path: root/fetchmail-SA-2005-01.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2005-01: security announcement

Topic:		remote code injection vulnerability in fetchmail

Author:		Matthias Andree
Version:	1.04
Announced:	2005-07-21
Type:		buffer overrun/stack corruption/code injection
Impact:		account or system compromise possible through malicious
		or compromised POP3 servers
Danger:		high: in sensitive configurations, a full system
		compromise is possible
		(for 6.2.5.1: denial of service for the whole fetchmail
		system is possible)
CVE Name:	CVE-2005-2335
URL:		http://fetchmail.sourceforge.net/fetchmail-SA-2005-01.txt
		http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
		http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html
		http://www.vuxml.org/freebsd/3f4ac724-fa8b-11d9-afcf-0060084a00e5.html
		http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
		http://www.heise.de/security/news/meldung/62070
Thanks:		Edward J. Shornock (located the bug in UIDL code)
		Miloslav Trmac (pointed out 6.2.5.1 was faulty)
		Ludwig Nussel (provided minimal correct fix)

Affects:	fetchmail version 6.2.5.1 (denial of service)
		fetchmail version 6.2.5 (code injection)
		fetchmail version 6.2.0 (code injection)
		(other versions have not been checked)

Not affected:	fetchmail 6.2.5.2
		fetchmail 6.2.5.4
		fetchmail 6.3.0

		Older versions may not have THIS bug, but had been found
		to contain other security-relevant bugs.

Corrected:	2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
		2005-07-22                   fetchmail-patch-6.2.5.2 released
		2005-07-23                   fetchmail-6.2.5.2 tarball released
		2005-11-13                   fetchmail-6.2.5.4 tarball released
		2005-11-30                   fetchmail-6.3.0 tarball released

0. Release history

2005-07-20	1.00 - Initial announcement
2005-07-22	1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy
		       and susceptible to denial of service through
		       single-byte read from 0 when either a Message-ID:
		       header was empty (in violation of RFC-822/2822)
		       or the UIDL response did not contain an UID (in
		       violation of RFC-1939).
		     - Add Credits.
		     - Add 6.2.5.1 failure details to sections 2 and 3
		     - Revise section 5 and B.
2005-07-26	1.02 - Revise section 0.
		     - Add FreeBSD VuXML URL for 6.2.5.1.
		     - Add heise security URL.
		     - Mention release of 6.2.5.2 tarball.
2005-10-27	1.03 - Update CVE Name after CVE naming change
2005-12-08	1.04 - Mention 6.2.5.4 and 6.3.0 releases "not affected"
		     - remove patch information

1. Background

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

2. Problem description

The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
the UIDL) reads the responses returned by the POP3 server into
fixed-size buffers allocated on the stack, without limiting the input
length to the buffer size. A compromised or malicious POP3 server can
thus overrun fetchmail's stack.  This affects POP3 and all of its
variants, for instance but not limited to APOP.

In fetchmail-6.2.5.1, the attempted fix prevented code injection via
POP3 UIDL, but introduced two possible NULL dereferences that can be
exploited to mount a denial of service attack.

3. Impact

In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
crash, or potentially make it execute code placed on the stack. In some
configurations, fetchmail is run by the root user to download mail for
multiple accounts.

In fetchmail-6.2.5.1, a server that responds with UID lines containing
only the article number but no UID (in violation of RFC-1939), or a
message without Message-ID when no UIDL support is available, can crash
fetchmail.

4. Workaround

No reasonable workaround can be offered at this time.

5. Solution

Upgrade your fetchmail package to version 6.3.0 or newer.

<http://sourceforge.net/projects/fetchmail/files/>

A. References

fetchmail home page: <http://fetchmail.sourceforge.net/>

B. Copyright, License and Warranty

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2005-01.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZWmcQCdGrMPh1DY+Uqi5gmRbL+uUsOd
BpQAn3pBsk4fCeMY61d2ltjcp+CXj8Bi
=WTmI
-----END PGP SIGNATURE-----

-04-20 0.3	add CVE name, fix Type:
2010-04-24 0.4	revise patch
2010-04-29 0.5	add info on contributing/mitigating factors
2010-05-06 1.0	complete


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. It supports SSL and TLS security layers through
the OpenSSL library, if enabled at compile time and if also enabled at
run time.


2. Problem description and Impact
=================================

In debug mode (-v -v), fetchmail prints information that was obtained from the
upstream server (POP3 UIDL lists) or from message headers retrieved from it.
  If printing such information fails, for instance because there are invalid
multibyte character sequences in this information (message headers), fetchmail
will misinterpret this condition, and believe that the buffer was too small,
and reallocate a bigger one (with linearly increasing buffer size), and repeat,
until the allocation fails. At that point, fetchmail will abort.

The exact combination of contributing and mitigating factors is not
fully understood; GNU glibc 2.7 and 2.10.1 on i586 report EILSEQ when
printing invalid sequences through a %.*s format string in multibyte
locales such as de_DE.UTF-8; NetBSD 5, FreeBSD 8 and Solaris 10 do not.
However, the issue is a genuine fetchmail bug that deserves a fix.

Note that the "Affects:" line above may be inaccurate, and it may be that
versions before 5.6.6 are actually unaffected.  The author was unable to
compile such old fetchmail versions to verify the existence of the bug.
  Given that other security issues are present in such versions, those should
not be used, and the wider version range was listed as vulnerable to err
towards the safe.


3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
   fetchmail 6.3.14 or newer, recompile and reinstall it.

b. Install fetchmail 6.3.17 or newer after it will have become available.
   (Note that the announcements may be publicly visible quite some time
   before the release is made, particularly for minor bugs.)
   The fetchmail source code is always available from
   <http://developer.berlios.de/project/showfiles.php?group_id=1824>.


4. Workaround
=============

Run fetchmail with at most one -v (--verbose) option.


A. Copyright, License and Warranty
==================================

(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to

Creative Commons
171 Second Street
Suite 300
SAN FRANCISCO, CALIFORNIA 94105
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.


B. Patch to remedy the problem
==============================

Note that when taking this from a GnuPG clearsigned file, the lines
starting with a "-" character are prefixed by another "- " (dash +
blank) combination. Either feed this file through GnuPG to strip them,
or strip them manually. You may want to use the "-p1" flag to patch.

Whitespace differences can usually be ignored by invoking "patch -l",
so try this if the patch does not apply.

diff --git a/rfc822.c b/rfc822.c
index 6f2dbf3..dbcda32 100644
- --- a/rfc822.c
+++ b/rfc822.c
@@ -25,6 +25,7 @@ MIT license.  Compile with -DMAIN to build the demonstrator.
 #include  <stdlib.h>
 
 #include "fetchmail.h"
+#include "sdump.h"
 
 #ifndef MAIN
 #include "i18n.h"
@@ -74,9 +75,10 @@ char *reply_hack(
     }
 
 #ifndef MAIN
- -    if (outlevel >= O_DEBUG)
- -	report_build(stdout, GT_("About to rewrite %.*s...\n"),
- -			(int)BEFORE_EOL(buf), buf);
+    if (outlevel >= O_DEBUG) {
+	report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf))));
+	xfree(cp);
+    }
 
     /* make room to hack the address; buf must be malloced */
     for (cp = buf; *cp; cp++)
@@ -211,9 +213,12 @@ char *reply_hack(
     }
 
 #ifndef MAIN
- -    if (outlevel >= O_DEBUG)
- -	report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
- -			(int)BEFORE_EOL(buf), buf);
+    if (outlevel >= O_DEBUG) {
+	report_complete(stdout, GT_("...rewritten version is %s.\n"),
+			(cp = sdump(buf, BEFORE_EOL(buf))));
+	xfree(cp)
+    }
+
 #endif /* MAIN */
     *length = strlen(buf);
     return(buf);
diff --git a/uid.c b/uid.c
index fdc6f5d..9a62ee2 100644
- --- a/uid.c
+++ b/uid.c
@@ -20,6 +20,7 @@
 
 #include "fetchmail.h"
 #include "i18n.h"
+#include "sdump.h"
 
 /*
  * Machinery for handling UID lists live here.  This is mainly to support
@@ -249,8 +250,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
 	    {
 		report_build(stdout, GT_("Old UID list from %s:"), 
 			     ctl->server.pollname);
- -		for (idp = ctl->oldsaved; idp; idp = idp->next)
- -		    report_build(stdout, " %s", idp->id);
+		for (idp = ctl->oldsaved; idp; idp = idp->next) {
+		    char *t = sdump(idp->id, strlen(idp->id));
+		    report_build(stdout, " %s", t);
+		    free(t);
+		}
 		if (!idp)
 		    report_build(stdout, GT_(" <empty>"));
 		report_complete(stdout, "\n");
@@ -260,8 +264,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
 	if (uidlcount)
 	{
 	    report_build(stdout, GT_("Scratch list of UIDs:"));
- -	    for (idp = scratchlist; idp; idp = idp->next)
- -		report_build(stdout, " %s", idp->id);
+	    for (idp = scratchlist; idp; idp = idp->next) {
+		char *t = sdump(idp->id, strlen(idp->id));
+		report_build(stdout, " %s", t);
+		free(t);
+	    }
 	    if (!idp)
 		report_build(stdout, GT_(" <empty>"));
 	    report_complete(stdout, "\n");
@@ -517,8 +524,11 @@ void uid_swap_lists(struct query *ctl)
 	    report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
 	else
 	    report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname);
- -	for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
- -	    report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+	for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) {
+	    char *t = sdump(idp->id, strlen(idp->id));
+	    report_build(stdout, " %s = %d", t, idp->val.status.mark);
+	    free(t);
+        }
 	if (!idp)
 	    report_build(stdout, GT_(" <empty>"));
 	report_complete(stdout, "\n");
@@ -567,8 +577,11 @@ void uid_discard_new_list(struct query *ctl)
 	/* this is now a merged list! the mails which were seen in this
 	 * poll are marked here. */
 	report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
- -	for (idp = ctl->oldsaved; idp; idp = idp->next)
- -	    report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+	for (idp = ctl->oldsaved; idp; idp = idp->next) {
+	    char *t = sdump(idp->id, strlen(idp->id));
+	    report_build(stdout, " %s = %d", t, idp->val.status.mark);
+	    free(t);
+	}
 	if (!idp)
 	    report_build(stdout, GT_(" <empty>"));
 	report_complete(stdout, "\n");
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)

iEYEARECAAYFAkviiHoACgkQvmGDOQUufZUfiQCeIl/RlnUEciNLxY3ykQSgFzDF
/BMAoKMiJoD4cjGcaN/5CvdIgktKExYB
=dC/g
-----END PGP SIGNATURE-----