1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.
6 Topics: Heap overrun in verbose SSL certificate information display.
8 Author: Matthias Andree
11 Type: malloc() Buffer overrun with printable characters
12 Impact: Code injection (difficult).
15 CVE Name: to be assigned via oss-security@ list
16 URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
17 Project URL: http://www.fetchmail.info/
19 Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13
21 Not affected: fetchmail release 6.3.14 and newer
23 Corrected: 2010-02-04 fetchmail SVN (r5467)
24 2010-02-05 fetchmail release 6.3.14
30 2010-02-04 0.1 first draft (visible in SVN and through oss-security)
31 2010-02-05 1.0 fixed signed/unsigned typo (found by Nico Golde)
37 fetchmail is a software package to retrieve mail from remote POP2, POP3,
38 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
39 message delivery agents. It supports SSL and TLS security layers through
40 the OpenSSL library, if enabled at compile time and if also enabled at
44 2. Problem description and Impact
45 =================================
47 In verbose mode, fetchmail prints X.509 certificate subject and issuer
48 information to the user, and counts and allocates a malloc() buffer for
51 If the material to be displayed contains characters with high bit set
52 and the platform treats the "char" type as signed, this can cause a heap
53 buffer overrun because non-printing characters are escaped as
54 \xFF..FFnn, where nn is 80..FF in hex.
56 This might be exploitable to inject code if
57 - - fetchmail is run in verbose mode
59 - - the host running fetchmail considers char signed
61 - - the server uses malicious certificates with non-printing characters
62 that have the high bit set
64 - - these certificates manage to inject shell-code that consists purely of
67 It is believed to be difficult to achieve all this.
73 There are two alternatives, either of them by itself is sufficient:
75 a. Apply the patch found in section B of this announcement to
76 fetchmail 6.3.13, recompile and reinstall it.
78 b. Install fetchmail 6.3.14 or newer after it will have become available.
79 The fetchmail source code is always available from
80 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
86 Run fetchmail without and verbose options.
89 A. Copyright, License and Warranty
90 ==================================
92 (C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
95 This work is licensed under the Creative Commons
96 Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
97 To view a copy of this license, visit
98 http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
103 SAN FRANCISCO, CALIFORNIA 94105
107 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
108 Use the information herein at your own risk.
111 B. Patch to remedy the problem
112 ==============================
114 Note that when taking this from a GnuPG clearsigned file, the lines
115 starting with a "-" character are prefixed by another "- " (dash +
116 blank) combination. Either feed this file through GnuPG to strip them,
117 or strip them manually. You may want to use the "-p1" flag to patch.
119 Whitespace differences can usually be ignored by invoking "patch -l",
120 so try this if the patch does not apply.
124 @@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
125 if (isprint((unsigned char)in[i])) {
128 - - oi += sprintf(oi, "\\x%02X", in[i]);
129 + oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
134 END OF fetchmail-SA-2010-01.txt
135 -----BEGIN PGP SIGNATURE-----
136 Version: GnuPG v2.0.12 (GNU/Linux)
138 iEYEARECAAYFAktrbs0ACgkQvmGDOQUufZWzMQCg49F/WJiOjGwWZKHHzBcfTgx/
139 sLIAmQHPO3mezy3Ku0O29b4AXHL2ZQNb
141 -----END PGP SIGNATURE-----