From 92fd7b20390af30051fc4bb87e222cf389948dd3 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Fri, 21 Oct 2005 14:04:15 +0000 Subject: Version 1.01. svn path=/trunk/; revision=4366 --- fetchmail-SA-2005-02.txt | 81 +++++++++++++++++++----------------------------- 1 file changed, 32 insertions(+), 49 deletions(-) diff --git a/fetchmail-SA-2005-02.txt b/fetchmail-SA-2005-02.txt index 584ed89d..68131d63 100644 --- a/fetchmail-SA-2005-02.txt +++ b/fetchmail-SA-2005-02.txt @@ -3,35 +3,41 @@ fetchmail-SA-2005-02: security announcement Topic: password exposure in fetchmailconf Author: Matthias Andree -Version: 1.00 -Announced: 2005-XX-XX +Version: 1.01 +Announced: 2005-10-21 Type: insecure creation of file Impact: passwords are written to a world-readable file -Danger: low: the time window during which the passwords are - readable is small. +Danger: medium +Credits: Thomas Wolff, Miloslav Trmac for pointing out + that fetchmailconf 1.43.1 was also flawed CVE Name: CAN-2005-3088 URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt Affects: fetchmail version 6.2.5.2 fetchmail version 6.2.5 fetchmail version 6.2.0 - fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2) - (other versions have not been checked but are presumed - affected) + fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2) + fetchmailconf 1.43.1 (shipped separately, now withdrawn) + (other versions have not been checked but are presumed affected) -Not affected: fetchmail 6.2.9-rc6 (XX not released yet) +Not affected: fetchmail 6.2.9-rc6 + fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2) + fetchmailconf 1.49 (shipped with 6.2.9-rc6) fetchmail 6.3.0 (not released yet) - fetchmailconf 1.43.1 Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351) - 2005-09-28 - released fetchmailconf-1.43.1 - XX (add date of 6.2.9-rc6 release here) + 2005-10-21 - released fetchmailconf-1.43.2 + 2005-10-21 - released fetchmail 6.2.9-rc6 0. Release history +================== -2005-XX-XX 1.00 - Initial announcement +2005-10-21 1.00 (shipped with -rc6) +2005-10-21 1.01 (marked 1.43.1 vulnerable, revised section 4, + added Credits) 1. Background +============= fetchmail is a software package to retrieve mail from remote POP2, POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or @@ -42,6 +48,7 @@ utility named "fetchmailconf" to help the user create configuration (run control) files for fetchmail. 2. Problem description and Impact +================================= The fetchmailconf program before and excluding version 1.49 opened the run control file, wrote the configuration to it, and only then changed @@ -50,56 +57,32 @@ passwords, before making it unreadable to other users, can expose sensitive password information. 3. Workaround +============= -Run "umask 077", then run "fetchmailconf" from the same shell. +Run "umask 077", then run "fetchmailconf" from the same shell. After +fetchmailconf has finished, you can restore your old umask. 4. Solution +=========== -Download fetchmailconf-1.43.1.gz from fetchmail's project site +For users of fetchmail-6.2.5.2: +------------------------------- +Download fetchmailconf-1.43.2.gz from fetchmail's project site , gunzip it, then replace your existing fetchmailconf with it. -Alternatively, apply this patch (you need to save this announcement -unaltered to a file unless you are sure that your system preserves HTAB -characters on copy and paste operations) to fetchmailconf and install -the patched version: (the patch, with modified version number and in -unified format, is also available from the URL above). - -*** ./fetchmailconf.orig Wed Sep 28 03:28:58 2005 ---- ./fetchmailconf Wed Sep 28 03:33:11 2005 -*************** -*** 860,871 **** - pass - fm = open(self.outfile, 'w') - if fm: - fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time())) - fm.write(`self.configuration`) - if self.outfile: - fm.close() -- if fm != sys.stdout: -- os.chmod(self.outfile, 0600) - self.destruct() - - # ---- 860,871 ---- - pass - fm = open(self.outfile, 'w') - if fm: -+ if fm != sys.stdout: -+ os.chmod(self.outfile, 0600) - fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time())) - fm.write(`self.configuration`) - if self.outfile: - fm.close() - self.destruct() - - # +For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6: +--------------------------------------------------------- +update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21. + A. References +============= fetchmail home page: B. Copyright, License and Warranty +================================== (C) Copyright 2005 by Matthias Andree, . Some rights reserved. -- cgit v1.2.3