aboutsummaryrefslogtreecommitdiffstats
path: root/fetchmail-SA-2007-02.txt
blob: 4e694eb7f7f83673be37dc0ed1941199da0dcc16 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
pre { line-height: 125%; }
td.linenos .normal { color: inherit; background-co
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2007-02: Crash when a local warning message is rejected

Topics:		Crash when a fetchmail-generated warning message is rejected

Author:		Matthias Andree
Version:	1.1
Announced:	2007-08-28
Type:		NULL pointer dereference trigged by outside circumstances
Impact:		denial of service possible
Danger:		low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)
		
Credits:	Earl Chew
CVE Name:	CVE-2007-4565
URL:		http://www.fetchmail.info/fetchmail-SA-2007-02.txt
Project URL:	http://www.fetchmail.info/

Affects:	fetchmail release < 6.3.9 exclusively

Not affected:	fetchmail release 6.3.9 and newer
		fetchmail releases < 4.6.8 exclusively

Corrected:	2007-07-29 fetchmail SVN (rev 5119)


0. Release history
==================

2007-07-29 1.0	first draft for MITRE/CVE (visible in SVN)
2007-08-28 1.1	reworked, added fix, official release


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
=================================

fetchmail will generate warning messages in certain circumstances and 
send them to the local postmaster or the user starting it. Such warning 
messages can be generated, for instance, if logging into an upstream 
server fails repeatedly or if messages beyond the size limit (if 
configured, default: no limit) are left on the server.

If this warning message is then refused by the SMTP listener that 
fetchmail is forwarding the message to, fetchmail attempts to 
dereference a NULL pointer when trying to find out if it should allow a 
bounce message to be sent.

This causes fetchmail to crash and not collect further messages until it 
is restarted.

Risk assessment: low. In default configuration, fetchmail will talk 
through the loopback interface, that means to the SMTP server on the same 
computer as it is running on. Otherwise, it will commonly be configured 
to talk to trusted SMTP servers, so a compromise or misconfiguration of 
a trusted or the same computer is required to exploit this problem - 
which usually opens up much easier ways of denying service, or worse.


3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
   recompile and reinstall it.

b. Install fetchmail 6.3.9 or newer when it becomes available.  The 
   fetchmail source code is available from 
   <http://developer.berlios.de/project/showfiles.php?group_id=1824>.

Note there are no workarounds presented here since all known workarounds 
are more intrusive than the actual solution.


A. Copyright, License and Warranty
==================================

(C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.



B. Patch to remedy the problem
==============================

Index: sink.c
===================================================================
- --- sink.c	(revision 5118)
+++ sink.c	(revision 5119)
@@ -262,7 +262,7 @@
     const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
 
     /* don't bounce in reply to undeliverable bounces */
- -    if (!msg->return_path[0] ||
+    if (!msg || !msg->return_path[0] ||
 	strcmp(msg->return_path, "<>") == 0 ||
 	strcasecmp(msg->return_path, md1) == 0 ||
 	strncasecmp(msg->return_path, md2, strlen(md2)) == 0)

END OF fetchmail-SA-2007-02.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFIV7WXvmGDOQUufZURAr8+AKC7GpAFvCTaHD69n+g39lWtPIheCwCglj/O
yh3P8bOmEn3a54h4aH2BFLA=
=NBQZ
-----END PGP SIGNATURE-----
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-24 06:18:47 +0000
lass="o">="esrs-design-notes.html">Eric S. Raymond's (ESR's) design notes.</a> The new maintainers don't agree with some of the decisions ESR made previously, and the differences and new directions will be laid out in this document. It is therefore a sort of a TODO document, until the necessary code revisions have been made.</p> <h2>Security</h2> <p>Fetchmail was handed over in a pretty poor shape, security-wise. It will happily talk to the network with root privileges, use sscanf() to read remotely received data into fixed-length stack-based buffers without length limitation and so on. A full audit is required and security concepts will have to be applied. Random bits are:</p> <ul> <li>code talking to the network does not require root privileges and needs to run without root permissions</li> <li>all input must be validated, all strings must be length checked, all integers range checked</li> <li>all types will need to be reviewed whether they are signed or unsigned</li> </ul> <h2>SMTP forwarding</h2> <p>Fetchmail's multidrop and rewrite options will process addresses received from remote sites. Special care must be taken so these features cannot be abused to relay mail to foreign sites.</p> <p>ESR's attempt to make fetchmail use SMTP exclusively failed, fetchmail got LMTP and --mda options &ndash; the latter has a lot of flaws unfortunately, is inconsistent with the SMTP forwarder and needs to be reviewed and probably bugfixed. --mda doesn't properly work with multiple recipients, it cannot properly communicate errors and is best avoided for now.</p> <h2>Server-side vs. client-side state.</h2> <h3>Why we need client-side tracking</h3> <p>ESR asserted that server-side state were essential and those persons repsonsible for removing the LAST command from POP3 deserved to suffer. ESR is right in stating that the POP3 UID tracks which messages have been read <em>by this client</em> &ndash; and that is exactly what we need to do.</p> <p>If fetchmail is supposed to retrieve all mail from a mailbox reliably, without being disturbed by someone occasionally using another client on another host, or a webmailer, or similar, then <em>client</em>-side tracking of the state is indispensable. This is also needed to match behavior to ETRN and ODMR or to support read-only mailboxes in --keep mode.</p> <h3>Present and future</h3> <p>Fetchmail supports client-side state in POP3 if the UIDL option is used (which is strongly recommended). Similar effort needs to be made to track IMAP state by means of UIDVALIDITY and UID.</p> <p>This will also mean that the UID handling code be revised an perhaps use one file per account or per folder.</p> <h2>Concurrent queries/concurrent fetchmail instances</h2> <p>ESR refused to make fetchmail query multiple hosts or accounts concurrently, on the grounds that finer-grained locks would be hard to implement portably.</p> <p>The idea of using one file per folder or account to track UIDs on the client-side will make solving this locking problem easy &ndash; the lock can be placed on the UID file instead.</p> <h2>Multidrop issues</h2> <p>Fetchmail tries to guess recipients from headers that are not routing relevant, for instance, To:, Cc:, or Resent-headers (which are rare anyways). It is important that fetchmail insists on the real envelope operation for multidrop. This is detailed in <a href="http://home.pages.de/~mandree/mail/multidrop">my article &quot;Requisites for working multidrop mailboxes&quot;</a>.</p> <p>As Terry Lambert pointed out in the FreeBSD-arch mailing list on 2001-02-17 under the subject "UUCP must stay; fetchmail sucks", fetchmail performs DNS MX lookups to determine domains for which multidrop is valid, on the assumption that the receiving SMTP host upstream were the same as the IMAP or POP3 server.</p> <hr /> <table width="100%" cellpadding="0" summary="Canned page footer"> <tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a></td> <td width="30%" align="right">$Date$</td> </tr> </table> <br clear="left" /> <address>Matthias Andree <a href="mailto:matthias.andree@gmx.de">&lt;matthias.andree@gmx.de&gt;</a></address> </body> </html>
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-24 06:18:47 +0000