aboutsummaryrefslogtreecommitdiffstats
path: root/fetchmail-SA-2010-01.txt
diff options
context:
space:
mode:
authorMatthias Andree <matthias.andree@gmx.de>2010-02-05 01:06:08 +0000
committerMatthias Andree <matthias.andree@gmx.de>2010-02-05 01:06:08 +0000
commit8209860428405ca97e51dad4d91c3624893ad227 (patch)
treeb387fb7191b69dd554dc85be4dc5ddb3deb727fd /fetchmail-SA-2010-01.txt
parent958b996a2dad365a7c23b1488e00d9a2b47232e2 (diff)
downloadfetchmail-8209860428405ca97e51dad4d91c3624893ad227.tar.gz
fetchmail-8209860428405ca97e51dad4d91c3624893ad227.tar.bz2
fetchmail-8209860428405ca97e51dad4d91c3624893ad227.zip
Getting ready for 6.3.14 release.
svn path=/branches/BRANCH_6-3/; revision=5480
Diffstat (limited to 'fetchmail-SA-2010-01.txt')
-rw-r--r--fetchmail-SA-2010-01.txt29
1 files changed, 20 insertions, 9 deletions
diff --git a/fetchmail-SA-2010-01.txt b/fetchmail-SA-2010-01.txt
index 7abc2211..ea2b6617 100644
--- a/fetchmail-SA-2010-01.txt
+++ b/fetchmail-SA-2010-01.txt
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.
Topics: Heap overrun in verbose SSL certificate information display.
@@ -8,9 +11,8 @@ Announced:
Type: malloc() Buffer overrun with printable characters
Impact: Code injection (difficult).
Danger: low
-CVSSv2 vectors:
-CVE Name:
+CVE Name: to be assigned via oss-security@ list
URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
Project URL: http://www.fetchmail.info/
@@ -19,12 +21,14 @@ Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13
Not affected: fetchmail release 6.3.14 and newer
Corrected: 2010-02-04 fetchmail SVN (r5467)
+ 2010-02-05 fetchmail release 6.3.14
0. Release history
==================
-2010-02-04 0.1 first draft (visible in SVN)
+2010-02-04 0.1 first draft (visible in SVN and through oss-security)
+2010-02-05 1.0 fixed signed/unsigned typo (found by Nico Golde)
1. Background
@@ -50,14 +54,14 @@ buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.
This might be exploitable to inject code if
-- fetchmail is run in verbose mode
+- - fetchmail is run in verbose mode
AND
-- the host running fetchmail considers char signed
+- - the host running fetchmail considers char signed
AND
-- the server uses malicious certificates with non-printing characters
+- - the server uses malicious certificates with non-printing characters
that have the high bit set
AND
-- these certificates manage to inject shell-code that consists purely of
+- - these certificates manage to inject shell-code that consists purely of
printable characters.
It is believed to be difficult to achieve all this.
@@ -115,16 +119,23 @@ or strip them manually. You may want to use the "-p1" flag to patch.
Whitespace differences can usually be ignored by invoking "patch -l",
so try this if the patch does not apply.
---- a/sdump.c
+- --- a/sdump.c
+++ b/sdump.c
@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
if (isprint((unsigned char)in[i])) {
*(oi++) = in[i];
} else {
-- oi += sprintf(oi, "\\x%02X", in[i]);
+- - oi += sprintf(oi, "\\x%02X", in[i]);
+ oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
}
}
*oi = '\0';
END OF fetchmail-SA-2010-01.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.12 (GNU/Linux)
+
+iEYEARECAAYFAktrbs0ACgkQvmGDOQUufZWzMQCg49F/WJiOjGwWZKHHzBcfTgx/
+sLIAmQHPO3mezy3Ku0O29b4AXHL2ZQNb
+=kF7s
+-----END PGP SIGNATURE-----