aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--NEWS8
-rw-r--r--fetchmail-SA-2008-01.txt148
-rw-r--r--report.c9
3 files changed, 163 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 0f5de772..bffec103 100644
--- a/NEWS
+++ b/NEWS
@@ -54,6 +54,14 @@ fetchmail 6.3.9 (not yet released):
This bug was apparently introduced on 1998-11-27 when the bouncemail facility
was modularized. The bug then made its appearance in fetchmail release 4.6.8.
See also fetchmail-SA-2007-02.txt.
+* CVE-2008-XXXX: Denial of service: When fetchmail logs data blobs
+ (for instance, a To: header in -v -v verbose mode) in excess of 2048
+ bytes, it will crash, because it hands an uninitialized argument
+ pointer (not the format string though) to vsnprintf and reads a
+ random memory location (it calls va_arg() too often without
+ resetting it with va_start()). Based on a patch by Petr Uzel, fixes
+ Novell Bug #354291.
+ See also fetchmail-SA-2008-01.txt.
# CRITICAL BUG FIX:
* When expunging, mark the right messages as seen to avoid message loss in "keep
diff --git a/fetchmail-SA-2008-01.txt b/fetchmail-SA-2008-01.txt
new file mode 100644
index 00000000..95c12eda
--- /dev/null
+++ b/fetchmail-SA-2008-01.txt
@@ -0,0 +1,148 @@
+fetchmail-SA-2008-01: Crash on large log messages in verbose mode
+
+Topics: Crash in large log messages in verbose mode.
+
+Author: Matthias Andree
+Version: 1.0
+Announced:
+Type: Dereferencing garbage pointer trigged by outside circumstances
+Impact: denial of service possible
+Danger: low
+CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)
+
+Credits: Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report)
+CVE Name: XXX
+URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt
+Project URL: http://www.fetchmail.info/
+
+Affects: fetchmail release < 6.3.9 exclusively
+
+Not affected: fetchmail release 6.3.9 and newer
+ systems without varargs (stdargs.h) support.
+
+Corrected: 2008-06-13 fetchmail SVN (rev XXX)
+
+References: <https://bugzilla.novell.com/show_bug.cgi?id=354291>
+ <http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824>
+
+0. Release history
+==================
+
+2008-06-13 1.0 first draft for MITRE/CVE (visible in SVN)
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents.
+
+fetchmail ships with a graphical, Python/Tkinter based configuration
+utility named "fetchmailconf" to help the user create configuration (run
+control) files for fetchmail.
+
+
+2. Problem description and Impact
+=================================
+
+Gunter Nau reported fetchmail crashing on some messages; further
+debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
+dug up that this happened when fetchmail was trying to print, in -v -v
+verbose level, headers exceeding 2048 bytes. In this situation,
+fetchmail would resize the buffer and fill in further parts of the
+message, but forget to reinitialize its va_list typed source pointer,
+thus reading data from a garbage address found on the stack at
+addresses above the function arguments the caller passed in; usually
+that would be the caller's stack frame.
+
+It is unknown whether code can be injected remotely, but given that
+the segmentation fault is caused by read accesses, the relevant data
+is not under the remote attacker's control and no buffer overrun
+situation is present that would allow altering program /flow/, it is
+deemed rather unlikely that code can be injected.
+
+Note that the required -vv configuration at hand is both non-default
+and also not common in automated (cron job) setups, but usually used
+in manual debugging, so not many systems would be affected by the
+problem. Nonetheless, in vulnerable configurations, it is remotely
+exploitable to effect a denial of service attack.
+
+
+
+3. Solution
+===========
+
+There are two alternatives, either of them by itself is sufficient:
+
+a. Apply the patch found in section B of this announcement to
+ fetchmail 6.3.8, recompile and reinstall it.
+
+b. Install fetchmail 6.3.9 or newer when it becomes available. The
+ fetchmail source code is available from
+ <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+
+4. Workaround
+=============
+
+Run fetchmail at low verbosity, avoid using two or three -v arguments;
+internal messages are short and do not contain external message
+sources so they do not cause buffer resizing. It is recommended to
+replace the vulnerable code by a fixed version (see previous
+section 3. Solution) as soon as reasonably possible.
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+
+
+B. Patch to remedy the problem
+==============================
+
+diff --git a/report.c b/report.c
+index 31d4e48..2a731ac 100644
+--- a/report.c
++++ b/report.c
+@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
+ rep_ensuresize();
+
+ #if defined(VA_START)
+- VA_START (args, message);
+ for ( ; ; )
+ {
++ /*
++ * args has to be initialized before every call of vsnprintf(),
++ * because vsnprintf() invokes va_arg macro and thus args is
++ * undefined after the call.
++ */
++ VA_START(args, message);
+ n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
+ message, args);
++ va_end (args);
+
+ if (n >= 0
+ && (unsigned)n < partial_message_size - partial_message_size_used)
+@@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
+ partial_message_size += 2048;
+ partial_message = REALLOC (partial_message, partial_message_size);
+ }
+- va_end (args);
+ #else
+ for ( ; ; )
+ {
+
+END OF fetchmail-SA-2008-01.txt
diff --git a/report.c b/report.c
index 31d4e482..2a731acb 100644
--- a/report.c
+++ b/report.c
@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
rep_ensuresize();
#if defined(VA_START)
- VA_START (args, message);
for ( ; ; )
{
+ /*
+ * args has to be initialized before every call of vsnprintf(),
+ * because vsnprintf() invokes va_arg macro and thus args is
+ * undefined after the call.
+ */
+ VA_START(args, message);
n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
message, args);
+ va_end (args);
if (n >= 0
&& (unsigned)n < partial_message_size - partial_message_size_used)
@@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
partial_message_size += 2048;
partial_message = REALLOC (partial_message, partial_message_size);
}
- va_end (args);
#else
for ( ; ; )
{