1 fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.
3 Topics: Heap overrun in verbose SSL certificate information display.
5 Author: Matthias Andree
8 Type: malloc() Buffer overrun with printable characters
9 Impact: Code injection (difficult).
14 URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
15 Project URL: http://www.fetchmail.info/
17 Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13
19 Not affected: fetchmail release 6.3.14 and newer
21 Corrected: 2010-02-04 fetchmail SVN (r5467)
27 2010-02-04 0.1 first draft (visible in SVN)
33 fetchmail is a software package to retrieve mail from remote POP2, POP3,
34 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
35 message delivery agents. It supports SSL and TLS security layers through
36 the OpenSSL library, if enabled at compile time and if also enabled at
40 2. Problem description and Impact
41 =================================
43 In verbose mode, fetchmail prints X.509 certificate subject and issuer
44 information to the user, and counts and allocates a malloc() buffer for
47 If the material to be displayed contains characters with high bit set
48 and the platform treats the "char" type as signed, this can cause a heap
49 buffer overrun because non-printing characters are escaped as
50 \xFF..FFnn, where nn is 80..FF in hex.
52 This might be exploitable to inject code if
53 - fetchmail is run in verbose mode
55 - the host running fetchmail considers char unsigned
57 - the server uses malicious certificates with non-printing characters
58 that have the high bit set
60 - these certificates manage to inject shell-code that consists purely of
63 It is believed to be difficult to achieve all this.
69 There are two alternatives, either of them by itself is sufficient:
71 a. Apply the patch found in section B of this announcement to
72 fetchmail 6.3.13, recompile and reinstall it.
74 b. Install fetchmail 6.3.14 or newer after it will have become available.
75 The fetchmail source code is always available from
76 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
82 Run fetchmail without and verbose options.
85 A. Copyright, License and Warranty
86 ==================================
88 (C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
91 This work is licensed under the Creative Commons
92 Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
93 To view a copy of this license, visit
94 http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
99 SAN FRANCISCO, CALIFORNIA 94105
103 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
104 Use the information herein at your own risk.
107 B. Patch to remedy the problem
108 ==============================
110 Note that when taking this from a GnuPG clearsigned file, the lines
111 starting with a "-" character are prefixed by another "- " (dash +
112 blank) combination. Either feed this file through GnuPG to strip them,
113 or strip them manually. You may want to use the "-p1" flag to patch.
115 Whitespace differences can usually be ignored by invoking "patch -l",
116 so try this if the patch does not apply.
120 @@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
121 if (isprint((unsigned char)in[i])) {
124 - oi += sprintf(oi, "\\x%02X", in[i]);
125 + oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
130 END OF fetchmail-SA-2010-01.txt