Diffstat (limited to 'fetchmail-SA-2005-02.txt')
-rw-r--r--  fetchmail-SA-2005-02.txt  81
1 files changed, 32 insertions, 49 deletions
diff --git a/fetchmail-SA-2005-02.txt b/fetchmail-SA-2005-02.txt
index 584ed89d..68131d63 100644
--- a/fetchmail-SA-2005-02.txt
+++ b/fetchmail-SA-2005-02.txt
@@ -3,35 +3,41 @@ fetchmail-SA-2005-02: security announcement
Topic: password exposure in fetchmailconf
Author: Matthias Andree
-Version: 1.00
-Announced: 2005-XX-XX
+Version: 1.01
+Announced: 2005-10-21
Type: insecure creation of file
Impact: passwords are written to a world-readable file
-Danger: low: the time window during which the passwords are
- readable is small.
+Danger: medium
+Credits: Thomas Wolff, Miloslav Trmac for pointing out
+ that fetchmailconf 1.43.1 was also flawed
CVE Name: CAN-2005-3088
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
Affects: fetchmail version 6.2.5.2
fetchmail version 6.2.5
fetchmail version 6.2.0
- fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
- (other versions have not been checked but are presumed
- affected)
+ fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
+ fetchmailconf 1.43.1 (shipped separately, now withdrawn)
+ (other versions have not been checked but are presumed affected)
-Not affected: fetchmail 6.2.9-rc6 (XX not released yet)
+Not affected: fetchmail 6.2.9-rc6
+ fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
+ fetchmailconf 1.49 (shipped with 6.2.9-rc6)
fetchmail 6.3.0 (not released yet)
- fetchmailconf 1.43.1
Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
- 2005-09-28 - released fetchmailconf-1.43.1
- XX (add date of 6.2.9-rc6 release here)
+ 2005-10-21 - released fetchmailconf-1.43.2
+ 2005-10-21 - released fetchmail 6.2.9-rc6
0. Release history
+==================
-2005-XX-XX 1.00 - Initial announcement
+2005-10-21 1.00 (shipped with -rc6)
+2005-10-21 1.01 (marked 1.43.1 vulnerable, revised section 4,
+ added Credits)
1. Background
+=============
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
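Review bot: the Danger rating changes from "low" to "medium" in this hunk, but the 1.01 release-history entry ("marked 1.43.1 vulnerable, revised section 4, added Credits") does not record that change, and the rationale that went with the old rating ("the time window during which the passwords are readable is small") is dropped without a replacement. Add "raised Danger to medium" to the 1.01 line together with one sentence on why, so readers comparing 1.00 and 1.01 can see the severity was revised rather than assume a typo. Also, the Corrected list keeps only "2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)", which is the same date as the withdrawn fetchmailconf-1.43.1 release that this hunk removes from that list; if fetchmailconf 1.43.2 and 1.49 carry a different or additional fix, cite that revision as well so packagers backport the change that actually closes the hole.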
@@ -42,6 +48,7 @@ utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.
2. Problem description and Impact
+=================================
The fetchmailconf program before and excluding version 1.49 opened the
run control file, wrote the configuration to it, and only then changed
@@ -50,56 +57,32 @@ passwords, before making it unreadable to other users, can expose
sensitive password information.
3. Workaround
+=============
-Run "umask 077", then run "fetchmailconf" from the same shell.
+Run "umask 077", then run "fetchmailconf" from the same shell. After
+fetchmailconf has finished, you can restore your old umask.
4. Solution
+===========
-Download fetchmailconf-1.43.1.gz from fetchmail's project site
+For users of fetchmail-6.2.5.2:
+-------------------------------
+Download fetchmailconf-1.43.2.gz from fetchmail's project site
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>,
gunzip it, then replace your existing fetchmailconf with it.
-Alternatively, apply this patch (you need to save this announcement
-unaltered to a file unless you are sure that your system preserves HTAB
-characters on copy and paste operations) to fetchmailconf and install
-the patched version: (the patch, with modified version number and in
-unified format, is also available from the URL above).
-
-*** ./fetchmailconf.orig Wed Sep 28 03:28:58 2005
---- ./fetchmailconf Wed Sep 28 03:33:11 2005
-***************
-*** 860,871 ****
- pass
- fm = open(self.outfile, 'w')
- if fm:
- fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
- fm.write(`self.configuration`)
- if self.outfile:
- fm.close()
-- if fm != sys.stdout:
-- os.chmod(self.outfile, 0600)
- self.destruct()
-
- #
---- 860,871 ----
- pass
- fm = open(self.outfile, 'w')
- if fm:
-+ if fm != sys.stdout:
-+ os.chmod(self.outfile, 0600)
- fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
- fm.write(`self.configuration`)
- if self.outfile:
- fm.close()
- self.destruct()
-
- #
+For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6:
+---------------------------------------------------------
+update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21.
+<https://developer.berlios.de/project/showfiles.php?group_id=1824>
A. References
+=============
fetchmail home page: <http://fetchmail.berlios.de/>
B. Copyright, License and Warranty
+==================================
(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
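Review bot: the revised workaround in section 3 still only covers the case where fetchmailconf creates the run control file. umask governs the mode of newly created files; if the run control file already exists world-readable from an earlier run of a vulnerable fetchmailconf, open(self.outfile, 'w') truncates it in place and the old mode survives, so the passwords are exposed again until the file is chmod'ed. Suggest adding to section 3 that users chmod the existing run control file to 0600 before (or instead of) relying on umask. Dropping the inline patch is the right call: it runs os.chmod(self.outfile, 0600) only after open(self.outfile, 'w') has already created the file with the umask-default mode, so a window remains between creation and chmod, which is consistent with the Credits line marking 1.43.1 as flawed. Section 4 should state in one sentence how 1.43.2 and 1.49 avoid that window (for instance by creating the file with a restrictive mode from the start) so that distributors backporting the fix can confirm they have the right one. Minor: "update to the latest fetchmail-devel package" should begin with a capital letter, and the final URL uses https while the earlier URL for the same site in this section uses http; pick one.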