Topic: password exposure in fetchmailconf
Author: Matthias Andree
-Version: 1.00
-Announced: 2005-XX-XX
+Version: 1.01
+Announced: 2005-10-21
Type: insecure creation of file
Impact: passwords are written to a world-readable file
-Danger: low: the time window during which the passwords are
- readable is small.
+Danger: medium
+Credits: Thomas Wolff, Miloslav Trmac for pointing out
+ that fetchmailconf 1.43.1 was also flawed
CVE Name: CAN-2005-3088
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
Affects: fetchmail version 6.2.5.2
fetchmail version 6.2.5
fetchmail version 6.2.0
- fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
- (other versions have not been checked but are presumed
- affected)
+ fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
+ fetchmailconf 1.43.1 (shipped separately, now withdrawn)
+ (other versions have not been checked but are presumed affected)
-Not affected: fetchmail 6.2.9-rc6 (XX not released yet)
+Not affected: fetchmail 6.2.9-rc6
+ fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
+ fetchmailconf 1.49 (shipped with 6.2.9-rc6)
fetchmail 6.3.0 (not released yet)
- fetchmailconf 1.43.1
Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
- 2005-09-28 - released fetchmailconf-1.43.1
- XX (add date of 6.2.9-rc6 release here)
+ 2005-10-21 - released fetchmailconf-1.43.2
+ 2005-10-21 - released fetchmail 6.2.9-rc6
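Review bot: the Danger rating is raised from low to medium, but the justification that came with the old rating ("the time window during which the passwords are readable is small") is dropped without a replacement; give the new rating its own one-line rationale (the file is world-readable until chmod runs, and the 1.43.1 fix turned out to be incomplete) so readers can see why it changed. The Credits line is also ambiguous about whether both names are credited for the 1.43.1 finding or only the second one; split it into one line per person if they reported different things.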
0. Release history
+==================
-2005-XX-XX 1.00 - Initial announcement
+2005-10-21 1.00 (shipped with -rc6)
+2005-10-21 1.01 (marked 1.43.1 vulnerable, revised section 4,
+ added Credits)
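Review bot: both history entries now carry the same date, 2005-10-21, and the 1.00 entry loses its description ("Initial announcement") in favour of "(shipped with -rc6)"; keep a short description on the 1.00 line as well, e.g. "1.00 - Initial announcement (shipped with -rc6)", so the history still reads as a sequence of revisions.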
1. Background
+=============
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
control) files for fetchmail.
2. Problem description and Impact
+=================================
The fetchmailconf program before and excluding version 1.49 opened the
run control file, wrote the configuration to it, and only then changed
sensitive password information.
3. Workaround
+=============
-Run "umask 077", then run "fetchmailconf" from the same shell.
+Run "umask 077", then run "fetchmailconf" from the same shell. After
+fetchmailconf has finished, you can restore your old umask.
4. Solution
+===========
-Download fetchmailconf-1.43.1.gz from fetchmail's project site
+For users of fetchmail-6.2.5.2:
+-------------------------------
+Download fetchmailconf-1.43.2.gz from fetchmail's project site
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>,
gunzip it, then replace your existing fetchmailconf with it.
-Alternatively, apply this patch (you need to save this announcement
-unaltered to a file unless you are sure that your system preserves HTAB
-characters on copy and paste operations) to fetchmailconf and install
-the patched version: (the patch, with modified version number and in
-unified format, is also available from the URL above).
-
-*** ./fetchmailconf.orig Wed Sep 28 03:28:58 2005
---- ./fetchmailconf Wed Sep 28 03:33:11 2005
-***************
-*** 860,871 ****
- pass
- fm = open(self.outfile, 'w')
- if fm:
- fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
- fm.write(`self.configuration`)
- if self.outfile:
- fm.close()
-- if fm != sys.stdout:
-- os.chmod(self.outfile, 0600)
- self.destruct()
-
- #
---- 860,871 ----
- pass
- fm = open(self.outfile, 'w')
- if fm:
-+ if fm != sys.stdout:
-+ os.chmod(self.outfile, 0600)
- fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
- fm.write(`self.configuration`)
- if self.outfile:
- fm.close()
- self.destruct()
-
- #
+For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6:
+---------------------------------------------------------
+update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21.
+<https://developer.berlios.de/project/showfiles.php?group_id=1824>
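Review bot: with the inline patch removed, the Solution section only covers fetchmail-6.2.5.2 and 6.2.6*/6.2.9* before 6.2.9-rc6, while the Affects list still names fetchmail 6.2.0 and 6.2.5; add a line telling those users whether fetchmailconf-1.43.2 is usable with their release or whether they should move to 6.2.5.2 first. Dropping the inline 1.43.1 patch is the right call, since it still calls open(self.outfile, 'w') before os.chmod(self.outfile, 0600), so the file is created with the process umask and remains readable until the chmod runs; a sentence in section 2 or 4 stating what 1.43.2 and 1.49 do differently would let readers verify the copy they have. Minor: the second sub-heading's instruction "update to the latest fetchmail-devel package" should start with a capital letter like the first, and the two download links use http and https respectively; pick one scheme.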
A. References
+=============
fetchmail home page: <http://fetchmail.berlios.de/>
B. Copyright, License and Warranty
+==================================
(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.