authorMatthias Andree <matthias.andree@gmx.de>2010-02-04 09:50:53 +0000
committerMatthias Andree <matthias.andree@gmx.de>2010-02-04 09:50:53 +0000
commitf1c7607615ebd48807db6170937fe79bb89d47d4 (patch)
treedbd620e5702f6642a809e8b6c52830460aea8dde
parent8950b4deb1d513b592af483218a21b3fbed004f1 (diff)
downloadfetchmail-f1c7607615ebd48807db6170937fe79bb89d47d4.tar.gz
fetchmail-f1c7607615ebd48807db6170937fe79bb89d47d4.tar.bz2
fetchmail-f1c7607615ebd48807db6170937fe79bb89d47d4.zip
Security fix for sdump() (X.509 cert display in verbose mode).
svn path=/branches/BRANCH_6-3/; revision=5467
-rw-r--r--Makefile.am1
-rw-r--r--NEWS6
-rw-r--r--fetchmail-SA-2010-01.txt130
-rw-r--r--sdump.c2
4 files changed, 138 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index cb899f00..7c277226 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -126,6 +126,7 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \
fetchmail-features.html README.SSL README.NTLM \
README.packaging README.SSL-SERVER \
fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \
+ fetchmail-SA-2010-01.txt \
fetchmail-SA-2009-01.txt \
fetchmail-SA-2008-01.txt \
fetchmail-SA-2007-02.txt \
diff --git a/NEWS b/NEWS
index 4f057990..91535bd5 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,12 @@ removed from a 6.4.0 or newer release.)
fetchmail 6.3.14 (not yet released):
+# SECURITY FIXES
+* SSL/TLS certificate information is now also reported properly on computers
+ that consider the "char" type signed. Fixes malloc() buffer overrun.
+ Workaround for older versions: do not use verbose mode.
+ See fetchmail-SA-2010-01.txt for details, including a minimal patch.
+
# BUG FIXES
* The IMAP client no longer skips messages from several IMAP servers including
Dovecot if fetchmail's "idle" is in use. Causes were that fetchmail (a)
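Review bot: the NEWS entry under "SECURITY FIXES" never says which releases carry the bug; the advisory added in this same commit names 6.3.11 through 6.3.13, and a reader scanning NEWS to decide whether to upgrade needs that range here too. Suggest appending "(affects 6.3.11 to 6.3.13)" to the first line of the item. The rest of the entry is consistent with the fix: it correctly names signed-"char" platforms as the affected ones and gives "do not use verbose mode" as the only pre-upgrade mitigation.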
diff --git a/fetchmail-SA-2010-01.txt b/fetchmail-SA-2010-01.txt
new file mode 100644
index 00000000..53168349
--- /dev/null
+++ b/fetchmail-SA-2010-01.txt
@@ -0,0 +1,130 @@
+fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.
+
+Topics: Heap overrun in verbose SSL certificate information display.
+
+Author: Matthias Andree
+Version: 1.0
+Announced:
+Type: malloc() Buffer overrun with printable characters
+Impact: Code injection (difficult).
+Danger: low
+CVSSv2 vectors:
+
+CVE Name:
+URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
+Project URL: http://www.fetchmail.info/
+
+Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13
+
+Not affected: fetchmail release 6.3.14 and newer
+
+Corrected: 2010-02-04 fetchmail SVN (r5467)
+
+
+0. Release history
+==================
+
+2010-02-04 0.1 first draft (visible in SVN)
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents. It supports SSL and TLS security layers through
+the OpenSSL library, if enabled at compile time and if also enabled at
+run time.
+
+
+2. Problem description and Impact
+=================================
+
+In verbose mode, fetchmail prints X.509 certificate subject and issuer
+information to the user, and counts and allocates a malloc() buffer for
+that purpose.
+
+If the material to be displayed contains characters with high bit set
+and the platform treats the "char" type as signed, this can cause a heap
+buffer overrun because non-printing characters are escaped as
+\xFF..FFnn, where nn is 80..FF in hex.
+
+This might be exploitable to inject code if
+- fetchmail is run in verbose mode
+AND
+- the host running fetchmail considers char unsigned
+AND
+- the server uses malicious certificates with non-printing characters
+ that have the high bit set
+AND
+- these certificates manage to inject shell-code that consists purely of
+ printable characters.
+
+It is believed to be difficult to achieve all this.
+
+
+3. Solution
+===========
+
+There are two alternatives, either of them by itself is sufficient:
+
+a. Apply the patch found in section B of this announcement to
+ fetchmail 6.3.13, recompile and reinstall it.
+
+b. Install fetchmail 6.3.14 or newer after it will have become available.
+ The fetchmail source code is always available from
+ <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+
+4. Workaround
+=============
+
+Run fetchmail without and verbose options.
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
+
+Creative Commons
+171 Second Street
+Suite 300
+SAN FRANCISCO, CALIFORNIA 94105
+USA
+
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+
+B. Patch to remedy the problem
+==============================
+
+Note that when taking this from a GnuPG clearsigned file, the lines
+starting with a "-" character are prefixed by another "- " (dash +
+blank) combination. Either feed this file through GnuPG to strip them,
+or strip them manually. You may want to use the "-p1" flag to patch.
+
+Whitespace differences can usually be ignored by invoking "patch -l",
+so try this if the patch does not apply.
+
+--- a/sdump.c
++++ b/sdump.c
+@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
+ if (isprint((unsigned char)in[i])) {
+ *(oi++) = in[i];
+ } else {
+- oi += sprintf(oi, "\\x%02X", in[i]);
++ oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
+ }
+ }
+ *oi = '\0';
+
+END OF fetchmail-SA-2010-01.txt
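Review bot: the exploitability list in section 2 contradicts the paragraph just above it: "the host running fetchmail considers char unsigned" should read "signed". With an unsigned char, in[i] promotes to 0..255 and "%02X" emits exactly two hex digits, so nothing overruns; it is the signed case, where a byte of 0x80..0xFF promotes to a negative int and prints as "\xFFFFFF80".."\xFFFFFFFF", that the problem description and the NEWS entry describe. Two smaller points in the same file: section 4 has a typo, "Run fetchmail without and verbose options" should be "without any verbose options"; and the header says "Version: 1.0" while the release history lists only "0.1 first draft", with the Announced, CVSSv2 and CVE fields still empty, so either bump the history to 1.0 or label the header 0.1 until the advisory is actually published.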
diff --git a/sdump.c b/sdump.c
index 6edf0a66..3748672a 100644
--- a/sdump.c
+++ b/sdump.c
@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
if (isprint((unsigned char)in[i])) {
*(oi++) = in[i];
} else {
- oi += sprintf(oi, "\\x%02X", in[i]);
+ oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
}
}
*oi = '\0';
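Review bot: the cast is the right minimal fix, but the hunk shows why the bug slipped in and why it can recur: the isprint() call one line earlier already casts in[i] to unsigned char while the sprintf() argument did not, so the two calls disagreed about the value of the same byte. On a signed-char platform a byte of 0x80 or above promotes to a negative int, "%02X" reads it as an unsigned int, and sprintf writes eight hex digits where the sizing pass (not part of this hunk) budgeted "\x" plus two. Because the counting loop and this writing loop are separate, any future drift between them is again a heap write; suggest replacing sprintf with snprintf bounded by the bytes remaining in the allocation, or asserting after the loop that oi minus the buffer start equals the length the counting pass computed, so a mismatch becomes a truncation or an abort rather than an overrun. Also worth grepping the tree for other sprintf("%02X", ch) sites on plain char to confirm this was the only one.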