author    Matthias Andree <matthias.andree@gmx.de> 2012-08-13 21:23:41 +0200
committer Matthias Andree <matthias.andree@gmx.de> 2012-08-13 21:23:41 +0200
commit    f1c0ba89205211f7f723ca81c0130dde30dca336 (patch)
tree      c01c306af775cbc3a57c6d527a8dc773eef78ded
parent    c5f27176c54910a45ea469cae07952b98a7b197e (diff)
Document fix for NTLM crash, + Security advisory (draft).
-rw-r--r-- Makefile.am              |   1
-rw-r--r-- NEWS                     |   9
-rw-r--r-- fetchmail-SA-2012-02.txt | 100
3 files changed, 109 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 09352abf..8c34c75f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -135,6 +135,7 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \
README.packaging README.SSL-SERVER \
fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \
Mailbox-Names-UTF7.txt Mailbox-Names-UTF7.html \
+ fetchmail-SA-2012-02.txt \
fetchmail-SA-2012-01.txt \
fetchmail-SA-2011-01.txt \
fetchmail-EN-2010-03.txt \
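Review bot: Placement of the new DISTDOCS entry matches the newest-first order of the surrounding advisory list (SA-2012-01, SA-2011-01, EN-2010-03), so nothing to change in the Makefile itself; note, however, that DISTDOCS puts this file into the release tarball, and the file added in this same commit still carries "Version: draft", "CVE Name: (TBD)" and a "2012-08-xx" release date, so those placeholders need to be resolved before the 6.3.22 tarball is rolled.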
diff --git a/NEWS b/NEWS
index cb6e5d14..3ee8d85b 100644
--- a/NEWS
+++ b/NEWS
@@ -58,7 +58,14 @@ removed from a 6.4.0 or newer release.)
fetchmail-6.3.22 (not yet released):
-# SECURITY FIX
+# SECURITY FIXES
+* CVE-2012-(not yet assigned):
+ NTLM: fetchmail mistook an error message that the server sent in response to
+ an NTLM request for protocol exchange, tried to decode it, and crashed while
+ reading from a bad memory location.
+ Fix: Detect base64 decoding errors and abort NTLM authentication.
+ See fetchmail-SA-2012-02.txt for further details.
+ Reported by J. Porter Clark.
* CVE-2011-3389:
SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
against a certain kind of attack against cipher block chaining initialization
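Review bot: The line "+* CVE-2012-(not yet assigned):" is a placeholder that must be replaced with the real identifier before release, and the same number then has to appear in the advisory this entry points to ("See fetchmail-SA-2012-02.txt"). It would also help packagers reading NEWS on its own to state the affected range here (the advisory says 5.0.8 up to and including 6.3.21, only when built with NTLM support), since the entry currently describes the crash and the fix but not who is affected.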
diff --git a/fetchmail-SA-2012-02.txt b/fetchmail-SA-2012-02.txt
new file mode 100644
index 00000000..d712ab37
--- /dev/null
+++ b/fetchmail-SA-2012-02.txt
@@ -0,0 +1,100 @@
+fetchmail-SA-2012-01: DoS possible with NTLM authentication in debug mode
+
+Topics: fetchmail denial of service in NTLM protocol phase
+
+Author: Matthias Andree
+Version: draft
+Announced: 2012-08-13
+Type: crash while reading from bad memory location
+Impact: fetchmail segfaults and aborts, stalling inbound mail
+Danger: low
+Acknowledgment: J. Porter Clark
+
+CVE Name: (TBD)
+URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt
+Project URL: http://www.fetchmail.info/
+
+Affects: - fetchmail releases 5.0.8 up to and including 6.3.21
+ when compiled with NTLM support enabled
+
+Not affected: - fetchmail releases compiled with NTLM support disabled
+ - fetchmail releases 6.3.22 and newer
+
+Corrected in: 2012-08-13 Git, among others, see commit
+ 3fbc7cd331602c76f882d1b507cd05c1d824ba8b
+
+ 2012-08-xx fetchmail 6.3.22 release tarball
+
+
+0. Release history
+==================
+
+2012-08-13 0.1 draft
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP3, IMAP,
+ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents. fetchmail supports SSL and TLS security layers
+through the OpenSSL library, if enabled at compile time and if also
+enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
+well as in-band-negotiated "STARTTLS" and "STLS" modes through the
+regular protocol ports.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM
+authentication request, but never checked if the received response was
+NTLM protocol exchange, or a server-side error message. Instead,
+fetchmail tried to decode the error message as though it were
+base64-encoded protocol exchange, and could then segfault depending of
+buffer contents, while reading data from bad memory locations.
+
+
+3. Solution
+===========
+
+Install fetchmail 6.3.22 or newer.
+
+The fetchmail source code is always available from
+<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+Distributors are encouraged to review the NEWS file and move forward to
+6.3.22, rather than backport individual security fixes, because doing so
+routinely misses other fixes crucial to fetchmail's proper operation,
+for which no security announcements are issued, or documentation.
+
+Fetchmail 6.3.X releases have always been made with a focus on unchanged
+user and program interfaces so as to avoid disruptions when upgrading
+from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
+interface incompatibly.
+
+
+A. Copyright, License and Non-Warranty
+======================================
+
+(C) Copyright 2012 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
+
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of fetchmail-SA-2012-02
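Review bot: The first line of the new file names the advisory "fetchmail-SA-2012-01", while the file name, the "URL:" line and the closing "END of fetchmail-SA-2012-02" line all say SA-2012-02; the heading needs to be corrected. The heading also qualifies the DoS with "in debug mode", but neither section 2 nor the "Affects:" block mentions debug mode as a precondition, so either state that condition where affected versions are listed or drop it from the title. Smaller points: "depending of buffer contents" should read "depending on buffer contents", and the Background section only describes the SSL/TLS layers, whereas this advisory is about the NTLM authentication code added in 5.0.8; a sentence on the NTLM compile-time option would orient readers and tie in with the "when compiled with NTLM support enabled" qualifier above.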