-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2005-03: security announcement

Topics:		#1 crash retrieving headerless message in multidrop mode
		#2 fetchmail 6.2.5.X end of life

Author:		Matthias Andree
Version:	1.00
Announced:	2005-12-19
Type:		null pointer dereference
Impact:		fetchmail crashes
Danger:		low
Credits:	Daniel Drake, Gentoo (bug report)
		Sunil Shetye (bug fix)
CVE Name:	CVE-2005-4348
URL:		http://fetchmail.sourceforge.net/fetchmail-SA-2005-03.txt
		http://article.gmane.org/gmane.mail.fetchmail.user/7573
		http://bugs.debian.org/343836
Project URL:	http://fetchmail.sourceforge.net/

Affects:	fetchmail version 6.2.5.4
		fetchmail version 6.3.0

Not affected:	fetchmail 6.3.1
		fetchmail 6.2.5.5
		other versions not mentioned here or in the previous
		sections have not been checked

Corrected:	2005-12-19 - released fetchmail 6.3.1
		2005-12-18 - released fetchmail 6.3.1-rc1
		2005-12-19 - released fetchmail 6.2.5.5


0. Release history
==================

2005-12-19	1.00 - initial version


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
=================================

Fetchmail contains a bug that causes an application crash when fetchmail
is configured for multidrop mode and the upstream mail server sends a
message without headers.  As fetchmail does not record this message as
"previously fetched", it will crash with the same message if it is
re-executed, so it cannot make progress. A malicious or broken-into
upstream server could thus cause a denial of service in fetchmail
clients.

Note that such messages are not RFC-822 conformant, so if the server has
not been tampered with, the server software is faulty.
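
The failure mode above, as an added illustration that is not fetchmail's own code: a minimal multidrop-style recipient scan in C, with the unchecked form that reads through a null pointer on a headerless message next to a checked form that falls back to the postmaster, returns a distinct status, and so lets the caller log the message and record it as fetched instead of crashing on it at every poll. Function names, the sample messages, the case-sensitive header match and the postmaster fallback are assumptions made for this example.

```c
/* Added illustration, not fetchmail source.  All names, the sample
 * messages and the fallback policy are assumptions for this example. */
#include <stdio.h>
#include <string.h>

enum { RCPT_OK = 0, RCPT_NO_HEADERS = 1, RCPT_NO_MATCH = 2 };

/* Start of the header block, or NULL when the message has none (empty
 * message, or a first line that is blank or has no ':').  RFC 822
 * requires at least one header line, so NULL is the non-conformant case. */
static const char *header_block(const char *msg)
{
    if (msg == NULL || *msg == '\0' || *msg == '\n' || *msg == '\r')
        return NULL;
    const char *eol = strchr(msg, '\n');
    size_t linelen = eol ? (size_t)(eol - msg) : strlen(msg);
    return memchr(msg, ':', linelen) ? msg : NULL;
}

/* Value of header "name" (case-sensitive, unfolded lines assumed) inside a
 * header block; scans up to the blank line.  NULL if absent.  Reads through
 * NULL if hdrs itself is NULL: that is the bug being illustrated. */
static const char *find_header(const char *hdrs, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *line = hdrs;
    while (*line != '\0' && *line != '\n') {
        const char *eol = strchr(line, '\n');
        size_t ll = eol ? (size_t)(eol - line) : strlen(line);
        if (ll > nlen && strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (v < line + ll && *v == ' ')
                v++;
            *vlen = (size_t)(line + ll - v);
            return v;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return NULL;
}

/* Copy the local part of the first To: address in localdomain into out. */
static int pick_local(const char *hdrs, const char *localdomain, char *out, size_t outlen)
{
    size_t vlen, dlen = strlen(localdomain);
    const char *v = find_header(hdrs, "To", &vlen);
    if (v == NULL)
        return RCPT_NO_MATCH;
    for (size_t i = 0; i < vlen; i++) {
        if (v[i] != '@' || i + 1 + dlen > vlen || strncmp(v + i + 1, localdomain, dlen) != 0)
            continue;
        size_t end = i + 1 + dlen;            /* reject a longer domain such as example.org.uk */
        if (end < vlen && v[end] != ',' && v[end] != ' ' && v[end] != '>')
            continue;
        size_t start = i;                     /* local part runs back to the previous delimiter */
        while (start > 0 && v[start - 1] != ',' && v[start - 1] != ' ' && v[start - 1] != '<')
            start--;
        size_t n = i - start;
        if (n >= outlen)
            n = outlen - 1;
        memcpy(out, v + start, n);
        out[n] = '\0';
        return RCPT_OK;
    }
    return RCPT_NO_MATCH;
}

/* Unchecked form: header_block() may return NULL, and pick_local() then
 * dereferences it.  A headerless message crashes the client here. */
static int recipient_unchecked(const char *msg, const char *localdomain, char *out, size_t outlen)
{
    return pick_local(header_block(msg), localdomain, out, outlen);
}

/* Checked form: a missing header block goes to the postmaster with its own
 * status, so the caller can log it and mark the message as fetched. */
static int recipient_checked(const char *msg, const char *localdomain, char *out, size_t outlen)
{
    const char *hdrs = header_block(msg);
    if (hdrs == NULL) {
        snprintf(out, outlen, "postmaster");
        return RCPT_NO_HEADERS;
    }
    return pick_local(hdrs, localdomain, out, outlen);
}

/* Constructed sample messages for the demonstration. */
static const char NORMAL_MSG[] =
    "Received: from relay.example.net\n"
    "To: joe@example.org, bob@other.net\n"
    "Subject: test\n\nbody\n";
static const char HEADERLESS_MSG[] = "\nno headers at all\n";

/* 1 when recipient_checked() yields the expected status and (if who != NULL) recipient. */
static int checked_gives(const char *msg, const char *dom, int status, const char *who)
{
    char buf[64] = "";
    int st = recipient_checked(msg, dom, buf, sizeof buf);
    return st == status && (who == NULL || strcmp(buf, who) == 0);
}

int main(void)
{
    char buf[64] = "";
    int st = recipient_checked(HEADERLESS_MSG, "example.org", buf, sizeof buf);
    printf("headerless -> status %d, deliver to %s\n", st, buf);
    st = recipient_unchecked(NORMAL_MSG, "example.org", buf, sizeof buf);
    printf("normal     -> status %d, deliver to %s\n", st, buf);
    /* recipient_unchecked(HEADERLESS_MSG, ...) would dereference NULL. */
    return 0;
}
```

The point of the checked form is not only the NULL test: returning RCPT_NO_HEADERS lets the caller treat the message as delivered, so it is deleted or recorded upstream and does not come back on the next poll, which is the "cannot make progress" half of the problem described above.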


3. Workaround
=============

Where possible, switching the affected poll to singledrop mode is an
alternative, since the crash only occurs in multidrop mode.

For sites where multidrop mode is required, no workaround is known.


4. Solution
===========

Download and install fetchmail 6.3.1 or a newer stable release from
fetchmail's project site at
<http://sourceforge.net/projects/fetchmail/files/>.

The fix has also been backported to the 6.2.5.5 legacy release which is
available from the same site.

Note, however, that 6.3.X has very few incompatible changes relative to
6.2.5.X, so 6.3.X should be viable for most sites.  It is therefore
recommended that every user and distributor upgrade to 6.3.1 or newer.


5. End of life announcement
===========================

The fetchmail 6.2.5.X branch will be discontinued early in 2006.

The new 6.3.X stable branch has been available since 2005-11-30
and will not change except for bugfixes, documentation and translations.


A. Copyright, License and Warranty
==================================

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2005-03.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZVR6wCePBum0D/6j2Mmzc9eDttcckfu
100AoJoy6OdYYvUDCfEjjog+aAo72NXI
=L83l
-----END PGP SIGNATURE-----