pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2021Q3]: pkgsrc/mail/alpine Pullup ticket #6521 - requested by...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/409027ef1edf
branches:  pkgsrc-2021Q3
changeset: 768280:409027ef1edf
user:      tm <tm%pkgsrc.org@localhost>
date:      Sun Oct 17 16:41:33 2021 +0000

description:
Pullup ticket #6521 - requested by nia
mail/alpine: security fix

Revisions pulled up:
- mail/alpine/Makefile                                          1.48
- mail/alpine/distinfo                                          1.27
- mail/alpine/patches/patch-imap_src_mtest_mtest.c              deleted

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Sun Oct 17 09:49:10 UTC 2021

   Modified Files:
        pkgsrc/mail/alpine: Makefile distinfo
   Removed Files:
        pkgsrc/mail/alpine/patches: patch-imap_src_mtest_mtest.c

   Log Message:
   alpine: Update to 2.25.

   pkgsrc changes and notes:

   - According to the release notes, this fixes CVE-2021-38370 by
     Damian Poddebniak.
   - I have added the maildir patch, as FreeBSD does, because it seems
     useful.
   - I have removed the non-trivial patch for OpenBSD, because going by
     OpenBSD's ports repository it's no longer necessary at all.

      Version 2.25 includes several new features and bug fixes.

      Additions include:
        * Unix Alpine: New configuration variable ssl-ciphers that allows users
          to list the ciphers to use when connecting to a SSL server. Based on a
          collaboration with Professor Martin Trusler.
        * New hidden feature enable-delete-before-writing to add support for
          terminals that need lines to be deleted before being written. Based on
          a collaboration with Professor Martin Trusler.
        * Experimental: The instruction to remove the double quotes from the
          processing of customized headers existed in pine, but it was removed
          in alpine. Restoring old Alpine behavior. See this
        * Add the capability to record http debug. This is necessary to debug
          XOAUTH2 authentication, and records sensitive login information. Do
          not share your debug file if you use this form of debug.
        * Remove the ability to choose between the device and authorize methods
          to login to outlook, since the original client-id can only be used for
          the device method. One needs a special client-id and client-secret to
          use the authorize method in Outlook.
        * PC-Alpine only: Some service providers produce access tokens that are
          too long to save in the Windows Credentials, so the access tokens will
          be split and saved as several pieces. This means that old versions of
          Alpine will NOT be able to use saved passwords once this new version
          of Alpine is used.
        * PC-Alpine: Debug files used to be created with extension .txt1, .txt2,
          etc. Rename those files so that they have extension .txt.
        * Always follow **suppress-asterisks-in-password-prompt** setting in
          the various password prompts. Submitted by tienne Deparis.
        * Use 'alpine -F' instead of 'pine -F' as the browser default pager.
          Submitted by tienne Deparis.
        * Introduction of OTHER CMDS menu for the browser/pilot to let people
          discover the two new commands: "1" is a toggle that switches between 1
          column and multicolumn mode. The "." command toggles between hiding or
          showing hidden files, and the "G" command to travel between
          directories. Contributed by tienne Deparis.
        * Add option -xoauth2-flow to the command line, so that users can
          specify the parameters to set up an xoauth2 connection through the
          command line.
        * Alpine deletes, from its internal memory and external cache, passwords
          that do not work, even if they were saved by the user.
        * New format for saving passwords in the windows credential manager for
          PC-Alpine. Upon starting this new version of Alpine the passwords
          saved in the credential manager are converted to the new format and
          they will not be recognized by old versions of Alpine, but only by
          this and newer versions of Alpine.
        * Enabled encryption protocols in PC-Alpine are based on those enabled
          in the system, unless one is specified directly.

      Bugs that have been addressed include:
        * The c-client library parses information from an IMAP server during
          non-authenticated state which could lead to denial of service.
          Reported by Damian Poddebniak from Mnster University of Applied
          Sciences.
        * Memory corruption when alpine searches for a string that is an
          incomplete utf8 string in a local folder. This could happen by
          chopping a string to make it fit a buffer without regard to its
          content. We fix the string so that chopping it does not damage it.
          Reported by Andrew.
        * Crash in the ntlm authenticator when the user name does not include a
          domain. Reported and fixed by Anders Skargren.
        * When forwarding a message, replacing an attachment might make Alpine
          re-attach the original attachment. Reported by Michael Traxler.
        * When an attachment is deleted, the saved message with the deleted
          attachment contains extra null characters after the end of the
          attachment boundary.
        * Tcp and http debug information is not printed unless the default debug
          level is set to 1. Print this if requested, regardless of what the
          default debug level is.
        * When trying to select a folder for saving a message, one can only
          enter a subfolder by pressing the ">" command, rather than the normal
          navigation by pressing "Return". Reported by Ulf-Dietrich Braunmann.
        * Crash when attempting to remove a configuration for a XOAUTH2 server
          that has no usernames configured.
        * Crash caused by saving (and resaving) XOAUTH2 refresh and access
          tokens in PC-Alpine. Reported by Karl Lindauer.

diffstat:

 mail/alpine/Makefile                             |   18 +-
 mail/alpine/distinfo                             |   15 +-
 mail/alpine/patches/patch-imap_src_mtest_mtest.c |  216 -----------------------
 3 files changed, 21 insertions(+), 228 deletions(-)

diffs (284 lines):

diff -r 522008b4f540 -r 409027ef1edf mail/alpine/Makefile
--- a/mail/alpine/Makefile      Sun Oct 17 16:24:16 2021 +0000
+++ b/mail/alpine/Makefile      Sun Oct 17 16:41:33 2021 +0000
@@ -1,16 +1,24 @@
-# $NetBSD: Makefile,v 1.47 2020/11/23 16:36:03 bsiegert Exp $
+# $NetBSD: Makefile,v 1.47.8.1 2021/10/17 16:41:33 tm Exp $
 
-DISTNAME=      alpine-2.24
+DISTNAME=      alpine-2.25
 CATEGORIES=    mail
 MASTER_SITES=  http://alpine.x10host.com/alpine/release/src/
+DIST_SUBDIR=   ${DISTNAME}
 EXTRACT_SUFX=  .tar.xz
 
+PATCH_SITES=           https://alpine.x10host.com/alpine/patches/alpine-${PKGVERSION_NOREV}/
+PATCHFILES+=           maildir.patch.gz
+PATCH_DIST_STRIP=      -p1
+
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
-#HOMEPAGE=     http://patches.freeiz.com/alpine/release/
+HOMEPAGE=      http://alpine.x10host.com/index.html
 COMMENT=       Program for Internet News and E-mail
 LICENSE=       apache-2.0
 
-GNU_CONFIGURE=         yes
+GNU_CONFIGURE= yes
+USE_TOOLS+=    msgfmt msgmerge xgettext
+USE_LIBTOOL=   yes
+
 CONFIGURE_ARGS+=       --with-ssl-dir=${SSLBASE}
 CONFIGURE_ARGS+=       --with-ssl-certs-dir=${SSLCERTS:Q}
 CONFIGURE_ARGS+=       --with-ssl-include-dir=${SSLBASE}/include
@@ -21,8 +29,6 @@
 # disabled, for Web Alpine Support
 CONFIGURE_ARGS+=       --without-tcl
 
-USE_LIBTOOL=   yes
-
 MAKE_JOBS_SAFE=                no
 INSTALLATION_DIRS=     bin ${PKGMANDIR}/man1
 
diff -r 522008b4f540 -r 409027ef1edf mail/alpine/distinfo
--- a/mail/alpine/distinfo      Sun Oct 17 16:24:16 2021 +0000
+++ b/mail/alpine/distinfo      Sun Oct 17 16:41:33 2021 +0000
@@ -1,10 +1,13 @@
-$NetBSD: distinfo,v 1.25 2020/11/23 16:36:03 bsiegert Exp $
+$NetBSD: distinfo,v 1.25.8.1 2021/10/17 16:41:33 tm Exp $
 
-SHA1 (alpine-2.24.tar.xz) = 42f2936935699686276bc6ab9e510eff7376a3dd
-RMD160 (alpine-2.24.tar.xz) = 1612ff9edfdd66a0ef145f338fa9db26177360e0
-SHA512 (alpine-2.24.tar.xz) = 642a51f73732ebdf7c40e2b66370aa2f48fb13b349b477871b26295c3e8b860a0cc78dec9f80efc6ea74c548a080ceff04181eb18c35a9c8cae8d8ef831178c5
-Size (alpine-2.24.tar.xz) = 7341676 bytes
+SHA1 (alpine-2.25/alpine-2.25.tar.xz) = 7f8ab772c1898284d0aa1825c3e18eee72547486
+RMD160 (alpine-2.25/alpine-2.25.tar.xz) = 3035891df0de21d15adc0b1665fcb4127b9b5ffd
+SHA512 (alpine-2.25/alpine-2.25.tar.xz) = 76c214cf66f4ac7af3de40357ad3a592ff2a119e327e5f6c256125b7865d46b09197435fe6ac8077ab7a498e4821925939f3f902431ca77baa786e149466a193
+Size (alpine-2.25/alpine-2.25.tar.xz) = 7495372 bytes
+SHA1 (alpine-2.25/maildir.patch.gz) = d7709751b57bc8f0cf7212452c61e82e715744a4
+RMD160 (alpine-2.25/maildir.patch.gz) = 5c402d391c399763fcf5714cfa7cca7cfbd65964
+SHA512 (alpine-2.25/maildir.patch.gz) = eea454796cab4e96b83869e880fe17d20799bf3a606712367f42deb0f3870b30f620fc77c307e40303ffc8492e828bb7772965b21614b2c27d4fc972f18ff346
+Size (alpine-2.25/maildir.patch.gz) = 34758 bytes
 SHA1 (patch-imap_src_c-client_auth_gss.c) = e6da9ee9dbe0751872d1400237a030112eaa56c6
-SHA1 (patch-imap_src_mtest_mtest.c) = 8c5282047e165fee4b6fe74c230e41d63d3cdc69
 SHA1 (patch-imap_src_osdep_unix_Makefile.gss) = ca09bc26a139c68afe8ac1f99be54bd1fc0e77f0
 SHA1 (patch-imap_src_osdep_unix_kerb_mit.c) = c77d5ee1e8aee30811c2df0562caa375ed270c0e
diff -r 522008b4f540 -r 409027ef1edf mail/alpine/patches/patch-imap_src_mtest_mtest.c
--- a/mail/alpine/patches/patch-imap_src_mtest_mtest.c  Sun Oct 17 16:24:16 2021 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,216 +0,0 @@
-$NetBSD: patch-imap_src_mtest_mtest.c,v 1.3 2018/07/24 12:39:36 bsiegert Exp $
-
-- patch up buffer handling (required to build on openbsd)
-
---- imap/src/mtest/mtest.c.orig        2017-02-06 00:06:22.499218141 +0000
-+++ imap/src/mtest/mtest.c
-@@ -151,6 +151,7 @@ void mm (MAILSTREAM *stream,long debug)
-   void *sdb = NIL;
-   char cmd[MAILTMPLEN],tmp[MAILTMPLEN];
-   char *s, *arg;
-+  size_t argmax;
-   unsigned long i;
-   unsigned long last = 0;
-   BODY *body;
-@@ -158,7 +159,9 @@ void mm (MAILSTREAM *stream,long debug)
-   while (stream) {
-     prompt ("MTest> ",cmd, sizeof(cmd)); /* prompt user, get command */
-                               /* get argument */
--    if ((arg = strchr (cmd,' ')) != NULL) *arg++ = '\0';
-+    if (arg)
-+      argmax = sizeof(cmd) - (arg - cmd);
-+
-     switch (*ucase (cmd)) {   /* dispatch based on command */
-     case 'B':                 /* Body command */
-       if (arg) last = atoi (arg);
-@@ -185,7 +188,8 @@ void mm (MAILSTREAM *stream,long debug)
-         break;
-       }
-       arg = cmd;
--      sprintf (arg,"%lu",last);
-+      argmax = sizeof(cmd);
-+      snprintf (arg, argmax, "%lu",last);
-       }
-       if (last && (last <= stream->nmsgs))
-       mail_setflag (stream,arg,"\\DELETED");
-@@ -198,6 +202,7 @@ void mm (MAILSTREAM *stream,long debug)
-     case 'F':                 /* Find command */
-       if (!arg) {
-       arg = "%";
-+        argmax = 0;
-       if ((s = sm_read (tmp,&sdb)) != NULL) {
-         puts ("Local network subscribed mailboxes:");
-         do if (*s == '{') (mm_lsub (NIL,NIL,s,NIL));
-@@ -251,7 +256,7 @@ void mm (MAILSTREAM *stream,long debug)
-       }
-                               /* get the new mailbox */
-       while (!(stream = mail_open (stream,arg,debug))) {
--      prompt ("Mailbox: ",arg, sizeof(arg));
-+      prompt ("Mailbox: ",arg, argmax);
-       if (!arg[0]) break;
-       }
-       last = 0;
-@@ -323,7 +328,8 @@ void mm (MAILSTREAM *stream,long debug)
-         break;
-       }
-       arg = cmd;
--      sprintf (arg,"%lu",last);
-+      argmax = sizeof(cmd);
-+      snprintf (arg, argmax, "%lu",last);
-       }
-       if (last > 0 && last <= stream->nmsgs)
-       mail_clearflag (stream,arg,"\\DELETED");
-@@ -384,7 +390,7 @@ void overview_header (MAILSTREAM *stream
-     tmp[3] = elt->answered ? 'A' : ' ';
-     tmp[4] = elt->deleted ? 'D' : ' ';
-     mail_parse_date (&selt,ov->date);
--    sprintf (tmp+5,"%4lu) ",elt->msgno);
-+    snprintf (tmp+5, sizeof(tmp)-5, "%4lu) ",elt->msgno);
-     mail_date (tmp+11,&selt);
-     tmp[17] = ' ';
-     tmp[18] = '\0';
-@@ -394,11 +400,12 @@ void overview_header (MAILSTREAM *stream
-     for (adr = ov->from; adr && !adr->host; adr = adr->next);
-     if (adr) {                        /* if a personal name exists use it */
-       if (!(t = adr->personal))
--      sprintf (t = tmp+400,"%s@%s",adr->mailbox,adr->host);
-+        snprintf (t = tmp+400, sizeof(tmp)-400, "%s@%s",adr->mailbox,adr->host);
-       memcpy (tmp+18,t,(size_t) min (20,(long) strlen (t)));
-     }
-     strcat (tmp," ");
-     if ((i = elt->user_flags) != 0L) {
-+      /* XXX bounds? */
-       strcat (tmp,"{");
-       while (i) {
-       strcat (tmp,stream->user_flags[find_rightmost_bit (&i)]);
-@@ -406,7 +413,7 @@ void overview_header (MAILSTREAM *stream
-       }
-       strcat (tmp,"} ");
-     }
--    sprintf (tmp + strlen (tmp),"%.25s (%lu chars)",
-+    snprintf (tmp + strlen (tmp), 400 - strlen(tmp), "%.25s (%lu chars)",
-            ov->subject ? ov->subject : " ",ov->optional.octets);
-     puts (tmp);
-   }
-@@ -423,6 +430,7 @@ void header (MAILSTREAM *stream,long msg
-   unsigned long i;
-   char tmp[MAILTMPLEN];
-   char *t;
-+  size_t len;
-   MESSAGECACHE *cache = mail_elt (stream,msgno);
-   mail_fetchstructure (stream,msgno,NIL);
-   tmp[0] = cache->recent ? (cache->seen ? 'R': 'N') : ' ';
-@@ -430,7 +438,7 @@ void header (MAILSTREAM *stream,long msg
-   tmp[2] = cache->flagged ? 'F' : ' ';
-   tmp[3] = cache->answered ? 'A' : ' ';
-   tmp[4] = cache->deleted ? 'D' : ' ';
--  sprintf (tmp+5,"%4lu) ",cache->msgno);
-+  snprintf (tmp+5, sizeof(tmp)-5, "%4lu) ",cache->msgno);
-   mail_date (tmp+11,cache);
-   tmp[17] = ' ';
-   tmp[18] = '\0';
-@@ -445,7 +453,9 @@ void header (MAILSTREAM *stream,long msg
-     strcat (tmp,"} ");
-   }
-   mail_fetchsubject (t = tmp + strlen (tmp),stream,msgno,(long) 25);
--  sprintf (t += strlen (t)," (%lu chars)",cache->rfc822_size);
-+  len = strlen (t);
-+  t += len;
-+  snprintf (t, sizeof(tmp)-len, " (%lu chars)",cache->rfc822_size);
-   puts (tmp);
- }
- 
-@@ -459,31 +469,57 @@ void display_body (BODY *body,char *pfx,
- {
-   char tmp[MAILTMPLEN];
-   char *s = tmp;
-+  size_t len, smax = sizeof(tmp);
-   PARAMETER *par;
-   PART *part;                 /* multipart doesn't have a row to itself */
-   if (body->type == TYPEMULTIPART) {
-                               /* if not first time, extend prefix */
--    if (pfx) sprintf (tmp,"%s%ld.",pfx,++i);
-+    if (pfx) snprintf (tmp, sizeof(tmp), "%s%ld.",pfx,++i);
-     else tmp[0] = '\0';
-     for (i = 0,part = body->nested.part; part; part = part->next)
-       display_body (&part->body,tmp,i++);
-   }
-   else {                      /* non-multipart, output oneline descriptor */
-     if (!pfx) pfx = "";               /* dummy prefix if top level */
--    sprintf (s," %s%ld %s",pfx,++i,body_types[body->type]);
--    if (body->subtype) sprintf (s += strlen (s),"/%s",body->subtype);
--    if (body->description) sprintf (s += strlen (s)," (%s)",body->description);
--    if ((par = body->parameter) != NULL) do
--      sprintf (s += strlen (s),";%s=%s",par->attribute,par->value);
-+    snprintf (s, smax, " %s%ld %s",pfx,++i,body_types[body->type]);
-+    if (body->subtype) {
-+       len = strlen(s);
-+       s += len;
-+       smax -= len;
-+       snprintf (s, smax, "/%s",body->subtype);
-+    }
-+    if (body->description) {
-+       len = strlen(s);
-+       s += len;
-+       smax -= len;
-+       snprintf (s, smax, " (%s)",body->description);
-+    }
-+    if (par = body->parameter) do {
-+       len = strlen(s);
-+       s += len;
-+       smax -= len;
-+       snprintf (s, smax, ";%s=%s",par->attribute,par->value);
-+    }
-     while ((par = par->next) != NULL);
--    if (body->id) sprintf (s += strlen (s),", id = %s",body->id);
-+    if (body->id) {
-+       len = strlen(s);
-+       s += len;
-+       smax -= len;
-+       snprintf (s, smax, ", id = %s",body->id);
-+    }
-     switch (body->type) {     /* bytes or lines depending upon body type */
-     case TYPEMESSAGE:         /* encapsulated message */
-     case TYPETEXT:            /* plain text */
--      sprintf (s += strlen (s)," (%lu lines)",body->size.lines);
-+      len = strlen(s);
-+      s += len;
-+      smax -= len;
-+      snprintf (s, smax, " (%lu lines)",body->size.lines);
-       break;
-     default:
--      sprintf (s += strlen (s)," (%lu bytes)",body->size.bytes);
-+      len = strlen(s);
-+      s += len;
-+      smax -= len;
-+      snprintf (s, smax, " (%lu bytes)",body->size.bytes);
-       break;
-     }
-     puts (tmp);                       /* output this line */
-@@ -492,7 +528,7 @@ void display_body (BODY *body,char *pfx,
-       (body = body->nested.msg->body)) {
-       if (body->type == TYPEMULTIPART) display_body (body,pfx,i-1);
-       else {                  /* build encapsulation prefix */
--      sprintf (tmp,"%s%ld.",pfx,i);
-+      snprintf (tmp, sizeof(tmp), "%s%ld.",pfx,i);
-       display_body (body,tmp,(long) 0);
-       }
-     }
-@@ -711,10 +747,13 @@ void mm_login (NETMBX *mb,char *user,cha
-   if (curhst) fs_give ((void **) &curhst);
-   curhst = (char *) fs_get (1+strlen (mb->host));
-   strcpy (curhst,mb->host);
--  sprintf (s = tmp,"{%s/%s",mb->host,mb->service);
--  if (*mb->user) sprintf (tmp+strlen (tmp),"/user=%s",strcpy (user,mb->user));
--  if (*mb->authuser) sprintf (tmp+strlen (tmp),"/authuser=%s",mb->authuser);
--  if (*mb->user) strcat (s = tmp,"} password:");
-+  snprintf (s = tmp, sizeof(tmp), "{%s/%s",mb->host,mb->service);
-+  if (*mb->user) snprintf (tmp+strlen (tmp), sizeof(tmp)-strlen(tmp), "/user=%s",strcpy (user,mb->user));
-+  if (*mb->authuser) snprintf (tmp+strlen (tmp), sizeof(tmp)-strlen(tmp), "/authuser=%s",mb->authuser);
-+  if (*mb->user) {
-+     s = tmp;
-+     snprintf(tmp+strlen(tmp), sizeof(tmp)-strlen(tmp), "%s", "} password:");
-+  }
-   else {
-     printf ("%s} username: ",tmp);
-     fgets (user,NETMAXUSER-1,stdin);



Home | Main Index | Thread Index | Old Index