1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
fetchmail-SA-2005-02: security announcement
Topic: password exposure in fetchmailconf
Author: Matthias Andree
Version: 1.00
Announced: 2005-XX-XX
Type: insecure creation of file
Impact: passwords are written to a world-readable file
Danger: low: the time window during which the passwords are
readable is small.
CVE Name: CAN-2005-3088
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
Affects: fetchmail version 6.2.5.2
fetchmail version 6.2.5
fetchmail version 6.2.0
fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
(other versions have not been checked but are presumed
affected)
Not affected: fetchmail 6.2.9-rc6 (XX not released yet)
fetchmail 6.3.0 (not released yet)
fetchmailconf 1.43.1
Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
2005-09-28 - released fetchmailconf-1.43.1
XX (add date of 6.2.9-rc6 release here)
0. Release history
2005-XX-XX 1.00 - Initial announcement
1. Background
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.
fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.
2. Problem description and Impact
The fetchmailconf program before and excluding version 1.49 opened the
run control file, wrote the configuration to it, and only then changed
the mode to 0600 (rw-------). Writing the file, which usually contains
passwords, before making it unreadable to other users, can expose
sensitive password information.
3. Workaround
Run "umask 077", then run "fetchmailconf" from the same shell.
4. Solution
Download fetchmailconf-1.43.1.gz from fetchmail's project site
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>,
gunzip it, then replace your existing fetchmailconf with it.
Alternatively, apply this patch (you need to save this announcement
unaltered to a file unless you are sure that your system preserves HTAB
characters on copy and paste operations) to fetchmailconf and install
the patched version: (the patch, with modified version number and in
unified format, is also available from the URL above).
*** ./fetchmailconf.orig Wed Sep 28 03:28:58 2005
--- ./fetchmailconf Wed Sep 28 03:33:11 2005
***************
*** 860,871 ****
pass
fm = open(self.outfile, 'w')
if fm:
fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
fm.write(`self.configuration`)
if self.outfile:
fm.close()
- if fm != sys.stdout:
- os.chmod(self.outfile, 0600)
self.destruct()
#
--- 860,871 ----
pass
fm = open(self.outfile, 'w')
if fm:
+ if fm != sys.stdout:
+ os.chmod(self.outfile, 0600)
fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
fm.write(`self.configuration`)
if self.outfile:
fm.close()
self.destruct()
#
A. References
fetchmail home page: <http://fetchmail.berlios.de/>
B. Copyright, License and Warranty
(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
END OF fetchmail-SA-2005-02.txt
|