1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2007-02: Crash when a local warning message is rejected
6 Topics: Crash when a fetchmail-generated warning message is rejected
8 Author: Matthias Andree
11 Type: NULL pointer dereference trigged by outside circumstances
12 Impact: denial of service possible
14 CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)
17 CVE Name: CVE-2007-4565
18 URL: http://www.fetchmail.info/fetchmail-SA-2007-02.txt
19 Project URL: http://www.fetchmail.info/
21 Affects: fetchmail release < 6.3.9 exclusively
23 Not affected: fetchmail release 6.3.9 and newer
24 fetchmail releases < 4.6.8 exclusively
26 Corrected: 2007-07-29 fetchmail SVN (rev 5119)
32 2007-07-29 1.0 first draft for MITRE/CVE (visible in SVN)
33 2007-08-28 1.1 reworked, added fix, official release
39 fetchmail is a software package to retrieve mail from remote POP2, POP3,
40 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
41 message delivery agents.
43 fetchmail ships with a graphical, Python/Tkinter based configuration
44 utility named "fetchmailconf" to help the user create configuration (run
45 control) files for fetchmail.
48 2. Problem description and Impact
49 =================================
51 fetchmail will generate warning messages in certain circumstances and
52 send them to the local postmaster or the user starting it. Such warning
53 messages can be generated, for instance, if logging into an upstream
54 server fails repeatedly or if messages beyond the size limit (if
55 configured, default: no limit) are left on the server.
57 If this warning message is then refused by the SMTP listener that
58 fetchmail is forwarding the message to, fetchmail attempts to
59 dereference a NULL pointer when trying to find out if it should allow a
60 bounce message to be sent.
62 This causes fetchmail to crash and not collect further messages until it
65 Risk assessment: low. In default configuration, fetchmail will talk
66 through the loopback interface, that means to the SMTP server on the same
67 computer as it is running on. Otherwise, it will commonly be configured
68 to talk to trusted SMTP servers, so a compromise or misconfiguration of
69 a trusted or the same computer is required to exploit this problem -
70 which usually opens up much easier ways of denying service, or worse.
76 There are two alternatives, either of them by itself is sufficient:
78 a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
79 recompile and reinstall it.
81 b. Install fetchmail 6.3.9 or newer when it becomes available. The
82 fetchmail source code is available from
83 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
85 Note there are no workarounds presented here since all known workarounds
86 are more intrusive than the actual solution.
89 A. Copyright, License and Warranty
90 ==================================
92 (C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
95 This work is licensed under the
96 Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
98 To view a copy of this license, visit
99 http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
105 MOUNTAIN VIEW, CALIFORNIA 94041
109 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
110 Use the information herein at your own risk.
113 B. Patch to remedy the problem
114 ==============================
117 ===================================================================
118 - --- sink.c (revision 5118)
119 +++ sink.c (revision 5119)
121 const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
123 /* don't bounce in reply to undeliverable bounces */
124 - - if (!msg->return_path[0] ||
125 + if (!msg || !msg->return_path[0] ||
126 strcmp(msg->return_path, "<>") == 0 ||
127 strcasecmp(msg->return_path, md1) == 0 ||
128 strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
130 END OF fetchmail-SA-2007-02.txt
131 -----BEGIN PGP SIGNATURE-----
132 Version: GnuPG v1.4.11 (GNU/Linux)
134 iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWWKwCfX4Ri89SzzUcXYxughs1CdnAk
135 Z6IAniD4DzayVUR6UxA5K1OqX1CUDOhM
137 -----END PGP SIGNATURE-----