-----BEGIN PGP SIGNED MESSAGE-----

fetchmail-SA-2005-02: security announcement

Topic:       password exposure in fetchmailconf

Author:      Matthias Andree

Type:        insecure creation of file
Impact:      passwords are written to a world-readable file

Credits:     Thomas Wolff, Miloslav Trmac for pointing out that
             fetchmailconf 1.43.1 was also flawed
CVE Name:    CVE-2005-3088
URL:         http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
Affects:     fetchmail version 6.2.5.2
             fetchmail version 6.2.5
             fetchmail version 6.2.0
             fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
             fetchmailconf 1.43.1 (shipped separately, now withdrawn)
             (other versions have not been checked but are presumed affected)

Not affected: fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
Corrected:   2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
             2005-10-21 - released fetchmailconf-1.43.2
             2005-11-13 - released fetchmail 6.2.5.4
             2005-11-30 - released fetchmail 6.3.0

2005-10-21 1.00 - initial version (shipped with -rc6)
2005-10-21 1.01 - marked 1.43.1 vulnerable
2005-10-27 1.02 - reformatted section 0
                - updated CVE Name to new naming scheme
2005-12-08 1.03 - update version information and solution
1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.
2. Problem description and Impact
=================================
The fetchmailconf program before and excluding version 1.49 opened the
run control file, wrote the configuration to it, and only then changed
the mode to 0600 (rw-------). Until that chmod, the file carries the
permissions derived from the user's umask (commonly 0644, i.e. readable
by every local user). Writing the file, which usually contains
passwords, before making it unreadable to other users can therefore
expose sensitive password information.
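An added illustration, not code from fetchmailconf: the write-then-chmod pattern the advisory describes beside a version that creates the file with mode 0600 from the first instant, both run under umask 022 and umask 077 to show which window the workaround below closes. File names, the sample rc line and the function names are constructed for this example.

```python
import os
import stat
import tempfile

# Constructed sample run-control content; no real credentials.
SAMPLE_RC = 'poll mail.example.invalid proto pop3 user "alice" pass "hunter2"\n'


def write_rc_then_chmod(path, content):
    """The flawed order: create with umask-derived permissions, write the
    passwords, and only afterwards tighten the mode to 0600. Returns the
    mode the file had while the passwords were being written."""
    with open(path, "w") as f:
        f.write(content)
        mode_during_write = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, 0o600)
    return mode_during_write


def write_rc_securely(path, content):
    """Hardened order: the file is created 0600 in the same open() call, so
    there is no moment in which other users can read it. O_EXCL makes the
    call fail instead of truncating a file that already exists there."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
        mode_during_write = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    return mode_during_write


def other_users_can_read(mode):
    """True if the group or world read bit is set on the given mode."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo(umask=0o022):
    """Run both writers under the given umask (0o022 is a common default,
    0o077 is the advisory's workaround) and report whether the passwords
    were readable by other users at any point."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            vuln = write_rc_then_chmod(os.path.join(d, "rc.vuln"), SAMPLE_RC)
            safe = write_rc_securely(os.path.join(d, "rc.safe"), SAMPLE_RC)
    finally:
        os.umask(old)
    return {"vulnerable": other_users_can_read(vuln),
            "hardened": other_users_can_read(safe)}


if __name__ == "__main__":
    print(demo(0o022))  # {'vulnerable': True, 'hardened': False}
    print(demo(0o077))  # {'vulnerable': False, 'hardened': False}
```

The hardened writer stays at 0600 regardless of umask, because a umask can only clear permission bits, never add them.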
3. Workaround
=============

Run "umask 077", then run "fetchmailconf" from the same shell. After
fetchmailconf has finished, you can restore your old umask.
4. Solution
===========

Download and install fetchmail 6.3.0 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>.

A. References
=============

fetchmail home page: <http://fetchmail.berlios.de/>
B. Copyright, License and Warranty
==================================

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2005-02.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWoPgCdG1P0n27En0VPMiY3+d0NSwfy
4rgAn037UM4pEf7E94HZQOmGUR//pM6q
-----END PGP SIGNATURE-----