-rw-r--r-- fetchmail-SA-2021-01.txt 62
1 files changed, 40 insertions, 22 deletions
diff --git a/fetchmail-SA-2021-01.txt b/fetchmail-SA-2021-01.txt
index 2a5ca262..3ad2b47e 100644
--- a/fetchmail-SA-2021-01.txt
+++ b/fetchmail-SA-2021-01.txt
@@ -6,8 +6,8 @@ fetchmail-SA-2021-01: DoS or information disclosure logging long messages
Topics: fetchmail denial of service or information disclosure when logging long messages
Author: Matthias Andree
-Version: 1.2
-Announced: 2021-07-28 (original), 2021-08-03 (last update)
+Version: 1.3
+Announced: 2021-07-28 (original), 2021-08-09 (last update)
Type: missing variable initialization can cause read from bad memory
locations
Impact: fetchmail logs random information, or segfaults and aborts,
@@ -23,15 +23,18 @@ Project URL: https://www.fetchmail.info/
Affects: - fetchmail releases up to and including 6.3.8
- fetchmail releases 6.3.17 up to incl. 6.4.19
+ (but note 6.4.20 regresses for buffered output,
+ f.i. with --logfile)
-Not affected: - fetchmail releases 6.4.20 and newer
+Not affected: - fetchmail releases 6.4.21 and newer
+ (fetchmail 6.4.20 fixes the immediate bug but regresses
+ and causes message truncation on buffered output)
- fetchmail releases 6.3.9 to 6.3.16
-Corrected in: c546c829 Git commit hash
- 2021-07-28 fetchmail 6.4.20 release tarball
+Corrected in: c546c829 + d3db2da1 Git commit hash (both needed)
+ 2021-08-09 fetchmail 6.4.21 release tarball
2021-08-03 7.0.0-alpha9/6.5.0-beta4 snapshots
-
0. Release history
==================
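Review bot: in the "Affects" / "Not affected" block, 6.4.20 now appears only as a parenthetical under both lists, so a reader scanning these fields cannot tell whether 6.4.20 is still exposed to the security bug or only carries the functional regression. Section 3 of this same patch calls the 6.4.20 problem a "non-security bug", so say so here as well, for example by stating that 6.4.20 fixes the uninitialized read but truncates log messages on buffered output. "f.i." is better spelled out as "e.g." or "for instance". The 2021-08-03 snapshots line is left unchanged although "Corrected in" now says both c546c829 and d3db2da1 are needed; please confirm whether those snapshots contain both commits and adjust the line if they do not.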
@@ -39,6 +42,7 @@ Corrected in: c546c829 Git commit hash
2021-07-28 1.0 release
2021-07-28 1.1 update Git commit hash with correction
2021-08-03 1.2 add references to CVE-2008-2711/fetchmail-SA-2008-01
+2021-08-09 1.3 mention buffered logging regression (--logfile)
1. Background
@@ -71,7 +75,7 @@ some systems log literally "(null)", some systems trigger SIGSEGV (signal
#11), which crashes fetchmail, causing a denial of service on fetchmail's end.
The same bug then named CVE-2008-2711 had already been fixed in fetchmail 6.3.9,
-but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010)
+but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010)
reintroduced the bug.
Fetchmail versions 6.4.19 and older are no longer supported, however.
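Review bot: the removed and added line "but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010)" read identically as rendered here, so this looks like a whitespace-only change. If that is intended, mention it in the commit message so it is not mistaken for a content edit to a signed advisory.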
@@ -81,17 +85,31 @@ The bugfix used in 6.4.20 uses a different, more thorough, approach.
3. Solution
===========
-Install fetchmail 6.4.20 or newer.
+Install fetchmail 6.4.21 or newer.
The fetchmail source code is available from
<https://sourceforge.net/projects/fetchmail/files/>.
Distributors are encouraged to review the NEWS file and move forward to
-6.4.20, rather than backport individual security fixes, because doing so
+6.4.21, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued, or documentation,
or translation updates.
+The regression fix for the new non-security bug in 6.4.20 that causes
+log message truncation simply consists of editing report.c to rotate lines 289
+through 291, such that the /corrected/ report.c then looks like this:
+
+ 286 n = snprintf (partial_message + partial_message_size_used,
+ 287 partial_message_size - partial_message_size_used,
+ 288 message, a1, a2, a3, a4, a5, a6, a7, a8);
+ 289
+ 290 if (n > 0) partial_message_size_used += n;
+ 291 #endif
+ 292
+ 293 if (unbuffered && partial_message_size_used != 0)
+
+
Fetchmail 6.4.X releases have been made with a focus on unchanged user and
program interfaces so as to avoid disruptions when upgrading from 6.3.Z or
6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface
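Review bot: the new paragraph in section 3 tells readers to "rotate lines 289 through 291" of report.c but gives no direction and shows only the corrected result, and the line numbers are valid for just one source version that the text does not name. Suggest naming the release the numbers refer to and the fixing commit (presumably d3db2da1 from "Corrected in"), and stating which line moves where, or replacing the numbered excerpt with a short unified diff, so that someone patching 6.4.20 by hand can verify the outcome. The excerpt also stops mid-statement at line 293; mark it as truncated so it is not read as the complete condition.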
@@ -114,17 +132,17 @@ Use the information herein at your own risk.
END of fetchmail-SA-2021-01
-----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEJW1kACgkQ5BKxVu/z
-hVrcow//VOWtxFhC1H/BSUsyrx4n+vXJjpBxgu9uK/1RlA7//Bldh8y7X6XgfeBp
-yEKwW71ecdLv4GAzDYoQ5ejrIWwjwkP4hOpFFrXBfv542qgUNIBXCJIkm8Ws4bF2
-IjWWfHqHrvQLaxdZ9R00GPr+3cKsc8OHjkq2tX23uBBgQ4xPn/Q6veBbm/Ok9lUn
-Oge7ffn4eiHZ1d04sH/SyB6raEQuXyCAYVT1a2BBPiMUwsKBDj/LF7OtBrpRbdr9
-Sc1McL99w1lE85j1BI8xRFCmx+FuK2QQBfi1zst99b3IV+MYRC2vuowieMdzy37M
-Wf6TtVWwWoZdxrRG0LIok43Kn4pklrFA67Wk4vCepxULOvlMPUsiCsv5TBJOdq2I
-oLXpquSYz20BxyS3OxS2uu5WgD9IWMOJIn7ZoA8GqHLgSvClmD11njvQJq7bCUNu
-SP6DC+WWbwoWM1oYZS2IHVccIh/rMvu2nptRz6adVASMebnY7rZCveN0YmcSXBUU
-RbCW1cav1VO+BPvlV3AIX6VEjv7q9s839AieLTCkdar7LKf/ktKXQlNAtqbnPW5Q
-O7ujhs+VvjlB7IfjhnoF77tu5NDtktTGgyW37XQPPLwpgpyvEyEWmzvB4hoxrWfV
-+WNNfwmc6sUEs4hzgBmgtaX2exBvWscKk5xe5ks5ULRLJLZ9PnY=
-=NnuJ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+=NnPX
-----END PGP SIGNATURE-----