1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.
6 Topics: Heap overrun in verbose SSL certificate information display.
8 Author: Matthias Andree
11 Type: malloc() Buffer overrun with printable characters
12 Impact: Code injection (difficult).
15 CVE Name: CVE-2010-0562
16 CVSSv2: (AV:N/AC:H/Au:N/C:N/I:C/A:P/E:U/RL:O/RC:C) proposed
17 URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
18 Project URL: http://www.fetchmail.info/
20 Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13
22 Not affected: fetchmail release 6.3.14 and newer
24 Corrected: 2010-02-04 fetchmail SVN (r5467)
25 Git (f1c7607615ebd48807db6170937fe79bb89d47d4)
26 2010-02-05 fetchmail release 6.3.14
32 2010-02-04 0.1 first draft (visible in SVN and through oss-security)
33 2010-02-05 1.0 fixed signed/unsigned typo (found by Nico Golde)
34 2010-02-09 1.1 added CVE/CVSS, Announced: date
40 fetchmail is a software package to retrieve mail from remote POP2, POP3,
41 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
42 message delivery agents. It supports SSL and TLS security layers through
43 the OpenSSL library, if enabled at compile time and if also enabled at
47 2. Problem description and Impact
48 =================================
50 In verbose mode, fetchmail prints X.509 certificate subject and issuer
51 information to the user, and counts and allocates a malloc() buffer for
54 If the material to be displayed contains characters with high bit set
55 and the platform treats the "char" type as signed, this can cause a heap
56 buffer overrun because non-printing characters are escaped as
57 \xFF..FFnn, where nn is 80..FF in hex.
59 This might be exploitable to inject code if
60 - - fetchmail is run in verbose mode
62 - - the host running fetchmail considers char signed
64 - - the server uses malicious certificates with non-printing characters
65 that have the high bit set
67 - - these certificates manage to inject shell-code that consists purely of
70 It is believed to be difficult to achieve all this.
76 There are two alternatives, either of them by itself is sufficient:
78 a. Apply the patch found in section B of this announcement to
79 fetchmail 6.3.13, recompile and reinstall it.
81 b. Install fetchmail 6.3.14 or newer after it will have become available.
82 The fetchmail source code is always available from
83 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
89 Run fetchmail without and verbose options.
92 A. Copyright, License and Warranty
93 ==================================
95 (C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
98 This work is licensed under the Creative Commons
99 Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
100 To view a copy of this license, visit
101 http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
106 SAN FRANCISCO, CALIFORNIA 94105
110 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
111 Use the information herein at your own risk.
114 B. Patch to remedy the problem
115 ==============================
117 Note that when taking this from a GnuPG clearsigned file, the lines
118 starting with a "-" character are prefixed by another "- " (dash +
119 blank) combination. Either feed this file through GnuPG to strip them,
120 or strip them manually. You may want to use the "-p1" flag to patch.
122 Whitespace differences can usually be ignored by invoking "patch -l",
123 so try this if the patch does not apply.
127 @@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
128 if (isprint((unsigned char)in[i])) {
131 - - oi += sprintf(oi, "\\x%02X", in[i]);
132 + oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
137 END OF fetchmail-SA-2010-01.txt
138 -----BEGIN PGP SIGNATURE-----
139 Version: GnuPG v2.0.12 (GNU/Linux)
141 iEYEARECAAYFAktxLWcACgkQvmGDOQUufZUGBQCg8AU5mXRaGBo+tETsGYjFX10m
142 6SYAnA6IVIeoTjKvspD8BnLLd0yGU2iw
144 -----END PGP SIGNATURE-----