-----BEGIN PGP SIGNED MESSAGE-----

fetchmail-SA-2005-02: security announcement

Topic: password exposure in fetchmailconf

Author: Matthias Andree

Type: insecure creation of file
Impact: passwords are written to a world-readable file

Credits: Thomas Wolff, Miloslav Trmac for pointing out
         that fetchmailconf 1.43.1 was also flawed
CVE Name: CVE-2005-3088
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt

Affects: fetchmail version 6.2.5.2
         fetchmail version 6.2.5
         fetchmail version 6.2.0
         fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
         fetchmailconf 1.43.1 (shipped separately, now withdrawn)
         (other versions have not been checked but are presumed affected)

Not affected: fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)

Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
           2005-10-21 - released fetchmailconf-1.43.2
           2005-11-13 - released fetchmail 6.2.5.4
           2005-11-30 - released fetchmail 6.3.0

2005-10-21 1.00 - initial version (shipped with -rc6)
2005-10-21 1.01 - marked 1.43.1 vulnerable
2005-10-27 1.02 - reformatted section 0
                - updated CVE Name to new naming scheme
2005-12-08 1.03 - update version information and solution

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.

2. Problem description and Impact
=================================

The fetchmailconf program before and excluding version 1.49 opened the
run control file, wrote the configuration to it, and only then changed
the mode to 0600 (rw-------). Writing the file, which usually contains
passwords, before making it unreadable to other users can expose
sensitive password information.

Run "umask 077", then run "fetchmailconf" from the same shell. After
fetchmailconf has finished, you can restore your old umask.
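As an added illustration (not code from the advisory or from fetchmailconf itself), the file-creation ordering described above next to a corrected form, plus a `compare_writers` helper that also shows why the "umask 077" workaround closes the exposure window; the function names, file names and sample run-control line are constructed for this example.

```python
import os
import stat
import tempfile

# Constructed sample run-control line; the credential is a placeholder, not real.
SAMPLE_RC = 'poll pop.example.invalid proto pop3 user "alice" pass "PLACEHOLDER"\n'


def write_rc_as_advisory_describes(path, content):
    """Ordering the advisory describes: create the file under the current
    umask, write the passwords, and only then chmod it to 0600. Returns the
    permission bits the file had while the password data was already on disk."""
    with open(path, "w") as f:  # created with 0666 & ~umask, typically 0644
        f.write(content)
        mode_during_window = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, 0o600)  # too late: other users could read the file before this
    return mode_during_window


def write_rc_hardened(path, content):
    """Corrected ordering: request mode 0600 at creation, so the file is never
    readable by others at any point. O_EXCL makes creation fail instead of
    silently reusing a pre-existing file (or following a symlink at the path),
    so loose permissions of an old file cannot be inherited either."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:  # fdopen takes ownership of fd and closes it
        f.write(content)
        mode_during_window = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    return mode_during_window


def compare_writers(umask=0o022):
    """Run both writers under the given umask in a scratch directory and return
    (mode seen by the vulnerable writer, mode seen by the hardened writer)."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            unsafe = write_rc_as_advisory_describes(os.path.join(scratch, "unsafe.rc"), SAMPLE_RC)
            safe = write_rc_hardened(os.path.join(scratch, "safe.rc"), SAMPLE_RC)
    finally:
        os.umask(old_umask)
    return unsafe, safe


if __name__ == "__main__":
    # Default umask: the vulnerable writer exposes 0644; the advisory's
    # "umask 077" workaround closes the window without changing the code.
    for umask in (0o022, 0o077):
        unsafe, safe = compare_writers(umask)
        print(f"umask {umask:04o}: vulnerable writer {unsafe:04o}, hardened {safe:04o}")
```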
Download and install fetchmail 6.3.0 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>.

fetchmail home page: <http://fetchmail.berlios.de/>

B. Copyright, License and Warranty
==================================

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2005-02.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFIV7WWvmGDOQUufZURAlq/AKCx+EnXjnakBVkUjtdIh+moYOgIqACdERnd
TR05jtCG4JEb6iHz8AVcfOc=
-----END PGP SIGNATURE-----