From 33280d2b96b4010645c5e0a5f9e892ca9fddc1d0 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 19 Jan 2006 02:47:15 +0000 Subject: Escalate recent fix to security and add preliminary announcement. svn path=/branches/BRANCH_6-3/; revision=4657 --- Makefile.am | 1 + NEWS | 32 +++++++++------- fetchmail-SA-2006-01.txt | 98 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 118 insertions(+), 13 deletions(-) create mode 100644 fetchmail-SA-2006-01.txt diff --git a/Makefile.am b/Makefile.am index 99f57a95..34cd3373 100644 --- a/Makefile.am +++ b/Makefile.am @@ -100,6 +100,7 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \ fetchmail-features.html README.SSL README.NTLM \ README.packaging \ fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \ + fetchmail-SA-2006-01.txt \ fetchmail-SA-2005-01.txt \ fetchmail-SA-2005-02.txt \ fetchmail-SA-2005-03.txt diff --git a/NEWS b/NEWS index 934a6273..d919f315 100644 --- a/NEWS +++ b/NEWS @@ -24,6 +24,14 @@ change. MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk.) fetchmail 6.3.2 (to be released): +Unless otherwise noted, changes to this release were made by Matthias Andree. + +# SECURITY FIX IN THIS RELEASE +* CVE-2006-XXXX: Fix segfault or bus error after bouncing a message. This bug + was introduced into 6.3.0 when removing alloca(); it caused fetchmail to free + random memory. Reported by Nathaniel W. Turner, Debian Bug#348747. + See fetchmail-SA-2006-01.txt + # INCOMPATIBLE CHANGE: * Automatically disable the POP3 TOP command if the greeting string contains "Maillennium POP3/PROXY server", which is used by comcast and known to 
@@ -33,13 +41,14 @@ fetchmail 6.3.2 (to be released): *Note* that this means messages are marked read on these servers, which is a deviation from how 6.3.1 behaved, but we have no alternative, comcast haven't fixed this bug in years. Preventing the loss of the remainder of the message - justifies this incompatible fix. Matthias Andree + justifies this incompatible fix. * fetchmail, since 6.3.0, requires write permission to the directory holding the idfile. See the amendment in the 6.3.0 MAJOR INCOMPATIBLE CHANGES section - below for details. The manual page was updated. Matthias Andree + below for details. The manual page was updated. # CHANGES RELEVANT TO PACKAGERS: -* The outdated BUGS document was removed from the distribution. Matthias Andree +* The outdated BUGS document was removed from the distribution. +* Added fetchmail-SA-2006-01.txt to the distribution. # BUG FIXES: * SMTP/LMTP cleanup to fix these two bugs: 
@@ -48,21 +57,18 @@ fetchmail 6.3.2 (to be released): The patch removes the global state variable that was the root of this problem. Patch by Sunil Shetye. (MA) * Don't complain about fetchall keep in --configdump mode. Bug introduced in - 6.3.0. Matthias Andree. + 6.3.0. * fetchmailconf.py: Fix novice help for Poll interval and fetchall. - Reported by Justin Pryzby, Debian Bug #344978. Matthias Andree + Reported by Justin Pryzby, Debian Bug #344978. * Some verbose output disappeared in debug mode. Adding further -v options would alternate between verbose and debug mode. debug mode now comprises all verbose output, and adding more -v options does not switch back from debug to verbose - mode. Matthias Andree + mode. * fetchmail.man: Fix accented characters in Héctor García's name. Merged from - downstream debian/patches/01_man_page.dpatch. Matthias Andree. -* Add missing --help text for "--sslcertck" option. Matthias Andree. -* fetchmailconf.py: Accept --help and --version. Matthias Andree. -* fetchmail --version now prints the copyright notice. Matthias Andree. -* Fix segfault or bus error after bouncing a message. This bug was introduced - into 6.3.0 when removing alloca(); it caused fetchmail to free random memory. - Reported by Nathaniel W. Turner, Debian Bug#348747. Fix: Matthias Andree. + downstream debian/patches/01_man_page.dpatch. +* Add missing --help text for "--sslcertck" option. +* fetchmailconf.py: Accept --help and --version. +* fetchmail --version now prints the copyright notice. fetchmail 6.3.1 (released 2005-12-19): diff --git a/fetchmail-SA-2006-01.txt b/fetchmail-SA-2006-01.txt new file mode 100644 index 00000000..d929c6b5 --- /dev/null +++ b/fetchmail-SA-2006-01.txt 
@@ -0,0 +1,98 @@ +fetchmail-SA-2006-01: crash when bouncing messages. + +Topics: #1 crash when bouncing a message + #2 fetchmail 6.2.5.X end of life + +Author: Matthias Andree +Version: XXX +Announced: XXX +Type: free() with bogus pointer +Impact: fetchmail crashes +Danger: low +Credits: Nathaniel W. Turner (bug report) +CVE Name: XXX +URL: http://fetchmail.berlios.de/fetchmail-SA-2006-01.txt + http://bugs.debian.org/348747 +Project URL: http://fetchmail.berlios.de/ + +Affects: fetchmail version 6.3.0 + fetchmail version 6.3.1 + +Not affected: fetchmail 6.3.2 + fetchmail 6.2.5.5 + other versions not mentioned here or in the previous + sections have not been checked + +Corrected: XXX + + +0. Release history +================== + +2006-01-19 internal review draft + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP2, POP3, +IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. + +fetchmail ships with a graphical, Python/Tkinter based configuration +utility named "fetchmailconf" to help the user create configuration (run +control) files for fetchmail. + + +2. Problem description and Impact +================================= + +Fetchmail contains a bug that causes itself to crash when bouncing a +message to the originator or to the local postmaster. Fetchmail crashes +when trying to free the dynamic array of failed addresses, and calls the +free() function with an invalid pointer. + +Note that such messages are not RFC-822 conformant, so if the server has +not been tampered with, the server software is faulty. + + +3. Workaround +============= + +None known at this time. + + +4. Solution +=========== + +Download and install fetchmail 6.3.2 or a newer stable release from +fetchmail's project site at +. + + +5. End of life announcement +=========================== + +The aged fetchmail 6.2.5.X branch is discontinued effective immediately. 
+No further releases from the 6.2.5.X branch will be made. + +The new 6.3.X stable branch has been available since 2005-11-30 +and will not change except for bugfixes, documentation and translations. + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2006 by Matthias Andree, . +Some rights reserved. + +This work is licensed under the Creative Commons +Attribution-NonCommercial-NoDerivs German License. To view a copy of +this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ +or send a letter to Creative Commons; 559 Nathan Abbott Way; +Stanford, California 94305; USA. + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END OF fetchmail-SA-2006-01.txt -- cgit v1.2.3
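Review bot: In the Makefile.am hunk, the new DISTDOCS entry fetchmail-SA-2006-01.txt is placed ahead of fetchmail-SA-2005-01.txt through fetchmail-SA-2005-03.txt, which breaks the ascending order of the advisory list. Consider appending it after fetchmail-SA-2005-03.txt instead, adding the continuation backslash to that line, so that later advisories have an obvious place to go.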
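Review bot: The SECURITY FIX entry added at the top of the 6.3.2 section in NEWS still carries the placeholder CVE-2006-XXXX, which must not survive into the release tarball. Replace it once the name is assigned, in the same change that fills the "CVE Name: XXX" field of the advisory, so the two cannot drift apart. The entry also says fetchmail would "free random memory" while the advisory's Type field says "free() with bogus pointer"; using one wording in both places would make it easier to match the NEWS item to the advisory.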
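Review bot: Section 2 of the new fetchmail-SA-2006-01.txt refers to "such messages" without having said which property of a message leads to the bounce and then to the crash, so a reader cannot judge exposure from the text. Name the triggering condition before the RFC-822 remark, and state in the Impact field whether the mail server can provoke the crash, since the sentence about a tampered or faulty server implies that it can. The Version, Announced, CVE Name and Corrected fields are still XXX and need real values before this leaves "internal review draft" status.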