-rw-r--r--fetchmail-SA-2010-02.txt72
1 files changed, 44 insertions, 28 deletions
diff --git a/fetchmail-SA-2010-02.txt b/fetchmail-SA-2010-02.txt
index d7bf9b3a..7d5c0bac 100644
--- a/fetchmail-SA-2010-02.txt
+++ b/fetchmail-SA-2010-02.txt
@@ -1,18 +1,21 @@
-- DRAFT - XXX - DRAFT -
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales
-Topics: Denial of service in debug output.
+Topics: Denial of service in debug output
Author: Matthias Andree
-Version: 0.4 XXX
-Announced: XXX
-Type: Unbounded allocation of memory until exhaustion.
-Impact: Denial of service.
+Version: 1.0
+Announced: 2010-05-06
+Type: Unbounded allocation of memory until exhaustion
+Impact: Denial of service
Danger: low
CVE Name: CVE-2010-1167
-CVSSv2: XXX
+CVSSv2: (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:O/RC:C)
+CVSS scores: 3.2, Base 4.3 (Impact 2.9, Exploitability 8.6), Temporal 3.2
+ This is calculated without Environmental Score.
URL: http://www.fetchmail.info/fetchmail-SA-2010-02.txt
Project URL: http://www.fetchmail.info/
@@ -20,7 +23,13 @@ Affects: fetchmail releases 4.6.3 up to and including 6.3.16
Not affected: fetchmail release 6.3.17 and newer
-Corrected: 2010-04-24 Git (XXX)
+Corrected: 2010-04-24 Git, required commits:
+ 167fa2093e82f891eb2fcb6eaa0b1eb3685f44e3
+ ec06293134b85876f9201d8a52b844c41581b2b3
+
+ 2010-04-30 fetchmail 6.3.17-pre1 tarball
+
+ 2010-05-06 fetchmail 6.3.17 release tarball
0. Release history
@@ -28,10 +37,10 @@ Corrected: 2010-04-24 Git (XXX)
2010-04-18 0.1 first draft (visible in SVN and through oss-security)
2010-04-19 0.2 add note announcements may appear before releases
-2010-04-20 0.3 add CVE name, fix Type:
-2010-04-24 0.4 revise patch
-2010-04-29 0.5 add info on contributing/mitigating factors
-XXX
+2010-04-20 0.3 add CVE name, fix Type:
+2010-04-24 0.4 revise patch
+2010-04-29 0.5 add info on contributing/mitigating factors
+2010-06-05 1.0 complete
1. Background
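Review bot: The new release-history entry `2010-06-05 1.0 complete` disagrees with the header fields added in the first hunk, which give `Announced: 2010-05-06` and date the 6.3.17 release tarball 2010-05-06; the day and month look swapped. If version 1.0 was finalised on the announcement day, the line should read `2010-05-06 1.0 complete`. Because the advisory is clearsigned, correcting it means re-signing, so the fix would be better issued as a new revision with its own history line than as a silent edit.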
@@ -125,7 +134,7 @@ so try this if the patch does not apply.
diff --git a/rfc822.c b/rfc822.c
index 6f2dbf3..dbcda32 100644
---- a/rfc822.c
+- --- a/rfc822.c
+++ b/rfc822.c
@@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator.
#include <stdlib.h>
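Review bot: The embedded patch now carries OpenPGP dash-escaping (`- --- a/rfc822.c` here, and `- -` on the removed lines in the later rfc822.c and uid.c hunks), so text copied straight out of the signed advisory will not apply with patch(1). The only guidance visible in this hunk is the context line "so try this if the patch does not apply"; the rest of the advisory is outside the hunk. If the advisory does not already say so elsewhere, a sentence next to the patch would help, for example `Verify and unwrap this advisory with GnuPG before applying the patch; the signed form prefixes every line that starts with "-" with "- ".` That wording also steers readers towards checking the signature before they apply code taken from the advisory.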
@@ -139,9 +148,9 @@ index 6f2dbf3..dbcda32 100644
}
#ifndef MAIN
-- if (outlevel >= O_DEBUG)
-- report_build(stdout, GT_("About to rewrite %.*s...\n"),
-- (int)BEFORE_EOL(buf), buf);
+- - if (outlevel >= O_DEBUG)
+- - report_build(stdout, GT_("About to rewrite %.*s...\n"),
+- - (int)BEFORE_EOL(buf), buf);
+ if (outlevel >= O_DEBUG) {
+ report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf))));
+ xfree(cp);
@@ -153,9 +162,9 @@ index 6f2dbf3..dbcda32 100644
}
#ifndef MAIN
-- if (outlevel >= O_DEBUG)
-- report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
-- (int)BEFORE_EOL(buf), buf);
+- - if (outlevel >= O_DEBUG)
+- - report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
+- - (int)BEFORE_EOL(buf), buf);
+ if (outlevel >= O_DEBUG) {
+ report_complete(stdout, GT_("...rewritten version is %s.\n"),
+ (cp = sdump(buf, BEFORE_EOL(buf))));
@@ -167,7 +176,7 @@ index 6f2dbf3..dbcda32 100644
return(buf);
diff --git a/uid.c b/uid.c
index fdc6f5d..9a62ee2 100644
---- a/uid.c
+- --- a/uid.c
+++ b/uid.c
@@ -20,6 +20,7 @@
@@ -181,8 +190,8 @@ index fdc6f5d..9a62ee2 100644
{
report_build(stdout, GT_("Old UID list from %s:"),
ctl->server.pollname);
-- for (idp = ctl->oldsaved; idp; idp = idp->next)
-- report_build(stdout, " %s", idp->id);
+- - for (idp = ctl->oldsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s", idp->id);
+ for (idp = ctl->oldsaved; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s", t);
@@ -195,8 +204,8 @@ index fdc6f5d..9a62ee2 100644
if (uidlcount)
{
report_build(stdout, GT_("Scratch list of UIDs:"));
-- for (idp = scratchlist; idp; idp = idp->next)
-- report_build(stdout, " %s", idp->id);
+- - for (idp = scratchlist; idp; idp = idp->next)
+- - report_build(stdout, " %s", idp->id);
+ for (idp = scratchlist; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s", t);
@@ -209,8 +218,8 @@ index fdc6f5d..9a62ee2 100644
report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
else
report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname);
-- for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
-- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+- - for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+ for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
@@ -223,8 +232,8 @@ index fdc6f5d..9a62ee2 100644
/* this is now a merged list! the mails which were seen in this
* poll are marked here. */
report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
-- for (idp = ctl->oldsaved; idp; idp = idp->next)
-- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+- - for (idp = ctl->oldsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+ for (idp = ctl->oldsaved; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
@@ -233,3 +242,10 @@ index fdc6f5d..9a62ee2 100644
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.12 (GNU/Linux)
+
+iEYEARECAAYFAkvicswACgkQvmGDOQUufZVq9wCg9j3yrW+aMQs9kMh5mTT8xPO0
+w+MAoJm8g5AlDCwoi2jdmziqlO7/zBxx
+=WEJ3
+-----END PGP SIGNATURE-----