diff options
| author | Matthias Andree <matthias.andree@gmx.de> | 2008-06-13 16:20:49 +0000 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2008-06-13 16:20:49 +0000 |
| commit | 99113547e733f876cc2f8dfbe8412ed7e082d479 (patch) | |
| tree | ddf9fbff3262a8a25a8cbcea49fb605f64e1f4e9 | |
| parent | 592f3edea03f19d8c682d9f3d9c4c05028c15a77 (diff) | |
| download | fetchmail-99113547e733f876cc2f8dfbe8412ed7e082d479.tar.gz fetchmail-99113547e733f876cc2f8dfbe8412ed7e082d479.tar.bz2 fetchmail-99113547e733f876cc2f8dfbe8412ed7e082d479.zip | |
Fix Novell Bug #354291, fetchmail crashes in -v -v mode when logging long To:
headers (in excess of 2048 bytes).
svn path=/branches/BRANCH_6-3/; revision=5193
| -rw-r--r-- | NEWS | 8 | ||||
| -rw-r--r-- | fetchmail-SA-2008-01.txt | 148 | ||||
| -rw-r--r-- | report.c | 9 |
3 files changed, 163 insertions, 2 deletions
@@ -54,6 +54,14 @@ fetchmail 6.3.9 (not yet released): This bug was apparently introduced on 1998-11-27 when the bouncemail facility was modularized. The bug then made its appearance in fetchmail release 4.6.8. See also fetchmail-SA-2007-02.txt. +* CVE-2008-XXXX: Denial of service: When fetchmail logs data blobs + (for instance, a To: header in -v -v verbose mode) in excess of 2048 + bytes, it will crash, because it hands an uninitialized argument + pointer (not the format string though) to vsnprintf and reads a + random memory location (it calls va_arg() too often without + resetting it with va_start()). Based on a patch by Petr Uzel, fixes + Novell Bug #354291. + See also fetchmail-SA-2008-01.txt. # CRITICAL BUG FIX: * When expunging, mark the right messages as seen to avoid message loss in "keep diff --git a/fetchmail-SA-2008-01.txt b/fetchmail-SA-2008-01.txt new file mode 100644 index 00000000..95c12eda --- /dev/null +++ b/fetchmail-SA-2008-01.txt @@ -0,0 +1,148 @@ +fetchmail-SA-2008-01: Crash on large log messages in verbose mode + +Topics: Crash in large log messages in verbose mode. + +Author: Matthias Andree +Version: 1.0 +Announced: +Type: Dereferencing garbage pointer trigged by outside circumstances +Impact: denial of service possible +Danger: low +CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C) + +Credits: Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report) +CVE Name: XXX +URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt +Project URL: http://www.fetchmail.info/ + +Affects: fetchmail release < 6.3.9 exclusively + +Not affected: fetchmail release 6.3.9 and newer + systems without varargs (stdargs.h) support. + +Corrected: 2008-06-13 fetchmail SVN (rev XXX) + +References: <https://bugzilla.novell.com/show_bug.cgi?id=354291> + <http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824> + +0. Release history +================== + +2008-06-13 1.0 first draft for MITRE/CVE (visible in SVN) + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP2, POP3, +IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. + +fetchmail ships with a graphical, Python/Tkinter based configuration +utility named "fetchmailconf" to help the user create configuration (run +control) files for fetchmail. + + +2. Problem description and Impact +================================= + +Gunter Nau reported fetchmail crashing on some messages; further +debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic +dug up that this happened when fetchmail was trying to print, in -v -v +verbose level, headers exceeding 2048 bytes. In this situation, +fetchmail would resize the buffer and fill in further parts of the +message, but forget to reinitialize its va_list typed source pointer, +thus reading data from a garbage address found on the stack at +addresses above the function arguments the caller passed in; usually +that would be the caller's stack frame. + +It is unknown whether code can be injected remotely, but given that +the segmentation fault is caused by read accesses, the relevant data +is not under the remote attacker's control and no buffer overrun +situation is present that would allow altering program /flow/, it is +deemed rather unlikely that code can be injected. + +Note that the required -vv configuration at hand is both non-default +and also not common in automated (cron job) setups, but usually used +in manual debugging, so not many systems would be affected by the +problem. Nonetheless, in vulnerable configurations, it is remotely +exploitable to effect a denial of service attack. + + + +3. Solution +=========== + +There are two alternatives, either of them by itself is sufficient: + +a. Apply the patch found in section B of this announcement to + fetchmail 6.3.8, recompile and reinstall it. + +b. Install fetchmail 6.3.9 or newer when it becomes available. The + fetchmail source code is available from + <http://developer.berlios.de/project/showfiles.php?group_id=1824>. + + +4. Workaround +============= + +Run fetchmail at low verbosity, avoid using two or three -v arguments; +internal messages are short and do not contain external message +sources so they do not cause buffer resizing. It is recommended to +replace the vulnerable code by a fixed version (see previous +section 3. Solution) as soon as reasonably possible. + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>. +Some rights reserved. + +This work is licensed under the Creative Commons +Attribution-NonCommercial-NoDerivs German License. To view a copy of +this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ +or send a letter to Creative Commons; 559 Nathan Abbott Way; +Stanford, California 94305; USA. + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + + + +B. Patch to remedy the problem +============================== + +diff --git a/report.c b/report.c +index 31d4e48..2a731ac 100644 +--- a/report.c ++++ b/report.c +@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist) + rep_ensuresize(); + + #if defined(VA_START) +- VA_START (args, message); + for ( ; ; ) + { ++ /* ++ * args has to be initialized before every call of vsnprintf(), ++ * because vsnprintf() invokes va_arg macro and thus args is ++ * undefined after the call. ++ */ ++ VA_START(args, message); + n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, + message, args); ++ va_end (args); + + if (n >= 0 + && (unsigned)n < partial_message_size - partial_message_size_used) +@@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist) + partial_message_size += 2048; + partial_message = REALLOC (partial_message, partial_message_size); + } +- va_end (args); + #else + for ( ; ; ) + { + +END OF fetchmail-SA-2008-01.txt @@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist) rep_ensuresize(); #if defined(VA_START) - VA_START (args, message); for ( ; ; ) { + /* + * args has to be initialized before every call of vsnprintf(), + * because vsnprintf() invokes va_arg macro and thus args is + * undefined after the call. + */ + VA_START(args, message); n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, message, args); + va_end (args); if (n >= 0 && (unsigned)n < partial_message_size - partial_message_size_used) @@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist) partial_message_size += 2048; partial_message = REALLOC (partial_message, partial_message_size); } - va_end (args); #else for ( ; ; ) { |