diff options
-rw-r--r-- | fetchmail-SA-2010-02.txt | 72 |
1 files changed, 44 insertions, 28 deletions
diff --git a/fetchmail-SA-2010-02.txt b/fetchmail-SA-2010-02.txt index d7bf9b3a..7d5c0bac 100644 --- a/fetchmail-SA-2010-02.txt +++ b/fetchmail-SA-2010-02.txt @@ -1,18 +1,21 @@ -- DRAFT - XXX - DRAFT - +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales -Topics: Denial of service in debug output. +Topics: Denial of service in debug output Author: Matthias Andree -Version: 0.4 XXX -Announced: XXX -Type: Unbounded allocation of memory until exhaustion. -Impact: Denial of service. +Version: 1.0 +Announced: 2010-05-06 +Type: Unbounded allocation of memory until exhaustion +Impact: Denial of service Danger: low CVE Name: CVE-2010-1167 -CVSSv2: XXX +CVSSv2: (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:O/RC:C) +CVSS scores: 3.2, Base 4.3 (Impact 2.9, Exploitability 8.6), Temporal 3.2 + This is calculated without Environmental Score. URL: http://www.fetchmail.info/fetchmail-SA-2010-02.txt Project URL: http://www.fetchmail.info/ @@ -20,7 +23,13 @@ Affects: fetchmail releases 4.6.3 up to and including 6.3.16 Not affected: fetchmail release 6.3.17 and newer -Corrected: 2010-04-24 Git (XXX) +Corrected: 2010-04-24 Git, required commits: + 167fa2093e82f891eb2fcb6eaa0b1eb3685f44e3 + ec06293134b85876f9201d8a52b844c41581b2b3 + + 2010-04-30 fetchmail 6.3.17-pre1 tarball + + 2010-05-06 fetchmail 6.3.17 release tarball 0. Release history @@ -28,10 +37,10 @@ Corrected: 2010-04-24 Git (XXX) 2010-04-18 0.1 first draft (visible in SVN and through oss-security) 2010-04-19 0.2 add note announcements may appear before releases -2010-04-20 0.3 add CVE name, fix Type: -2010-04-24 0.4 revise patch -2010-04-29 0.5 add info on contributing/mitigating factors -XXX +2010-04-20 0.3 add CVE name, fix Type: +2010-04-24 0.4 revise patch +2010-04-29 0.5 add info on contributing/mitigating factors +2010-06-05 1.0 complete 1. Background @@ -125,7 +134,7 @@ so try this if the patch does not apply. diff --git a/rfc822.c b/rfc822.c index 6f2dbf3..dbcda32 100644 ---- a/rfc822.c +- --- a/rfc822.c +++ b/rfc822.c @@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator. #include <stdlib.h> @@ -139,9 +148,9 @@ index 6f2dbf3..dbcda32 100644 } #ifndef MAIN -- if (outlevel >= O_DEBUG) -- report_build(stdout, GT_("About to rewrite %.*s...\n"), -- (int)BEFORE_EOL(buf), buf); +- - if (outlevel >= O_DEBUG) +- - report_build(stdout, GT_("About to rewrite %.*s...\n"), +- - (int)BEFORE_EOL(buf), buf); + if (outlevel >= O_DEBUG) { + report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf)))); + xfree(cp); @@ -153,9 +162,9 @@ index 6f2dbf3..dbcda32 100644 } #ifndef MAIN -- if (outlevel >= O_DEBUG) -- report_complete(stdout, GT_("...rewritten version is %.*s.\n"), -- (int)BEFORE_EOL(buf), buf); +- - if (outlevel >= O_DEBUG) +- - report_complete(stdout, GT_("...rewritten version is %.*s.\n"), +- - (int)BEFORE_EOL(buf), buf); + if (outlevel >= O_DEBUG) { + report_complete(stdout, GT_("...rewritten version is %s.\n"), + (cp = sdump(buf, BEFORE_EOL(buf)))); @@ -167,7 +176,7 @@ index 6f2dbf3..dbcda32 100644 return(buf); diff --git a/uid.c b/uid.c index fdc6f5d..9a62ee2 100644 ---- a/uid.c +- --- a/uid.c +++ b/uid.c @@ -20,6 +20,7 @@ @@ -181,8 +190,8 @@ index fdc6f5d..9a62ee2 100644 { report_build(stdout, GT_("Old UID list from %s:"), ctl->server.pollname); -- for (idp = ctl->oldsaved; idp; idp = idp->next) -- report_build(stdout, " %s", idp->id); +- - for (idp = ctl->oldsaved; idp; idp = idp->next) +- - report_build(stdout, " %s", idp->id); + for (idp = ctl->oldsaved; idp; idp = idp->next) { + char *t = sdump(idp->id, strlen(idp->id)); + report_build(stdout, " %s", t); @@ -195,8 +204,8 @@ index fdc6f5d..9a62ee2 100644 if (uidlcount) { report_build(stdout, GT_("Scratch list of UIDs:")); -- for (idp = scratchlist; idp; idp = idp->next) -- report_build(stdout, " %s", idp->id); +- - for (idp = scratchlist; idp; idp = idp->next) +- - report_build(stdout, " %s", idp->id); + for (idp = scratchlist; idp; idp = idp->next) { + char *t = sdump(idp->id, strlen(idp->id)); + report_build(stdout, " %s", t); @@ -209,8 +218,8 @@ index fdc6f5d..9a62ee2 100644 report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname); else report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname); -- for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) -- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark); +- - for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) +- - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark); + for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) { + char *t = sdump(idp->id, strlen(idp->id)); + report_build(stdout, " %s = %d", t, idp->val.status.mark); @@ -223,8 +232,8 @@ index fdc6f5d..9a62ee2 100644 /* this is now a merged list! the mails which were seen in this * poll are marked here. */ report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname); -- for (idp = ctl->oldsaved; idp; idp = idp->next) -- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark); +- - for (idp = ctl->oldsaved; idp; idp = idp->next) +- - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark); + for (idp = ctl->oldsaved; idp; idp = idp->next) { + char *t = sdump(idp->id, strlen(idp->id)); + report_build(stdout, " %s = %d", t, idp->val.status.mark); @@ -233,3 +242,10 @@ index fdc6f5d..9a62ee2 100644 if (!idp) report_build(stdout, GT_(" <empty>")); report_complete(stdout, "\n"); +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.12 (GNU/Linux) + +iEYEARECAAYFAkvicswACgkQvmGDOQUufZVq9wCg9j3yrW+aMQs9kMh5mTT8xPO0 +w+MAoJm8g5AlDCwoi2jdmziqlO7/zBxx +=WEJ3 +-----END PGP SIGNATURE----- |