#1117136 fetchmail 6.5.6 security fix required (SMTP AUTH crash depending on server)

Package:
fetchmail
Source:
fetchmail
Description:
SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
Submitter:
Matthias Andree
Date:
2025-10-04 16:11:01 UTC
Severity:
normal
Tags:

#1117136#5
Date:
2025-10-03 15:07:43 UTC
From:
To:
Please update the fetchmail packages according to

https://www.fetchmail.info/fetchmail-SA-2025-01.txt (copy attached).

Since the fetchmail maintainer seems AWOL, I am Bcc:ing security@ and
hope they can find someone to deal with this and also the GCC15 FTBFS
bugs, which are grave.

#1117136#12
Date:
2025-10-03 17:57:53 UTC
From:
To:
Thanks for the heads-up. For some reason I didn't get this email,
only realized about it from our BTS. :-(
I'm alive and well, not well but fixing mostly RC bugs daily for a
while. I've lost my IMAP email access, and can't test the prepared
package update at the moment. :-(
Otherwise upload is coming soon; hopefully not breaking anything.

Regards,
Laszlo/GCS

#1117136#21
Date:
2025-10-03 19:49:59 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
fetchmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1117136@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated fetchmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 03 Oct 2025 19:45:55 +0200
Source: fetchmail
Architecture: source
Version: 6.5.6-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1096626 1117136
Changes:
 fetchmail (6.5.6-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes FTBFS with GCC 15 (closes: #1096626),
     - fixes SMTP AUTH crash depending on server, fetchmail-SA-2025-01
       (closes: #1117136).
   * Update copyright file.
   * Update watch file.
   * Remove now redundant Rules-Requires-Root value.
   * Refer to online version of Free Software Foundation licence.
   * Update Standards-Version to 4.7.2 .
Checksums-Sha1:
 d6a25335d47c4c71c26bd788d59c4b8b26a01e76 2166 fetchmail_6.5.6-1.dsc
 aff5e24b59b17f5750b332ab0d731c77913299d9 1061804 fetchmail_6.5.6.orig.tar.xz
 1c3b0baaae99b2705620cfd52b01247aa92f83b7 833 fetchmail_6.5.6.orig.tar.xz.asc
 2f1a05ebc27cce6ca87664bce7fa0f9066498772 53960 fetchmail_6.5.6-1.debian.tar.xz
Checksums-Sha256:
 5b1966345f7d5ba060b2ecfb2e24f86031772dfd3cfacc2462944fe99b617537 2166 fetchmail_6.5.6-1.dsc
 ec10e0e0eaa417313559379ede76c74614766d838b39470b66474863aa690dab 1061804 fetchmail_6.5.6.orig.tar.xz
 773782ccf23a3fe5c2ace1998190bd7d8857a1d37708d64699d1c80f2b262b97 833 fetchmail_6.5.6.orig.tar.xz.asc
 5ecd7d6585305625f0ee9a26ae8a42499dc2acf541f81d5908d56fbff1da5339 53960 fetchmail_6.5.6-1.debian.tar.xz
Files:
 f2c71196f503b37364384cbe60dbe8f2 2166 mail optional fetchmail_6.5.6-1.dsc
 6313625796cfc08d0e5dea60664a2301 1061804 mail optional fetchmail_6.5.6.orig.tar.xz
 c9f16f12895b467ce006aa5a5b111a69 833 mail optional fetchmail_6.5.6.orig.tar.xz.asc
 ebff8165492b80fd3e98db88ab3643a3 53960 mail optional fetchmail_6.5.6-1.debian.tar.xz

#1117136#26
Date:
2025-10-03 20:51:43 UTC
From:
To:
László,

sorry, hadn't seen activity on fetchmail in a long time.

My apologies to you for my false statement about your status, and thanks
for the prompt upload.

I'd found the bug only yesterday (after checking fetchmail's SMTP AUTH
code when I saw the mutt 2.2.15 release announcement that added a
workaround for Microsoft-ish not-quite-RFC-compliant SASL).

Regarding the older releases (6.4.X), I have a patch linked in my
original bug report, or you can review the 2025-10-03 patches from
<https://gitlab.com/fetchmail/fetchmail/-/commits/legacy_64?ref_type=heads>
and see what you'll need. I suppose the prototype/C23 changes are
irrelevant for now.

Canonical workaround for C23 incompatibilities (that might disable
DNS-related options) if someone compiles with a compiler (GCC15)
defaulting to C23 is avoiding just that and using -std=gnu17 or -std=c17
instead.

Cheers,
Matthias
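An added example, not part of the bug report and not code from the fetchmail project: a small POSIX sh helper that answers the question an administrator reading this thread has, namely whether an installed fetchmail is at or above upstream 6.5.6, the release that carries the fetchmail-SA-2025-01 fix. It strips a Debian epoch ("1:") and revision ("-1") and compares the remaining dotted components numerically, so 6.5.10 correctly sorts above 6.5.6. The dpkg-query call and the 6.5.6 threshold are the only things it assumes beyond the page; pre-release markers such as "~rc1" are not modelled. One caveat the thread itself raises: the 6.4.x legacy branch has its own patches, so a distribution package that backports the fix under a 6.4.x version will be reported as "below 6.5.6" by this check, and the package changelog has to be consulted instead.

```shell
#!/bin/sh
# Added example (not from bug #1117136 or fetchmail): is an installed
# fetchmail at or above the upstream release carrying the SA-2025-01 fix?

FIXED_IN="6.5.6"   # assumption taken from the advisory reference in the thread

# Strip epoch and Debian revision: "1:6.5.6-1" -> "6.5.6"
upstream_version() {
    v=${1#*:}      # drop "epoch:" if present
    v=${v%%-*}     # drop "-debian_revision" if present
    printf '%s\n' "$v"
}

# version_ge A B: exit 0 when upstream(A) >= upstream(B).
# Components are compared numerically, so "6.5.10" > "6.5.6"
# (a plain string compare would get that wrong). A trailing "." is
# appended before cut so that a missing component reads as empty
# rather than cut echoing the whole line. Pre-release suffixes such
# as "~rc1" are truncated to their leading digits and not ranked lower.
version_ge() {
    a=$(upstream_version "$1")
    b=$(upstream_version "$2")
    i=1
    while :; do
        ca=$(printf '%s.\n' "$a" | cut -d. -f"$i")
        cb=$(printf '%s.\n' "$b" | cut -d. -f"$i")
        [ -z "$ca" ] && [ -z "$cb" ] && return 0   # all components equal
        na=${ca%%[!0-9]*}; na=${na:-0}              # leading digits only
        nb=${cb%%[!0-9]*}; nb=${nb:-0}
        [ "$na" -gt "$nb" ] && return 0
        [ "$na" -lt "$nb" ] && return 1
        i=$((i + 1))
    done
}

# Report on the package actually installed (needs dpkg-query; returns 2
# when it is unavailable or fetchmail is not installed).
check_installed() {
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "dpkg-query not available; pass a version string instead" >&2
        return 2
    fi
    inst=$(dpkg-query -W -f='${Version}' fetchmail 2>/dev/null) || {
        echo "fetchmail is not installed"; return 2; }
    if version_ge "$inst" "$FIXED_IN"; then
        echo "fetchmail $inst: at or above $FIXED_IN"
    else
        echo "fetchmail $inst: below $FIXED_IN; update, or confirm a backported fix in the changelog"
        return 1
    fi
}

# Usage: sh check-fetchmail.sh [VERSION]
# With an argument, the given version string is checked; without one,
# nothing runs here, so the functions can be sourced by other scripts.
if [ -n "${1:-}" ]; then
    if version_ge "$1" "$FIXED_IN"; then
        echo "$1: at or above $FIXED_IN"
    else
        echo "$1: below $FIXED_IN"
    fi
fi
```

Run it as `sh check-fetchmail.sh "$(dpkg-query -W -f='${Version}' fetchmail)"` on a Debian host, or call `check_installed` after sourcing the file.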