Diffstat (limited to 'fetchmail-SA-2021-01.txt')
-rw-r--r-- | fetchmail-SA-2021-01.txt | 62 |
1 files changed, 40 insertions, 22 deletions
diff --git a/fetchmail-SA-2021-01.txt b/fetchmail-SA-2021-01.txt index 2a5ca262..3ad2b47e 100644 --- a/fetchmail-SA-2021-01.txt +++ b/fetchmail-SA-2021-01.txt @@ -6,8 +6,8 @@ fetchmail-SA-2021-01: DoS or information disclosure logging long messages Topics: fetchmail denial of service or information disclosure when logging long messages Author: Matthias Andree -Version: 1.2 -Announced: 2021-07-28 (original), 2021-08-03 (last update) +Version: 1.3 +Announced: 2021-07-28 (original), 2021-08-09 (last update) Type: missing variable initialization can cause read from bad memory locations Impact: fetchmail logs random information, or segfaults and aborts, @@ -23,15 +23,18 @@ Project URL: https://www.fetchmail.info/ Affects: - fetchmail releases up to and including 6.3.8 - fetchmail releases 6.3.17 up to incl. 6.4.19 + (but note 6.4.20 regresses for buffered output, + f.i. with --logfile) -Not affected: - fetchmail releases 6.4.20 and newer +Not affected: - fetchmail releases 6.4.21 and newer + (fetchmail 6.4.20 fixes the immediate bug but regresses + and causes message truncation on buffered output) - fetchmail releases 6.3.9 to 6.3.16 -Corrected in: c546c829 Git commit hash - 2021-07-28 fetchmail 6.4.20 release tarball +Corrected in: c546c829 + d3db2da1 Git commit hash (both needed) + 2021-08-09 fetchmail 6.4.21 release tarball 2021-08-03 7.0.0-alpha9/6.5.0-beta4 snapshots - 0. Release history ================== @@ -39,6 +42,7 @@ Corrected in: c546c829 Git commit hash 2021-07-28 1.0 release 2021-07-28 1.1 update Git commit hash with correction 2021-08-03 1.2 add references to CVE-2008-2711/fetchmail-SA-2008-01 +2021-08-09 1.3 mention buffered logging regression (--logfile) 1. Background 
@@ -71,7 +75,7 @@ some systems log literally "(null)", some systems trigger SIGSEGV (signal #11), which crashes fetchmail, causing a denial of service on fetchmail's end. The same bug then named CVE-2008-2711 had already been fixed in fetchmail 6.3.9, -but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010) +but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010) reintroduced the bug. Fetchmail versions 6.4.19 and older are no longer supported, however. @@ -81,17 +85,31 @@ The bugfix used in 6.4.20 uses a different, more thorough, approach. 3. Solution =========== -Install fetchmail 6.4.20 or newer. +Install fetchmail 6.4.21 or newer. The fetchmail source code is available from <https://sourceforge.net/projects/fetchmail/files/>. Distributors are encouraged to review the NEWS file and move forward to -6.4.20, rather than backport individual security fixes, because doing so +6.4.21, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued, or documentation, or translation updates. +The regression fix for the new non-security bug in 6.4.20 that causes +log message truncation simply consists of editing report.c to rotate lines 289 +through 291, such that the /corrected/ report.c then looks like this: + + 286 n = snprintf (partial_message + partial_message_size_used, + 287 partial_message_size - partial_message_size_used, + 288 message, a1, a2, a3, a4, a5, a6, a7, a8); + 289 + 290 if (n > 0) partial_message_size_used += n; + 291 #endif + 292 + 293 if (unbuffered && partial_message_size_used != 0) + + Fetchmail 6.4.X releases have been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface 
@@ -114,17 +132,17 @@ Use the information herein at your own risk. END of fetchmail-SA-2021-01 -----BEGIN PGP SIGNATURE----- -iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEJW1kACgkQ5BKxVu/z -hVrcow//VOWtxFhC1H/BSUsyrx4n+vXJjpBxgu9uK/1RlA7//Bldh8y7X6XgfeBp -yEKwW71ecdLv4GAzDYoQ5ejrIWwjwkP4hOpFFrXBfv542qgUNIBXCJIkm8Ws4bF2 -IjWWfHqHrvQLaxdZ9R00GPr+3cKsc8OHjkq2tX23uBBgQ4xPn/Q6veBbm/Ok9lUn -Oge7ffn4eiHZ1d04sH/SyB6raEQuXyCAYVT1a2BBPiMUwsKBDj/LF7OtBrpRbdr9 -Sc1McL99w1lE85j1BI8xRFCmx+FuK2QQBfi1zst99b3IV+MYRC2vuowieMdzy37M -Wf6TtVWwWoZdxrRG0LIok43Kn4pklrFA67Wk4vCepxULOvlMPUsiCsv5TBJOdq2I -oLXpquSYz20BxyS3OxS2uu5WgD9IWMOJIn7ZoA8GqHLgSvClmD11njvQJq7bCUNu -SP6DC+WWbwoWM1oYZS2IHVccIh/rMvu2nptRz6adVASMebnY7rZCveN0YmcSXBUU -RbCW1cav1VO+BPvlV3AIX6VEjv7q9s839AieLTCkdar7LKf/ktKXQlNAtqbnPW5Q -O7ujhs+VvjlB7IfjhnoF77tu5NDtktTGgyW37XQPPLwpgpyvEyEWmzvB4hoxrWfV -+WNNfwmc6sUEs4hzgBmgtaX2exBvWscKk5xe5ks5ULRLJLZ9PnY= -=NnuJ +iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmERUo4ACgkQ5BKxVu/z +hVrq4RAAnvtDbwEvjSEWFVvmZTG7qcrOxAs1SCb+dp33PKy8EPfzE3vjCHEsrwRv +XjX6dKWK61wG7+7kGUyeNlBXASWso2BSR9TypRVi2PXK5aKUgSi0qs0eGpR11jnx +QN9b96rklFb6odJVua/PwWKUG6vBILX1o8DgvoMX4B5S7LipgD/gecuqQyD0t0l5 +TSyJZRaU763B7c4sZjuEwXtfqA49AbBSICq7qAbOa5R695ZelDvFgV3HHCoJIZqN +W2gMtsfCDboyViDf5jHllnbUmAl4bPCHOOcC53zfsESL37/pNYxgAsY2RHyWyhbU +yqVNH/0XTA5UxjN3i81mPbIo0oPI1Yejsbk+V73bI8hBaDtwqZ3BtU/gRYN5ODQi +w2DokSJ5cju7mDX4Ua05ee5n7U3291SJIc/XiMRDh2FauRM1JF2TeLwtgN0iwLM/ +OxZZSjtLrb/X2noBa3jRbJ5sho94mw/suW5jyuVAxKZzJCzgp45f7AeuqtvzYi1X +0TWLwQCEjoPBAySpdi36AZmJfiY2gfFgVSXlE5Piekg4n/QRRn+Qt9227WKJKkH2 +IwTqDIBkvjHXMnmNZTHLf28kKesF0BfYMpo9kDn+Cg4Gln4r0T4zRBB8HwljWfnx +j/4EAI+Nl9NpZ+xZFJe3YBJeOsXpSc+MAqK6tNWK4sKDCzHtnVU= +=NnPX -----END PGP SIGNATURE----- |
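Review bot: In the hunk at @@ -23,15 +23,18, fetchmail 6.4.20 is described only in parentheticals attached to other entries under both "Affects:" and "Not affected:", so a reader scanning the two lists cannot tell at a glance which side it falls on. Consider giving 6.4.20 its own entry that says it fixes the memory-read bug but truncates messages on buffered output, and spelling out "f.i." as "for instance". The same hunk now says both c546c829 and d3db2da1 are needed, while the unchanged context line "2021-08-03 7.0.0-alpha9/6.5.0-beta4 snapshots" stays under "Corrected in:" with a date earlier than this update; please state whether those snapshots contain d3db2da1, or update that line.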
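Review bot: The removed and added lines in the hunk at @@ -71,7 +75,7 ("but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010)") read identically as shown, so the change looks like whitespace only. That is harmless, but it is unrelated to the 1.3 revision logged in the release history ("mention buffered logging regression (--logfile)"); consider dropping it from this change or committing it separately so the advisory diff shows only content changes.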
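Review bot: In the hunk at @@ -81,17 +85,31, the instruction to "rotate lines 289 through 291" is ambiguous for someone patching by hand. It does not say which line moves or in which direction, and only the /corrected/ state is shown, so there is nothing to compare against. The line numbers are also meaningful only for one specific report.c, which the text does not name. Suggest stating the move explicitly (in the corrected excerpt the line "if (n > 0) partial_message_size_used += n;" sits directly before "#endif"), saying which release's report.c the numbers refer to, and citing d3db2da1 here, since the "Corrected in:" field lists it as the second required commit. It would also help to say that this recipe is meant for those already shipping 6.4.20, because the preceding paragraph tells distributors to move to 6.4.21 rather than backport individual fixes.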