aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--fetchmail-SA-2007-02.txt72
1 files changed, 59 insertions, 13 deletions
diff --git a/fetchmail-SA-2007-02.txt b/fetchmail-SA-2007-02.txt
index 03affd77..74fc5558 100644
--- a/fetchmail-SA-2007-02.txt
+++ b/fetchmail-SA-2007-02.txt
@@ -1,21 +1,24 @@
-fetchmail-SA-2007-02: Crash when local warning message is rejected
+fetchmail-SA-2007-02: Crash when a local warning message is rejected
-Topics: Crash when fetchmail-generated warning message is rejected
+Topics: Crash when a fetchmail-generated warning message is rejected
Author: Matthias Andree
-Version: 1.0
-Announced: 2007-07-29
+Version: 1.1
+Announced: 2007-08-28
Type: NULL pointer dereference trigged by outside circumstances
Impact: denial of service possible
Danger: low
+CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)
+
Credits: Earl Chew
CVE Name: CVE-2007-4565
URL: http://fetchmail.berlios.de/fetchmail-SA-2007-02.txt
Project URL: http://fetchmail.berlios.de/
-Affects: fetchmail release < 6.3.9
+Affects: fetchmail release < 6.3.9 exclusively
-Not affected: fetchmail release 6.3.9 (not yet available)
+Not affected: fetchmail release 6.3.9 and newer
+ fetchmail releases < 4.6.8 exclusively
Corrected: 2007-07-29 fetchmail SVN (rev 5119)
@@ -24,6 +27,7 @@ Corrected: 2007-07-29 fetchmail SVN (rev 5119)
==================
2007-07-29 1.0 first draft for MITRE/CVE (visible in SVN)
+2007-08-28 1.1 reworked, added fix, official release
1. Background
@@ -41,19 +45,42 @@ control) files for fetchmail.
2. Problem description and Impact
=================================
-fetchmail will generated warning messages to the local postmaster or user in
-certain circumstances, for instance when authentication fails.
+fetchmail will generate warning messages in certain circumstances and
+send them to the local postmaster or the user starting it. Such warning
+messages can be generated, for instance, if logging into an upstream
+server fails repeatedly or if messages beyond the size limit (if
+configured, default: no limit) are left on the server.
-If this warning message is refused by the SMTP listener that fetchmail is
-talking to, fetchmail attempts to dereference a NULL pointer when trying to find
-out if it should allow a bounce message to be sent.
+If this warning message is then refused by the SMTP listener that
+fetchmail is forwarding the message to, fetchmail attempts to
+dereference a NULL pointer when trying to find out if it should allow a
+bounce message to be sent.
+
+This causes fetchmail to crash and not collect further messages until it
+is restarted.
+
+Risk assessment: low. In default configuration, fetchmail will talk
+through the loopback interface, that is to the SMTP listener on the same
+computer as it is running on. Otherwise, it will commonly be configured
+to talk to trusted SMTP servers, so a compromise of misconfiguration of
+a trusted or the same computer is required to exploit this problem -
+which usually opens up much easier ways of denying service, or worse.
3. Solution
===========
-Install fetchmail 6.3.9 or newer. The fetchmail source code is available from
-<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+There are two alternatives, either of them by itself is sufficient:
+
+a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
+ recompile and reinstall it.
+
+b. Install fetchmail 6.3.9 or newer when it becomes available. The
+ fetchmail source code is available from
+ <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+Note there are no workarounds presented here since all known workarounds
+are more intrusive than the actual solution.
A. Copyright, License and Warranty
@@ -71,4 +98,23 @@ Stanford, California 94305; USA.
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
+
+
+B. Patch to remedy the problem
+==============================
+
+Index: sink.c
+===================================================================
+--- sink.c (revision 5118)
++++ sink.c (revision 5119)
+@@ -262,7 +262,7 @@
+ const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
+
+ /* don't bounce in reply to undeliverable bounces */
+- if (!msg->return_path[0] ||
++ if (!msg || !msg->return_path[0] ||
+ strcmp(msg->return_path, "<>") == 0 ||
+ strcasecmp(msg->return_path, md1) == 0 ||
+ strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
+
END OF fetchmail-SA-2007-02.txt
generated by cgit v1.2.3 (git 2.39.1) at 2025-11-04 07:26:39 +0000