From f1c0ba89205211f7f723ca81c0130dde30dca336 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 13 Aug 2012 21:23:41 +0200 Subject: Document fix for NTLM crash, + Security advisory (draft). --- Makefile.am | 1 + NEWS | 9 ++++- fetchmail-SA-2012-02.txt | 100 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 fetchmail-SA-2012-02.txt diff --git a/Makefile.am b/Makefile.am index 09352abf..8c34c75f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -135,6 +135,7 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \ README.packaging README.SSL-SERVER \ fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \ Mailbox-Names-UTF7.txt Mailbox-Names-UTF7.html \ + fetchmail-SA-2012-02.txt \ fetchmail-SA-2012-01.txt \ fetchmail-SA-2011-01.txt \ fetchmail-EN-2010-03.txt \ diff --git a/NEWS b/NEWS index cb6e5d14..3ee8d85b 100644 --- a/NEWS +++ b/NEWS @@ -58,7 +58,14 @@ removed from a 6.4.0 or newer release.) fetchmail-6.3.22 (not yet released): -# SECURITY FIX +# SECURITY FIXES +* CVE-2012-(not yet assigned): + NTLM: fetchmail mistook an error message that the server sent in response to + an NTLM request for protocol exchange, tried to decode it, and crashed while + reading from a bad memory location. + Fix: Detect base64 decoding errors and abort NTLM authentication. + See fetchmail-SA-2012-02.txt for further details. + Reported by J. Porter Clark. * CVE-2011-3389: SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure against a certain kind of attack against cipher block chaining initialization diff --git a/fetchmail-SA-2012-02.txt b/fetchmail-SA-2012-02.txt new file mode 100644 index 00000000..d712ab37 --- /dev/null +++ b/fetchmail-SA-2012-02.txt 
@@ -0,0 +1,100 @@ +fetchmail-SA-2012-01: DoS possible with NTLM authentication in debug mode + +Topics: fetchmail denial of service in NTLM protocol phase + +Author: Matthias Andree +Version: draft +Announced: 2012-08-13 +Type: crash while reading from bad memory location +Impact: fetchmail segfaults and aborts, stalling inbound mail +Danger: low +Acknowledgment: J. Porter Clark + +CVE Name: (TBD) +URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt +Project URL: http://www.fetchmail.info/ + +Affects: - fetchmail releases 5.0.8 up to and including 6.3.21 + when compiled with NTLM support enabled + +Not affected: - fetchmail releases compiled with NTLM support disabled + - fetchmail releases 6.3.22 and newer + +Corrected in: 2012-08-13 Git, among others, see commit + 3fbc7cd331602c76f882d1b507cd05c1d824ba8b + + 2012-08-xx fetchmail 6.3.22 release tarball + + +0. Release history +================== + +2012-08-13 0.1 draft + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP3, IMAP, +ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. fetchmail supports SSL and TLS security layers +through the OpenSSL library, if enabled at compile time and if also +enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as +well as in-band-negotiated "STARTTLS" and "STLS" modes through the +regular protocol ports. + + +2. Problem description and Impact +================================= + +Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM +authentication request, but never checked if the received response was +NTLM protocol exchange, or a server-side error message. Instead, +fetchmail tried to decode the error message as though it were +base64-encoded protocol exchange, and could then segfault depending of +buffer contents, while reading data from bad memory locations. + + +3. Solution +=========== + +Install fetchmail 6.3.22 or newer. 
+ +The fetchmail source code is always available from +. + +Distributors are encouraged to review the NEWS file and move forward to +6.3.22, rather than backport individual security fixes, because doing so +routinely misses other fixes crucial to fetchmail's proper operation, +for which no security announcements are issued, or documentation. + +Fetchmail 6.3.X releases have always been made with a focus on unchanged +user and program interfaces so as to avoid disruptions when upgrading +from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the +interface incompatibly. + + +A. Copyright, License and Non-Warranty +====================================== + +(C) Copyright 2012 by Matthias Andree, . +Some rights reserved. + +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA + + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END of fetchmail-SA-2012-02 -- cgit v1.2.3
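Review bot: the NEWS entry carries the placeholder `CVE-2012-(not yet assigned)` and points readers to fetchmail-SA-2012-02.txt, whose own header also reads `CVE Name: (TBD)`; both need the assigned identifier filled in before the 6.3.22 tarball is cut, or the release notes will ship with a dangling reference. The entry itself is otherwise clear: it names the cause (decoding a server error reply as if it were base64 NTLM exchange), the fix (detect base64 decoding errors and abort NTLM authentication) and the reporter, which is the level of detail the other NEWS security items use.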
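Review bot: the first line of the new advisory file reads `+fetchmail-SA-2012-01: DoS possible with NTLM authentication in debug mode`, but the file is fetchmail-SA-2012-02.txt, its URL field says fetchmail-SA-2012-02.txt and the closing line says `END of fetchmail-SA-2012-02`; the title should say SA-2012-02. Two further points in the same hunk: the title qualifies the bug with "in debug mode", yet section 2 describes the crash purely in terms of the NTLM response handling and names no debug-mode precondition, so either state the precondition in section 2 or drop it from the title; and in section 2 "depending of buffer contents" should read "depending on buffer contents". Also check, before the draft is finalised, that the source URL after "always available from" in section 3, the contact address after the copyright line, and the `2012-08-xx` release date in "Corrected in" are all filled in, as they appear empty or as placeholders in the diff as rendered here.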