan. OK?


Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/libetpan/Makefile,v
retrieving revision 1.25
diff -u -p -r1.25 Makefile
--- Makefile 11 Nov 2016 12:07:00 -0000 1.25
+++ Makefile 15 May 2017 14:57:45 -0000
@@ -1,14 +1,13 @@
-# $OpenBSD: Makefile,v 1.25 2016/11/11 12:07:00 danj Exp $
+# $OpenBSD: Makefile,v 1.27 2017/05/11 00:35:09 danj Exp $
 
 COMMENT= mail purpose library
 
 GH_ACCOUNT= dinhviethoa
 GH_PROJECT= libetpan
-GH_TAGNAME= 1.7.2
+GH_TAGNAME= 1.8
 CATEGORIES= mail devel
-REVISION= 2
 
-SHARED_LIBS= etpan 17.0 # 20.0
+SHARED_LIBS= etpan 18.0 # 21.0
 
 HOMEPAGE= http://www.etpan.org/libetpan.html
 
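Review bot: the SHARED_LIBS change from `etpan 17.0` to `etpan 18.0` is a library major bump, which on a -stable branch forces every package that links against libetpan to be rebuilt and reinstalled; if what 1.8 brings that matters for -stable is the CVE-2017-8825 fix, keep `GH_TAGNAME= 1.7.2` and `SHARED_LIBS= etpan 17.0`, bump REVISION instead, and carry the fix as a file under patches/. Also, the hand-edited `$OpenBSD: Makefile,v 1.27 ...$` line is noise in a diff, since CVS rewrites that keyword on commit.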
@@ -17,7 +16,7 @@ MAINTAINER= Daniel Jakots <[hidden email]
 # BSD
 PERMIT_PACKAGE_CDROM= Yes
 
-WANTLIB += crypto curl expat iconv m nghttp2 pthread sasl2 ssl stdc++ z
+WANTLIB += crypto curl expat iconv m nghttp2 pthread sasl2 ssl ${LIBCXX} z
 
 AUTOCONF_VERSION= 2.69
 AUTOMAKE_VERSION= 1.15
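Review bot: the WANTLIB change swaps `stdc++` for `${LIBCXX}`, a ports-infrastructure variable that the 6.1 -stable tree does not define (as noted in the reply in this thread); an undefined make variable expands to the empty string, so the C++ runtime would silently drop out of WANTLIB and the library dependency check would no longer cover it. Keep `stdc++` in WANTLIB for the backport.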
Index: distinfo
===================================================================
RCS file: /cvs/ports/mail/libetpan/distinfo,v
retrieving revision 1.9
diff -u -p -r1.9 distinfo
--- distinfo 28 Jun 2016 16:28:13 -0000 1.9
+++ distinfo 15 May 2017 14:57:45 -0000
@@ -1,2 +1,2 @@
-SHA256 (libetpan-1.7.2.tar.gz) = MnlygqQg8xdPSmeVSOIPortKy0BLgn1iwvRNPeTrMSA=
-SIZE (libetpan-1.7.2.tar.gz) = 6186628
+SHA256 (libetpan-1.8.tar.gz) = TmentKutzzzBb6FuFiGmjlTUidrf2afR+WDBculTtus=
+SIZE (libetpan-1.8.tar.gz) = 6188927
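Review bot: this distinfo change only belongs with the `GH_TAGNAME= 1.8` change in the Makefile hunk; if the backport stays on 1.7.2 this file must be left untouched, because the existing SHA256 and SIZE lines are what the fetch of libetpan-1.7.2.tar.gz is verified against. If the version bump is kept, regenerate the lines with `make makesum` from the tarball actually fetched rather than copying them across branches, and confirm `make checksum` passes.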

Re: mail/libetpan 6.1 backport

Jérémie Courrèges-Anglas-4
Paul Irofti <[hidden email]> writes:

> Along with the openvpn backport that jca committed, I also backported
> and tested mail/libetpan. OK?

The problem is that the diff below bumps the lib major version.
For -stable it is better to avoid this as much as we can, since it means
that users have to rebuild all the packages that depend on libetpan
(updating libetpan isn't enough if consumer ports don't use the new
lib).

https://github.com/dinhviethoa/libetpan/releases/tag/1.8 says
CVE-2017-8825.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8825 points at
https://github.com/dinhviethoa/libetpan/issues/274 and
https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d

Probably a fix can be pushed to -stable without changing the lib version
at all.

Also,

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/mail/libetpan/Makefile,v
> retrieving revision 1.25
> diff -u -p -r1.25 Makefile
> --- Makefile 11 Nov 2016 12:07:00 -0000 1.25
> +++ Makefile 15 May 2017 14:57:45 -0000
> @@ -1,14 +1,13 @@
> -# $OpenBSD: Makefile,v 1.25 2016/11/11 12:07:00 danj Exp $
> +# $OpenBSD: Makefile,v 1.27 2017/05/11 00:35:09 danj Exp $
>  
>  COMMENT= mail purpose library
>  
>  GH_ACCOUNT= dinhviethoa
>  GH_PROJECT= libetpan
> -GH_TAGNAME= 1.7.2
> +GH_TAGNAME= 1.8
>  CATEGORIES= mail devel
> -REVISION= 2
>  
> -SHARED_LIBS= etpan 17.0 # 20.0
> +SHARED_LIBS= etpan 18.0 # 21.0
>  
>  HOMEPAGE= http://www.etpan.org/libetpan.html
>  
> @@ -17,7 +16,7 @@ MAINTAINER= Daniel Jakots <[hidden email]
>  # BSD
>  PERMIT_PACKAGE_CDROM= Yes
>  
> -WANTLIB += crypto curl expat iconv m nghttp2 pthread sasl2 ssl stdc++ z
> +WANTLIB += crypto curl expat iconv m nghttp2 pthread sasl2 ssl ${LIBCXX} z

afaict, there is no ${LIBCXX} support in -stable.

>  
>  AUTOCONF_VERSION= 2.69
>  AUTOMAKE_VERSION= 1.15
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/mail/libetpan/distinfo,v
> retrieving revision 1.9
> diff -u -p -r1.9 distinfo
> --- distinfo 28 Jun 2016 16:28:13 -0000 1.9
> +++ distinfo 15 May 2017 14:57:45 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (libetpan-1.7.2.tar.gz) = MnlygqQg8xdPSmeVSOIPortKy0BLgn1iwvRNPeTrMSA=
> -SIZE (libetpan-1.7.2.tar.gz) = 6186628
> +SHA256 (libetpan-1.8.tar.gz) = TmentKutzzzBb6FuFiGmjlTUidrf2afR+WDBculTtus=
> +SIZE (libetpan-1.8.tar.gz) = 6188927
>

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
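As an added example (not libetpan code and not from this thread), the C below models the bug class behind the CVE-2017-8825 fix referenced above with a toy group-address parser: in its unfixed mode an empty group such as `undisclosed-recipients:;` leaves the member list NULL, and a consumer that walks the members dereferences it; in fixed mode the parser allocates an empty list instead, the same shape as allocating a fresh clist and wrapping it in a mailbox list. All type and function names here are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical types standing in for libetpan's clist / mailimf_group. */
typedef struct { char **items; size_t count; } list_t;
typedef struct { char *display_name; list_t *mailboxes; } group_t;

static list_t *list_new(void) { return calloc(1, sizeof(list_t)); }
/* Copy [b, e) with surrounding spaces trimmed (toy: allocation failure not handled). */
static char *dup_range(const char *b, const char *e) {
    while (b < e && *b == ' ') b++;
    while (e > b && e[-1] == ' ') e--;
    char *s = malloc((size_t)(e - b) + 1);
    memcpy(s, b, (size_t)(e - b));
    s[e - b] = '\0';
    return s;
}

static void list_add(list_t *l, char *item) {
    l->items = realloc(l->items, (l->count + 1) * sizeof *l->items);
    l->items[l->count++] = item;
}
/* Parse "display-name: mbox, mbox;". fixed == 0 reproduces the CVE-2017-8825 shape
   (an empty group leaves mailboxes NULL); fixed != 0 allocates an empty list, as the
   backported patch does with clist_new() / mailimf_mailbox_list_new(). */
static group_t *parse_group(const char *s, int fixed) {
    const char *colon = strchr(s, ':');
    const char *semi = colon ? strchr(colon, ';') : NULL;
    if (colon == NULL || semi == NULL) return NULL;   /* not a group at all */
    group_t *g = calloc(1, sizeof *g);
    g->display_name = dup_range(s, colon);
    const char *p = colon + 1;
    while (p < semi && *p == ' ') p++;
    if (p == semi) {                       /* e.g. "undisclosed-recipients:;" */
        g->mailboxes = fixed ? list_new() : NULL;
        return g;
    }
    g->mailboxes = list_new();
    while (p < semi) {
        const char *end = memchr(p, ',', (size_t)(semi - p));
        if (end == NULL) end = semi;
        list_add(g->mailboxes, dup_range(p, end));
        p = end + 1;
    }
    return g;
}

/* Consumer that trusts the parser: on the unfixed parser an empty group makes this dereference NULL. */
static size_t recipient_count(const group_t *g) { return g->mailboxes->count; }
```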

Re: mail/libetpan 6.1 backport

Paul Irofti-4
Right, so how about this?

Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/libetpan/Makefile,v
retrieving revision 1.25
diff -u -p -u -p -r1.25 Makefile
--- Makefile 11 Nov 2016 12:07:00 -0000 1.25
+++ Makefile 16 May 2017 16:31:12 -0000
@@ -6,7 +6,7 @@ GH_ACCOUNT= dinhviethoa
 GH_PROJECT= libetpan
 GH_TAGNAME= 1.7.2
 CATEGORIES= mail devel
-REVISION= 2
+REVISION= 3
 
 SHARED_LIBS= etpan 17.0 # 20.0
 
Index: patches/patch-src_low-level_imf_mailimf_c
===================================================================
RCS file: patches/patch-src_low-level_imf_mailimf_c
diff -N patches/patch-src_low-level_imf_mailimf_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_low-level_imf_mailimf_c 16 May 2017 16:31:12 -0000
@@ -0,0 +1,32 @@
+$OpenBSD$
+
+Fix CVE-2017-8825 null dereference vulnerability in MIME handling
+
+--- src/low-level/imf/mailimf.c.orig Thu May 26 08:27:47 2016
++++ src/low-level/imf/mailimf.c Tue May 16 19:17:24 2017
+@@ -3083,6 +3083,7 @@ static int mailimf_group_parse(const char * message, s
+   struct mailimf_group * group;
+   int r;
+   int res;
++  clist * list;
+
+   cur_token = * indx;
+
+@@ -3108,6 +3109,17 @@ static int mailimf_group_parse(const char * message, s
+     r = mailimf_cfws_parse(message, length, &cur_token);
+     if ((r != MAILIMF_NO_ERROR) && (r != MAILIMF_ERROR_PARSE)) {
+       res = r;
++      goto free_display_name;
++    }
++    list = clist_new();
++    if (list == NULL) {
++      res = MAILIMF_ERROR_MEMORY;
++      goto free_display_name;
++    }
++    mailbox_list = mailimf_mailbox_list_new(list);
++    if (mailbox_list == NULL) {
++      res = MAILIMF_ERROR_MEMORY;
++      clist_free(list);
+       goto free_display_name;
+     }
+     break;
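Review bot: the description line `Fix CVE-2017-8825 null dereference vulnerability in MIME handling` does not match the code being patched: both nested hunks are in `mailimf_group_parse` in src/low-level/imf/mailimf.c, the IMF (message header) group-address parser, not MIME handling; say so, and cite the upstream fix (https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d, as given earlier in this thread) in the header so the next backporter can diff against it. On the logic: the added block gives this branch a `mailbox_list` built on a fresh `clist` before `break`, where previously the variable stayed unset, which is the NULL dereference the header describes; the error path correctly releases `list` when `mailimf_mailbox_list_new` fails, but once it succeeds ownership of `list` has passed to `mailbox_list`, and the `free_display_name` cleanup below this hunk is not shown, so confirm that the later failure paths free `mailbox_list` rather than leaking it.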

Re: mail/libetpan 6.1 backport

Daniel Jakots-3
On Tue, 16 May 2017 19:32:39 +0300, Paul Irofti <[hidden email]> wrote:

> Right, so how about this?

I think it's better that way. Thanks for taking care of it. ok danj@

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/mail/libetpan/Makefile,v
> retrieving revision 1.25
> diff -u -p -u -p -r1.25 Makefile
> --- Makefile 11 Nov 2016 12:07:00 -0000 1.25
> +++ Makefile 16 May 2017 16:31:12 -0000
> @@ -6,7 +6,7 @@ GH_ACCOUNT= dinhviethoa
>  GH_PROJECT= libetpan
>  GH_TAGNAME= 1.7.2
>  CATEGORIES= mail devel
> -REVISION= 2
> +REVISION= 3
>  
>  SHARED_LIBS= etpan 17.0 # 20.0
>  
> Index: patches/patch-src_low-level_imf_mailimf_c
> ===================================================================
> RCS file: patches/patch-src_low-level_imf_mailimf_c
> diff -N patches/patch-src_low-level_imf_mailimf_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_low-level_imf_mailimf_c 16 May 2017
> 16:31:12 -0000 @@ -0,0 +1,32 @@
> +$OpenBSD$
> +
> +Fix CVE-2017-8825 null dereference vulnerability in MIME handling
> +
> +--- src/low-level/imf/mailimf.c.orig Thu May 26 08:27:47 2016
> ++++ src/low-level/imf/mailimf.c Tue May 16 19:17:24 2017
> +@@ -3083,6 +3083,7 @@ static int mailimf_group_parse(const char *
> message, s
> +   struct mailimf_group * group;
> +   int r;
> +   int res;
> ++  clist * list;
> +
> +   cur_token = * indx;
> +
> +@@ -3108,6 +3109,17 @@ static int mailimf_group_parse(const char *
> message, s
> +     r = mailimf_cfws_parse(message, length, &cur_token);
> +     if ((r != MAILIMF_NO_ERROR) && (r != MAILIMF_ERROR_PARSE)) {
> +       res = r;
> ++      goto free_display_name;
> ++    }
> ++    list = clist_new();
> ++    if (list == NULL) {
> ++      res = MAILIMF_ERROR_MEMORY;
> ++      goto free_display_name;
> ++    }
> ++    mailbox_list = mailimf_mailbox_list_new(list);
> ++    if (mailbox_list == NULL) {
> ++      res = MAILIMF_ERROR_MEMORY;
> ++      clist_free(list);
> +       goto free_display_name;
> +     }
> +     break;
>

Re: mail/libetpan 6.1 backport

Paul Irofti-4
On 5/16/2017 8:35 PM, Daniel Jakots wrote:
> On Tue, 16 May 2017 19:32:39 +0300, Paul Irofti <[hidden email]> wrote:
>
>> Right, so how about this?
>
> I think it's better that way. Thanks for taking care of it. ok danj@

What I am worried about with this approach of cherry-picking specific CVE
patches is that we might skip other patches (included in the latest
release) that do not have associated CVEs, or worse, that the maintainer
did not spot.

>
>> Index: Makefile
>> ===================================================================
>> RCS file: /cvs/ports/mail/libetpan/Makefile,v
>> retrieving revision 1.25
>> diff -u -p -u -p -r1.25 Makefile
>> --- Makefile 11 Nov 2016 12:07:00 -0000 1.25
>> +++ Makefile 16 May 2017 16:31:12 -0000
>> @@ -6,7 +6,7 @@ GH_ACCOUNT= dinhviethoa
>>  GH_PROJECT= libetpan
>>  GH_TAGNAME= 1.7.2
>>  CATEGORIES= mail devel
>> -REVISION= 2
>> +REVISION= 3
>>
>>  SHARED_LIBS= etpan 17.0 # 20.0
>>
>> Index: patches/patch-src_low-level_imf_mailimf_c
>> ===================================================================
>> RCS file: patches/patch-src_low-level_imf_mailimf_c
>> diff -N patches/patch-src_low-level_imf_mailimf_c
>> --- /dev/null 1 Jan 1970 00:00:00 -0000
>> +++ patches/patch-src_low-level_imf_mailimf_c 16 May 2017
>> 16:31:12 -0000 @@ -0,0 +1,32 @@
>> +$OpenBSD$
>> +
>> +Fix CVE-2017-8825 null dereference vulnerability in MIME handling
>> +
>> +--- src/low-level/imf/mailimf.c.orig Thu May 26 08:27:47 2016
>> ++++ src/low-level/imf/mailimf.c Tue May 16 19:17:24 2017
>> +@@ -3083,6 +3083,7 @@ static int mailimf_group_parse(const char *
>> message, s
>> +   struct mailimf_group * group;
>> +   int r;
>> +   int res;
>> ++  clist * list;
>> +
>> +   cur_token = * indx;
>> +
>> +@@ -3108,6 +3109,17 @@ static int mailimf_group_parse(const char *
>> message, s
>> +     r = mailimf_cfws_parse(message, length, &cur_token);
>> +     if ((r != MAILIMF_NO_ERROR) && (r != MAILIMF_ERROR_PARSE)) {
>> +       res = r;
>> ++      goto free_display_name;
>> ++    }
>> ++    list = clist_new();
>> ++    if (list == NULL) {
>> ++      res = MAILIMF_ERROR_MEMORY;
>> ++      goto free_display_name;
>> ++    }
>> ++    mailbox_list = mailimf_mailbox_list_new(list);
>> ++    if (mailbox_list == NULL) {
>> ++      res = MAILIMF_ERROR_MEMORY;
>> ++      clist_free(list);
>> +       goto free_display_name;
>> +     }
>> +     break;
>>

Re: mail/libetpan 6.1 backport

Jérémie Courrèges-Anglas-4
In reply to this post by Paul Irofti-4
Paul Irofti <[hidden email]> writes:

> Right, so how about this?

Looks fine to me, ok jca@

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Re: mail/libetpan 6.1 backport

Jérémie Courrèges-Anglas-4
In reply to this post by Paul Irofti-4
Paul Irofti <[hidden email]> writes:

> On 5/16/2017 8:35 PM, Daniel Jakots wrote:
>> On Tue, 16 May 2017 19:32:39 +0300, Paul Irofti <[hidden email]> wrote:
>>
>>> Right, so how about this?
>>
>> I think it's better that way. Thanks for taking care of it. ok danj@
>
> What I am worried about with this approach of cherry-picking specific CVE
> patches is that we might skip other patches (included in the latest
> release) that do not have associated CVEs, or worse, that the maintainer
> did not spot.

Agreed.  I tend to stick to version updates if possible because
backporting can sometimes be fiddly.  But there really seems to be
a single security fix in this libetpan release, and a major bump is kind
of a problem for -stable.  On the other hand, libetpan has a single
consumer - claws-mail - so that's not too much to rebuild.

Avoiding the bump just seems more appealing to me; some users might not
even be aware that they need to build new packages when a major bump
lands in -stable.

If you want to push libetpan-1.8 in -stable, maybe check twice that
a major bump is actually needed?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
