1 fetchmail-SA-2005-01: security announcement
3 Topic: remote code injection vulnerability in fetchmail
5 Author: Matthias Andree
8 Type: buffer overrun/stack corruption/code injection
9 Impact: account or system compromise possible through malicious
10 or compromised POP3 servers
11 Danger: high: in sensitive configurations, a full system
12 compromise is possible
13 (for 6.2.5.1: denial of service for the whole fetchmail
15 CVE Name: CVE-2005-2335
16 URL: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
17 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
18 http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html
19 http://www.vuxml.org/freebsd/3f4ac724-fa8b-11d9-afcf-0060084a00e5.html
20 http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
21 http://www.heise.de/security/news/meldung/62070
22 Thanks: Edward J. Shornock (located the bug in UIDL code)
23 Miloslav Trmac (pointed out 6.2.5.1 was faulty)
24 Ludwig Nussel (provided minimal correct fix)
26 Affects: fetchmail version 6.2.5.1 (denial of service)
27 fetchmail version 6.2.5 (code injection)
28 fetchmail version 6.2.0 (code injection)
29 (other versions have not been checked)
31 Not affected: fetchmail 6.2.5.2
33 fetchmail 6.3.0 (not released yet)
35 Older versions may not have THIS bug, but had been found
36 to contain other security-relevant bugs.
38 Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
39 2005-07-22 fetchmail-patch-6.2.5.2 released
40 2005-07-23 fetchmail-6.2.5.2 tarball released
44 2005-07-20 1.00 - Initial announcement
45 2005-07-22 1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy
46 and susceptible to denial of service through
47 single-byte read from 0 when either a Message-ID:
48 header was empty (in violation of RFC-822/2822)
49 or the UIDL response did not contain an UID (in
50 violation of RFC-1939).
52 - Add 6.2.5.1 failure details to sections 2 and 3
53 - Revise section 5 and B.
54 2005-07-26 1.02 - Revise section 0.
55 - Add FreeBSD VuXML URL for 6.2.5.1.
56 - Add heise security URL.
57 - Mention release of 6.2.5.2 tarball.
58 2005-10-27 1.03 - Update CVE Name after CVE naming change
62 fetchmail is a software package to retrieve mail from remote POP2, POP3,
63 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
64 message delivery agents.
66 2. Problem description
68 The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
69 the UIDL) reads the responses returned by the POP3 server into
70 fixed-size buffers allocated on the stack, without limiting the input
71 length to the buffer size. A compromised or malicious POP3 server can
72 thus overrun fetchmail's stack. This affects POP3 and all of its
73 variants, for instance but not limited to APOP.
75 In fetchmail-6.2.5.1, the attempted fix prevented code injection via
76 POP3 UIDL, but introduced two possible NULL dereferences that can be
77 exploited to mount a denial of service attack.
81 In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
82 crash, or potentially make it execute code placed on the stack. In some
83 configurations, fetchmail is run by the root user to download mail for
86 In fetchmail-6.2.5.1, a server that responds with UID lines containing
87 only the article number but no UID (in violation of RFC-1939), or a
88 message without Message-ID when no UIDL support is available, can crash
93 No reasonable workaround can be offered at this time.
97 Upgrade your fetchmail package to version 6.2.5.2.
99 You can either download a complete tarball of fetchmail-6.2.5.2.tar.gz,
100 or you can download a patch against fetchmail-6.2.5 if you already have
101 the 6.2.5 tarball. Either is available from:
103 <http://developer.berlios.de/project/showfiles.php?group_id=1824>
107 1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already
108 had downloaded) and fetchmail-patch-6.2.5.2.tar.gz
109 2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf -
110 3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz
111 4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-6.2.5.2
112 5. now configure and build as usual - detailed instructions in the file
117 fetchmail home page: <http://fetchmail.berlios.de/>
119 B. Copyright, License and Warranty
121 (C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
122 Some rights reserved.
124 This work is licensed under the Creative Commons
125 Attribution-NonCommercial-NoDerivs German License. To view a copy of
126 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
127 or send a letter to Creative Commons; 559 Nathan Abbott Way;
128 Stanford, California 94305; USA.
130 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
131 Use the information herein at your own risk.
133 END OF fetchmail-SA-2005-01.txt