-----BEGIN PGP SIGNED MESSAGE-----

fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics: fetchmail denial of service in NTLM protocol phase

Author: Matthias Andree
Type: crash while reading from bad memory location
Impact: fetchmail segfaults and aborts, stalling inbound mail
Acknowledgment: J. Porter Clark

CVE Name: CVE-2012-3482
URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL: http://www.fetchmail.info/

Affects: - fetchmail releases 5.0.8 up to and including 6.3.21
           when compiled with NTLM support enabled

Not affected: - fetchmail releases compiled with NTLM support disabled
              - fetchmail releases 6.3.22 and newer

Corrected in: 2012-08-13 Git, among others, see commit
              3fbc7cd331602c76f882d1b507cd05c1d824ba8b

              2012-08-xx fetchmail 6.3.22 release tarball

2012-08-14 0.2 added CVE ID

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.

2. Problem description and Impact
=================================

Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM
authentication request, but never checked whether the received response
was an NTLM protocol exchange or a server-side error message. Instead,
fetchmail tried to decode the error message as though it were a
base64-encoded protocol exchange, and could then segfault, subject to
verbosity and other circumstances, while reading data from bad memory

Install fetchmail 6.3.22 or newer.

The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.

Distributors are encouraged to review the NEWS file and move forward to
6.3.22, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued, or documentation.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
interface incompatibly.
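
The check that section 2 describes as missing, written out as an added example (this is not fetchmail's code and not the fix shipped in 6.3.22). It goes slightly beyond the advisory by also validating the decoded NTLM type-2 header; the function name, the "+ " continuation convention and the sample server line are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode one base64 character; -1 if it is not in the alphabet. */
static int b64val(unsigned char c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Hypothetical helper: returns the decoded length, or -1 if `line` is not a
 * well-formed "+ <base64>" continuation carrying an NTLM type-2 message. */
int ntlm_challenge_from_line(const char *line, unsigned char *out, size_t cap)
{
    size_t n = 0, len;
    unsigned acc = 0, bits = 0;

    if (strncmp(line, "+ ", 2) != 0)       /* e.g. "-ERR ..." or "A1 NO ..." */
        return -1;
    line += 2;
    len = strcspn(line, "\r\n");
    while (len > 0 && line[len - 1] == '=') len--;    /* strip padding */
    for (size_t i = 0; i < len; i++) {
        int v = b64val((unsigned char)line[i]);
        if (v < 0) return -1;              /* not base64: reject, do not guess */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            if (n >= cap) return -1;       /* never write past the buffer */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    /* Type 2 = 8-byte signature, 4-byte type (LE), then at least 20 more bytes. */
    if (n < 32 || memcmp(out, "NTLMSSP\0", 8) != 0) return -1;
    if (out[8] != 2 || out[9] || out[10] || out[11]) return -1;
    return (int)n;
}

int main(void)
{
    unsigned char buf[64];
    /* Constructed sample: a server error arriving where a challenge was expected. */
    printf("%d\n", ntlm_challenge_from_line("-ERR auth failed\r\n", buf, sizeof buf));
    return 0;
}
```

A caller would treat -1 as an authentication failure and report the raw server line, rather than passing it on to the NTLM decoding or debug-dump code.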

A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2012 by Matthias Andree, <matthias.andree@gmx.de>.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en

MOUNTAIN VIEW, CALIFORNIA 94041

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2012-02
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlAp5g0ACgkQvmGDOQUufZXtLwCg54tPXJZAXauGxJ77oRGox49g
WUIAnizjQ4AvBSzk3Oraqv+WCS+8wiMb
-----END PGP SIGNATURE-----