1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2008-01: Crash on large log messages in verbose mode
6 Topics: Crash in large log messages in verbose mode.
8 Author: Matthias Andree
11 Type: Dereferencing garbage pointer triggered by outside circumstances
12 Impact: denial of service possible
14 CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)
16 Credits: Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report)
17 CVE Name: CVE-2008-2711
18 URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt
19 Project URL: http://www.fetchmail.info/
21 Affects: fetchmail release before and excluding 6.3.9
22 fetchmail release candidate 6.3.9-rc1
24 Not affected: fetchmail release 6.3.9 and newer
25 fetchmail release candidate 6.3.9-rc2 and newer
26 systems without varargs support.
28 Corrected: 2008-06-24 fetchmail SVN (rev 5205)
30 References: <https://bugzilla.novell.com/show_bug.cgi?id=354291>
31 <http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824>
37 2008-06-13 1.0 first draft for MITRE/CVE (visible in SVN,
38 posted to oss-security)
39 2008-06-17 1.0 published on http://www.fetchmail.info/
40 2008-06-17 1.1 Corrected typo in Type: above (trigged -> triggered)
41 2008-06-24 1.2 also fixed issue in report_complete (reported by Petr Uzel)
47 fetchmail is a software package to retrieve mail from remote POP2, POP3,
48 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
49 message delivery agents.
51 fetchmail ships with a graphical, Python/Tkinter based configuration
52 utility named "fetchmailconf" to help the user create configuration (run
53 control) files for fetchmail.
56 2. Problem description and Impact
57 =================================
59 Gunter Nau reported fetchmail crashing on some messages; further
60 debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
61 dug up that this happened when fetchmail was trying to print, in -v -v
62 verbose level, headers exceeding 2048 bytes. In this situation,
63 fetchmail would resize the buffer and fill in further parts of the
64 message, but forget to reinitialize its va_list typed source pointer,
65 thus reading data from a garbage address found on the stack at
66 addresses above the function arguments the caller passed in; usually
67 that would be the caller's stack frame.
69 It is unknown whether code can be injected remotely, but given that
70 the segmentation fault is caused by read accesses, the relevant data
71 is not under the remote attacker's control and no buffer overrun
72 situation is present that would allow altering program /flow/, it is
73 deemed rather unlikely that code can be injected.
75 Note that the required -vv configuration at hand is both non-default
76 and also not common in automated (cron job) setups, but usually used
77 in manual debugging, so not many systems would be affected by the
78 problem. Nonetheless, in vulnerable configurations, it is remotely
79 exploitable to effect a denial of service attack.
86 There are two alternatives, either of them by itself is sufficient:
88 a. Apply the patch found in section B of this announcement to
89 fetchmail 6.3.8, recompile and reinstall it.
91 b. Install fetchmail 6.3.9 or newer after it will have become available.
92 The fetchmail source code is always available from
93 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
99 Run fetchmail at low verbosity, avoid using two or three -v arguments;
100 internal messages are short and do not contain external message
101 sources so they do not cause buffer resizing. It is recommended to
102 replace the vulnerable code by a fixed version (see previous
103 section 3. Solution) as soon as reasonably possible.
106 A. Copyright, License and Warranty
107 ==================================
109 (C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>.
110 Some rights reserved.
112 This work is licensed under the Creative Commons
113 Attribution-NonCommercial-NoDerivs German License. To view a copy of
114 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
115 or send a letter to Creative Commons; 559 Nathan Abbott Way;
116 Stanford, California 94305; USA.
118 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
119 Use the information herein at your own risk.
122 B. Patch to remedy the problem
123 ==============================
125 Note that when taking this from a GnuPG clearsigned file, the lines
126 starting with a "-" character are prefixed by another "- " (dash +
127 blank) combination. Either feed this file through GnuPG to strip them,
128 or strip them manually.
130 Whitespace differences can usually be ignored by invoking "patch -l",
131 so try this if the patch does not apply.
133 diff --git a/report.c b/report.c
134 index 31d4e48..320e60b 100644
137 @@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
140 #if defined(VA_START)
141 - - VA_START (args, message);
145 + * args has to be initialized before every call of vsnprintf(),
146 + * because vsnprintf() invokes va_arg macro and thus args is
147 + * undefined after the call.
149 + VA_START(args, message);
150 n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
155 && (unsigned)n < partial_message_size - partial_message_size_used)
156 @@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
157 partial_message_size += 2048;
158 partial_message = REALLOC (partial_message, partial_message_size);
164 @@ -304,12 +309,13 @@ report_complete (FILE *errfp, message, va_alist)
167 #if defined(VA_START)
168 - - VA_START (args, message);
171 + VA_START(args, message);
172 n = vsnprintf (partial_message + partial_message_size_used,
173 partial_message_size - partial_message_size_used,
177 /* old glibc versions return -1 for truncation */
179 @@ -322,7 +328,6 @@ report_complete (FILE *errfp, message, va_alist)
180 partial_message_size += 2048;
181 partial_message = REALLOC (partial_message, partial_message_size);
188 END OF fetchmail-SA-2008-01.txt
189 -----BEGIN PGP SIGNATURE-----
190 Version: GnuPG v1.4.5 (GNU/Linux)
192 iD8DBQFIYPBuvmGDOQUufZURAuj8AJ9IbN/UMcML6NLKSI0keQzGVGzZSQCg+UCP
193 tUVNigLK8Xz40J2Eg7PD8Xs=
195 -----END PGP SIGNATURE-----