From f1c7607615ebd48807db6170937fe79bb89d47d4 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Thu, 4 Feb 2010 09:50:53 +0000
Subject: Security fix for sdump() (X.509 cert display in verbose mode).

svn path=/branches/BRANCH_6-3/; revision=5467
---
 Makefile.am | 1 +
 NEWS | 6 +++
 fetchmail-SA-2010-01.txt | 130 +++++++++++++++++++++++++++++++++++++++++++++++
 sdump.c | 2 +-
 4 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 fetchmail-SA-2010-01.txt

diff --git a/Makefile.am b/Makefile.am
index cb899f00..7c277226 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -126,6 +126,7 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \
 fetchmail-features.html README.SSL README.NTLM \
 README.packaging README.SSL-SERVER \
 fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \
+ fetchmail-SA-2010-01.txt \
 fetchmail-SA-2009-01.txt \
 fetchmail-SA-2008-01.txt \
 fetchmail-SA-2007-02.txt \
diff --git a/NEWS b/NEWS
index 4f057990..91535bd5 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,12 @@ removed from a 6.4.0 or newer release.) fetchmail 6.3.14 (not yet released): +# SECURITY FIXES +* SSL/TLS certificate information is now also reported properly on computers + that consider the "char" type signed. Fixes malloc() buffer overrun. + Workaround for older versions: do not use verbose mode. + See fetchmail-SA-2010-01.txt for details, including a minimal patch. + # BUG FIXES * The IMAP client no longer skips messages from several IMAP servers including Dovecot if fetchmail's "idle" is in use. Causes were that fetchmail (a)
diff --git a/fetchmail-SA-2010-01.txt b/fetchmail-SA-2010-01.txt
new file mode 100644
index 00000000..53168349
--- /dev/null
+++ b/fetchmail-SA-2010-01.txt
@@ -0,0 +1,130 @@
+fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.
+
+Topics: Heap overrun in verbose SSL certificate information display.
+
+Author: Matthias Andree
+Version: 1.0
+Announced:
+Type: malloc() Buffer overrun with printable characters
+Impact: Code injection (difficult).
+Danger: low
+CVSSv2 vectors:
+
+CVE Name:
+URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
+Project URL: http://www.fetchmail.info/
+
+Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13
+
+Not affected: fetchmail release 6.3.14 and newer
+
+Corrected: 2010-02-04 fetchmail SVN (r5467)
+
+
+0. Release history
+==================
+
+2010-02-04 0.1 first draft (visible in SVN)
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents. It supports SSL and TLS security layers through
+the OpenSSL library, if enabled at compile time and if also enabled at
+run time.
+
+
+2. Problem description and Impact
+=================================
+
+In verbose mode, fetchmail prints X.509 certificate subject and issuer
+information to the user, and counts and allocates a malloc() buffer for
+that purpose.
+
+If the material to be displayed contains characters with high bit set
+and the platform treats the "char" type as signed, this can cause a heap
+buffer overrun because non-printing characters are escaped as
+\xFF..FFnn, where nn is 80..FF in hex.
+
+This might be exploitable to inject code if
+- fetchmail is run in verbose mode
+AND
+- the host running fetchmail considers char unsigned
+AND
+- the server uses malicious certificates with non-printing characters
+ that have the high bit set
+AND
+- these certificates manage to inject shell-code that consists purely of
+ printable characters.
+
+It is believed to be difficult to achieve all this.
+
+
+3. Solution
+===========
+
+There are two alternatives, either of them by itself is sufficient:
+
+a. Apply the patch found in section B of this announcement to
+ fetchmail 6.3.13, recompile and reinstall it.
+
+b. Install fetchmail 6.3.14 or newer after it will have become available.
+ The fetchmail source code is always available from
+ .
+
+
+4. Workaround
+=============
+
+Run fetchmail without and verbose options.
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2010 by Matthias Andree, .
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
+
+Creative Commons
+171 Second Street
+Suite 300
+SAN FRANCISCO, CALIFORNIA 94105
+USA
+
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+
+B. Patch to remedy the problem
+==============================
+
+Note that when taking this from a GnuPG clearsigned file, the lines
+starting with a "-" character are prefixed by another "- " (dash +
+blank) combination. Either feed this file through GnuPG to strip them,
+or strip them manually. You may want to use the "-p1" flag to patch.
+
+Whitespace differences can usually be ignored by invoking "patch -l",
+so try this if the patch does not apply.
+
+--- a/sdump.c
++++ b/sdump.c
+@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
+ if (isprint((unsigned char)in[i])) {
+ *(oi++) = in[i];
+ } else {
+- oi += sprintf(oi, "\\x%02X", in[i]);
++ oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
+ }
+ }
+ *oi = '\0';
+
+END OF fetchmail-SA-2010-01.txt
diff --git a/sdump.c b/sdump.c
index 6edf0a66..3748672a 100644
--- a/sdump.c
+++ b/sdump.c
@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
 if (isprint((unsigned char)in[i])) {
 *(oi++) = in[i];
 } else {
- oi += sprintf(oi, "\\x%02X", in[i]);
+ oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
 }
 }
 *oi = '\0';
-- 
cgit v1.2.3
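Review bot: The cast on the changed sprintf line is the entire fix, but nothing in the hunk records the invariant it restores — a negative char promoted to int prints as \xFFFFFFNN (up to ten bytes on a 32-bit int) instead of the four bytes "\xNN" that the output buffer, allocated earlier in sdump outside this hunk, presumably budgets per input byte. A comment on that line would keep the invariant visible to the next maintainer: `/* cast to unsigned char: a negative char would print as \xFFFFFFNN and overrun the 4-bytes-per-input-byte output buffer */`. It is also worth noting there that isprint() is locale-dependent, so which bytes get escaped varies with the locale, while the per-byte output bound holds regardless. The opening of sdump and its allocation lie outside the hunk, so the bound itself cannot be confirmed from here. Separately, the advisory text added in fetchmail-SA-2010-01.txt lists "considers char unsigned" among the exploit preconditions while its own problem description names the signed-char case; the two statements should agree.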