path: root/fetchmail-SA-2010-01.txt
Diffstat (limited to 'fetchmail-SA-2010-01.txt')
-rw-r--r-- fetchmail-SA-2010-01.txt | 29
1 files changed, 20 insertions, 9 deletions
diff --git a/fetchmail-SA-2010-01.txt b/fetchmail-SA-2010-01.txt
index 7abc2211..ea2b6617 100644
--- a/fetchmail-SA-2010-01.txt
+++ b/fetchmail-SA-2010-01.txt
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.
Topics: Heap overrun in verbose SSL certificate information display.
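Review bot: with `-----BEGIN PGP SIGNED MESSAGE-----` and `Hash: SHA1` at the top, the committed file is now a clearsigned artifact, so every later edit to the advisory text must be followed by re-signing or `gpg --verify` will report a bad signature; consider stating in the release history which revisions are signed so readers know which copy to verify.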
@@ -8,9 +11,8 @@ Announced:
Type: malloc() Buffer overrun with printable characters
Impact: Code injection (difficult).
Danger: low
-CVSSv2 vectors:
-CVE Name:
+CVE Name: to be assigned via oss-security@ list
URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
Project URL: http://www.fetchmail.info/
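Review bot: the empty `CVSSv2 vectors:` field is removed rather than filled in, leaving the advisory with only the informal `Danger: low` rating next to `Impact: Code injection (difficult).`; keep the field and either populate it or mark it as not yet computed, so readers get a standard severity score. The `CVE Name: to be assigned via oss-security@ list` placeholder is fine, but it implies a follow-up revision once the identifier is allocated.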
@@ -19,12 +21,14 @@ Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13
Not affected: fetchmail release 6.3.14 and newer
Corrected: 2010-02-04 fetchmail SVN (r5467)
+ 2010-02-05 fetchmail release 6.3.14
0. Release history
==================
-2010-02-04 0.1 first draft (visible in SVN)
+2010-02-04 0.1 first draft (visible in SVN and through oss-security)
+2010-02-05 1.0 fixed signed/unsigned typo (found by Nico Golde)
1. Background
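Review bot: the new `1.0` history entry records only the signed/unsigned typo fix, while this revision also adds the PGP clearsignature and the `2010-02-05 fetchmail release 6.3.14` line under `Corrected:`; list those changes in the entry as well so the history matches the diff. The added `Corrected:` line does agree with `Not affected: fetchmail release 6.3.14 and newer`.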
@@ -50,14 +54,14 @@ buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.
This might be exploitable to inject code if
-- fetchmail is run in verbose mode
+- - fetchmail is run in verbose mode
AND
-- the host running fetchmail considers char signed
+- - the host running fetchmail considers char signed
AND
-- the server uses malicious certificates with non-printing characters
+- - the server uses malicious certificates with non-printing characters
that have the high bit set
AND
-- these certificates manage to inject shell-code that consists purely of
+- - these certificates manage to inject shell-code that consists purely of
printable characters.
It is believed to be difficult to achieve all this.
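Review bot: the `- -` prefixes on the four list items are OpenPGP dash-escaping (inside a clearsigned message every line that starts with `-` gets `- ` prepended), not a deliberate formatting change; `gpg` removes them on verification, but anyone reading the raw file sees doubled dashes, so a short note that the text is clearsigned would avoid confusion. The exploitability conditions themselves are unchanged.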
@@ -115,16 +119,23 @@ or strip them manually. You may want to use the "-p1" flag to patch.
Whitespace differences can usually be ignored by invoking "patch -l",
so try this if the patch does not apply.
---- a/sdump.c
+- --- a/sdump.c
+++ b/sdump.c
@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
if (isprint((unsigned char)in[i])) {
*(oi++) = in[i];
} else {
-- oi += sprintf(oi, "\\x%02X", in[i]);
+- - oi += sprintf(oi, "\\x%02X", in[i]);
+ oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
}
}
*oi = '\0';
END OF fetchmail-SA-2010-01.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.12 (GNU/Linux)
+
+iEYEARECAAYFAktrbs0ACgkQvmGDOQUufZWzMQCg49F/WJiOjGwWZKHHzBcfTgx/
+sLIAmQHPO3mezy3Ku0O29b4AXHL2ZQNb
+=kF7s
+-----END PGP SIGNATURE-----
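Review bot: dash-escaping the embedded patch (`- --- a/sdump.c`, `- - oi += sprintf(oi, "\\x%02X", in[i]);`) means the raw file no longer applies with `patch -p1` as the preceding instructions say; point readers to `gpg --output sdump.patch --decrypt fetchmail-SA-2010-01.txt` (or equivalent), which verifies the signature and writes out the unescaped text, or to strip the `- ` prefixes by hand as the text already suggests. The corrected line itself, passing `(unsigned char)in[i]` to `%02X`, is right: without the cast a `char` with the high bit set is sign-extended on signed-char hosts and printed as `\xFF..FFnn`, which is exactly the overrun the advisory describes.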