1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2007-02: Crash when a local warning message is rejected
6 Topics: Crash when a fetchmail-generated warning message is rejected
8 Author: Matthias Andree
11 Type: NULL pointer dereference trigged by outside circumstances
12 Impact: denial of service possible
14 CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)
17 CVE Name: CVE-2007-4565
18 URL: http://www.fetchmail.info/fetchmail-SA-2007-02.txt
19 Project URL: http://www.fetchmail.info/
21 Affects: fetchmail release < 6.3.9 exclusively
23 Not affected: fetchmail release 6.3.9 and newer
24 fetchmail releases < 4.6.8 exclusively
26 Corrected: 2007-07-29 fetchmail SVN (rev 5119)
32 2007-07-29 1.0 first draft for MITRE/CVE (visible in SVN)
33 2007-08-28 1.1 reworked, added fix, official release
39 fetchmail is a software package to retrieve mail from remote POP2, POP3,
40 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
41 message delivery agents.
43 fetchmail ships with a graphical, Python/Tkinter based configuration
44 utility named "fetchmailconf" to help the user create configuration (run
45 control) files for fetchmail.
48 2. Problem description and Impact
49 =================================
51 fetchmail will generate warning messages in certain circumstances and
52 send them to the local postmaster or the user starting it. Such warning
53 messages can be generated, for instance, if logging into an upstream
54 server fails repeatedly or if messages beyond the size limit (if
55 configured, default: no limit) are left on the server.
57 If this warning message is then refused by the SMTP listener that
58 fetchmail is forwarding the message to, fetchmail attempts to
59 dereference a NULL pointer when trying to find out if it should allow a
60 bounce message to be sent.
62 This causes fetchmail to crash and not collect further messages until it
65 Risk assessment: low. In default configuration, fetchmail will talk
66 through the loopback interface, that means to the SMTP server on the same
67 computer as it is running on. Otherwise, it will commonly be configured
68 to talk to trusted SMTP servers, so a compromise or misconfiguration of
69 a trusted or the same computer is required to exploit this problem -
70 which usually opens up much easier ways of denying service, or worse.
76 There are two alternatives, either of them by itself is sufficient:
78 a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
79 recompile and reinstall it.
81 b. Install fetchmail 6.3.9 or newer when it becomes available. The
82 fetchmail source code is available from
83 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
85 Note there are no workarounds presented here since all known workarounds
86 are more intrusive than the actual solution.
89 A. Copyright, License and Warranty
90 ==================================
92 (C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
95 This work is licensed under the Creative Commons
96 Attribution-NonCommercial-NoDerivs German License. To view a copy of
97 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
98 or send a letter to Creative Commons; 559 Nathan Abbott Way;
99 Stanford, California 94305; USA.
101 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
102 Use the information herein at your own risk.
106 B. Patch to remedy the problem
107 ==============================
110 ===================================================================
111 - --- sink.c (revision 5118)
112 +++ sink.c (revision 5119)
114 const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
116 /* don't bounce in reply to undeliverable bounces */
117 - - if (!msg->return_path[0] ||
118 + if (!msg || !msg->return_path[0] ||
119 strcmp(msg->return_path, "<>") == 0 ||
120 strcasecmp(msg->return_path, md1) == 0 ||
121 strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
123 END OF fetchmail-SA-2007-02.txt
124 -----BEGIN PGP SIGNATURE-----
125 Version: GnuPG v1.4.5 (GNU/Linux)
127 iD8DBQFIV7WXvmGDOQUufZURAr8+AKC7GpAFvCTaHD69n+g39lWtPIheCwCglj/O
128 yh3P8bOmEn3a54h4aH2BFLA=
130 -----END PGP SIGNATURE-----