From 50987ee1865940d7a8ca70885ef095b6d7db26da Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Wed, 29 Aug 2007 12:15:24 +0000 Subject: Update to fetchmail-SA-2007-02 v1.1. Includes official fix. svn path=/branches/BRANCH_6-3/; revision=5128 --- fetchmail-SA-2007-02.txt | 72 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 13 deletions(-) diff --git a/fetchmail-SA-2007-02.txt b/fetchmail-SA-2007-02.txt index 03affd77..74fc5558 100644 --- a/fetchmail-SA-2007-02.txt +++ b/fetchmail-SA-2007-02.txt @@ -1,21 +1,24 @@ -fetchmail-SA-2007-02: Crash when local warning message is rejected +fetchmail-SA-2007-02: Crash when a local warning message is rejected -Topics: Crash when fetchmail-generated warning message is rejected +Topics: Crash when a fetchmail-generated warning message is rejected Author: Matthias Andree -Version: 1.0 -Announced: 2007-07-29 +Version: 1.1 +Announced: 2007-08-28 Type: NULL pointer dereference trigged by outside circumstances Impact: denial of service possible Danger: low +CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C) + Credits: Earl Chew CVE Name: CVE-2007-4565 URL: http://fetchmail.berlios.de/fetchmail-SA-2007-02.txt Project URL: http://fetchmail.berlios.de/ -Affects: fetchmail release < 6.3.9 +Affects: fetchmail release < 6.3.9 exclusively -Not affected: fetchmail release 6.3.9 (not yet available) +Not affected: fetchmail release 6.3.9 and newer + fetchmail releases < 4.6.8 exclusively Corrected: 2007-07-29 fetchmail SVN (rev 5119) @@ -24,6 +27,7 @@ Corrected: 2007-07-29 fetchmail SVN (rev 5119) ================== 2007-07-29 1.0 first draft for MITRE/CVE (visible in SVN) +2007-08-28 1.1 reworked, added fix, official release 1. Background 
@@ -41,19 +45,42 @@ control) files for fetchmail. 2. Problem description and Impact ================================= -fetchmail will generated warning messages to the local postmaster or user in -certain circumstances, for instance when authentication fails. +fetchmail will generate warning messages in certain circumstances and +send them to the local postmaster or the user starting it. Such warning +messages can be generated, for instance, if logging into an upstream +server fails repeatedly or if messages beyond the size limit (if +configured, default: no limit) are left on the server. -If this warning message is refused by the SMTP listener that fetchmail is -talking to, fetchmail attempts to dereference a NULL pointer when trying to find -out if it should allow a bounce message to be sent. +If this warning message is then refused by the SMTP listener that +fetchmail is forwarding the message to, fetchmail attempts to +dereference a NULL pointer when trying to find out if it should allow a +bounce message to be sent. + +This causes fetchmail to crash and not collect further messages until it +is restarted. + +Risk assessment: low. In default configuration, fetchmail will talk +through the loopback interface, that is to the SMTP listener on the same +computer as it is running on. Otherwise, it will commonly be configured +to talk to trusted SMTP servers, so a compromise of misconfiguration of +a trusted or the same computer is required to exploit this problem - +which usually opens up much easier ways of denying service, or worse. 3. Solution =========== -Install fetchmail 6.3.9 or newer. The fetchmail source code is available from -. +There are two alternatives, either of them by itself is sufficient: + +a. Apply the patch found in section B of this announcement to fetchmail 6.3.8, + recompile and reinstall it. + +b. Install fetchmail 6.3.9 or newer when it becomes available. The + fetchmail source code is available from + . 
+ +Note there are no workarounds presented here since all known workarounds +are more intrusive than the actual solution. A. Copyright, License and Warranty @@ -71,4 +98,23 @@ Stanford, California 94305; USA. THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. + + +B. Patch to remedy the problem +============================== + +Index: sink.c +=================================================================== +--- sink.c (revision 5118) ++++ sink.c (revision 5119) +@@ -262,7 +262,7 @@ + const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@"; + + /* don't bounce in reply to undeliverable bounces */ +- if (!msg->return_path[0] || ++ if (!msg || !msg->return_path[0] || + strcmp(msg->return_path, "<>") == 0 || + strcasecmp(msg->return_path, md1) == 0 || + strncasecmp(msg->return_path, md2, strlen(md2)) == 0) + END OF fetchmail-SA-2007-02.txt -- cgit v1.2.3
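Review bot: in the first hunk (the advisory header), the revised "Affects:" and "Not affected:" lines overlap: "Affects: fetchmail release < 6.3.9 exclusively" still covers the releases below 4.6.8 that the new "Not affected: fetchmail releases < 4.6.8 exclusively" line rules out. State the affected range once, for example "Affects: fetchmail releases 4.6.8 up to and including 6.3.8", and drop "exclusively", which reads as "only" rather than as an open bound. The added "CVSS V2 vector" line leaves the Exploitability temporal metric as "E:?"; CVSS v2 spells an unset temporal metric "ND", so either write "E:ND" or omit the temporal part (E/RL/RC) altogether. Since this header is being revised anyway, the unchanged context line "Type: NULL pointer dereference trigged by outside circumstances" has a typo ("trigged" for "triggered") that is worth fixing in the same change.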
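Review bot: the risk assessment paragraph added in the third hunk (section 2) contains a typo that changes its meaning: "so a compromise of misconfiguration of a trusted or the same computer is required" should read "a compromise or misconfiguration of a trusted or the same computer". In the same hunk, section 3 now offers the patch as alternative a. but describes it only as "the patch found in section B"; since the header's "Corrected:" line names SVN rev 5119, naming that revision here as well would let readers confirm they have the identical fix.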
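Review bot: the patch added as section B in the last hunk is the right minimal guard, but the advisory never says what behaviour it produces. With "!msg ||" prepended to the "don't bounce in reply to undeliverable bounces" condition, a NULL msg now short-circuits that check, so a rejected fetchmail-generated warning is dropped without a bounce instead of crashing the process, consistent with the existing rule of not bouncing when there is no usable return path. Add one sentence to section 2 or 3 stating that, so readers know the fixed behaviour and not only that the crash is gone. The embedded "Index: sink.c" hunk also gives no path prefix; saying from which directory of the 6.3.8 source tree it is meant to be applied (and with which -p level) would save readers a guess.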