aboutsummaryrefslogtreecommitdiffstats
path: root/rpa.c
Commit message (Expand)AuthorAgeFilesLines
* Fix various warnings.Matthias Andree2004-06-191-25/+17
* License cleanups.Eric S. Raymond2001-09-301-0/+3
* _( -> GT_(Eric S. Raymond2001-09-261-41/+41
* Label save closes.Eric S. Raymond2000-01-311-1/+1
* Simplify error reporting further.Eric S. Raymond1999-02-031-55/+55
* Return of the dancing progress dots.Eric S. Raymond1999-02-011-17/+19
* Progress messages now go to stdout.Eric S. Raymond1999-01-051-64/+64
* First step towards splitting error from progress messages.Eric S. Raymond1999-01-051-48/+48
* Fix copyrights.Eric S. Raymond1998-12-041-3/+0
* Internationalization support via GNU gettext().Eric S. Raymond1998-11-261-41/+44
* More verbosity fixes.Eric S. Raymond1998-10-171-354/+354
* Introduced O_DEBUG.Eric S. Raymond1998-10-171-19/+19
* Make RPA less verbose.Eric S. Raymond1998-06-041-10/+22
* RPA fixes.Eric S. Raymond1998-06-031-26/+33
* Make RPA logging use error() rather than stderr.Eric S. Raymond1998-05-121-64/+67
* Fix -Wall warnings.Eric S. Raymond1998-03-171-0/+1
* Nailed.Eric S. Raymond1998-03-131-31/+31
* Enable conditioning out of POP3, IMAP, ETRN.Eric S. Raymond1997-10-041-2/+2
* Integrated RPA support.Eric S. Raymond1997-09-301-2/+6
* The code as I received it from Michael Palmer.Eric S. Raymond1997-09-301-0/+882
* Initial revisionEric S. Raymond1997-09-301-0/+0
.highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */ .highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */ .highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */ .highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */ .highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */ .highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */ .highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */ .highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */ .highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */ .highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */ .highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */ .highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */ .highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */ .highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */ .highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */ .highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */ .highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */ .highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */ .highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */ .highlight .vc { color: #336699 } /* Name.Variable.Class */ .highlight .vg { color: #dd7700 } /* Name.Variable.Global */ .highlight .vi { color: #3333bb } /* Name.Variable.Instance */ .highlight .vm { color: #336699 } /* Name.Variable.Magic */ .highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2005-01: security announcement

Topic:		remote code injection vulnerability in fetchmail

Author:		Matthias Andree
Version:	1.04
Announced:	2005-07-21
Type:		buffer overrun/stack corruption/code injection
Impact:		account or system compromise possible through malicious
		or compromised POP3 servers
Danger:		high: in sensitive configurations, a full system
		compromise is possible
		(for 6.2.5.1: denial of service for the whole fetchmail
		system is possible)
CVE Name:	CVE-2005-2335
URL:		http://fetchmail.sourceforge.net/fetchmail-SA-2005-01.txt
		http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
		http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html
		http://www.vuxml.org/freebsd/3f4ac724-fa8b-11d9-afcf-0060084a00e5.html
		http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
		http://www.heise.de/security/news/meldung/62070
Thanks:		Edward J. Shornock (located the bug in UIDL code)
		Miloslav Trmac (pointed out 6.2.5.1 was faulty)
		Ludwig Nussel (provided minimal correct fix)

Affects:	fetchmail version 6.2.5.1 (denial of service)
		fetchmail version 6.2.5 (code injection)
		fetchmail version 6.2.0 (code injection)
		(other versions have not been checked)

Not affected:	fetchmail 6.2.5.2
		fetchmail 6.2.5.4
		fetchmail 6.3.0

		Older versions may not have THIS bug, but had been found
		to contain other security-relevant bugs.

Corrected:	2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
		2005-07-22                   fetchmail-patch-6.2.5.2 released
		2005-07-23                   fetchmail-6.2.5.2 tarball released
		2005-11-13                   fetchmail-6.2.5.4 tarball released
		2005-11-30                   fetchmail-6.3.0 tarball released

0. Release history

2005-07-20	1.00 - Initial announcement
2005-07-22	1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy
		       and susceptible to denial of service through
		       single-byte read from 0 when either a Message-ID:
		       header was empty (in violation of RFC-822/2822)
		       or the UIDL response did not contain an UID (in
		       violation of RFC-1939).
		     - Add Credits.
		     - Add 6.2.5.1 failure details to sections 2 and 3
		     - Revise section 5 and B.
2005-07-26	1.02 - Revise section 0.
		     - Add FreeBSD VuXML URL for 6.2.5.1.
		     - Add heise security URL.
		     - Mention release of 6.2.5.2 tarball.
2005-10-27	1.03 - Update CVE Name after CVE naming change
2005-12-08	1.04 - Mention 6.2.5.4 and 6.3.0 releases "not affected"
		     - remove patch information

1. Background

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

2. Problem description

The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
the UIDL) reads the responses returned by the POP3 server into
fixed-size buffers allocated on the stack, without limiting the input
length to the buffer size. A compromised or malicious POP3 server can
thus overrun fetchmail's stack.  This affects POP3 and all of its
variants, for instance but not limited to APOP.

In fetchmail-6.2.5.1, the attempted fix prevented code injection via
POP3 UIDL, but introduced two possible NULL dereferences that can be
exploited to mount a denial of service attack.

3. Impact

In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
crash, or potentially make it execute code placed on the stack. In some
configurations, fetchmail is run by the root user to download mail for
multiple accounts.

In fetchmail-6.2.5.1, a server that responds with UID lines containing
only the article number but no UID (in violation of RFC-1939), or a
message without Message-ID when no UIDL support is available, can crash
fetchmail.

4. Workaround

No reasonable workaround can be offered at this time.

5. Solution

Upgrade your fetchmail package to version 6.3.0 or newer.

<http://sourceforge.net/projects/fetchmail/files/>

A. References

fetchmail home page: <http://fetchmail.sourceforge.net/>

B. Copyright, License and Warranty

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2005-01.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZWmcQCdGrMPh1DY+Uqi5gmRbL+uUsOd
BpQAn3pBsk4fCeMY61d2ltjcp+CXj8Bi
=WTmI
-----END PGP SIGNATURE-----