+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2005-02: security announcement
Topic: password exposure in fetchmailconf
Author: Matthias Andree
-Version: 1.00
-Announced: 2005-XX-XX
+Version: 1.03
+Announced: 2005-10-21
Type: insecure creation of file
Impact: passwords are written to a world-readable file
-Danger: low: the time window during which the passwords are
- readable is small.
-CVE Name: CAN-2005-XXXX
+Danger: medium
+Credits: Thomas Wolff, Miloslav Trmac for pointing out
+ that fetchmailconf 1.43.1 was also flawed
+CVE Name: CVE-2005-3088
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
Affects: fetchmail version 6.2.5.2
fetchmail version 6.2.5
fetchmail version 6.2.0
- fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
- (other versions have not been checked but are presumed
- affected)
+ fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
+ fetchmailconf 1.43.1 (shipped separately, now withdrawn)
+ (other versions have not been checked but are presumed affected)
-Not affected: fetchmail 6.2.9-rc6 (XX not released yet)
- fetchmail 6.3.0 (not released yet)
- fetchmailconf 1.43.1
+Not affected: fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
+ fetchmail 6.2.5.4
+ fetchmail 6.3.0
Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
- 2005-09-28 - released fetchmailconf-1.43.1
- XX (add date of 6.2.9-rc6 release here)
+ 2005-10-21 - released fetchmailconf-1.43.2
+ 2005-11-13 - released fetchmail 6.2.5.4
+ 2005-11-30 - released fetchmail 6.3.0
0. Release history
+==================
-2005-XX-XX 1.00 - Initial announcement
+2005-10-21 1.00 - initial version (shipped with -rc6)
+2005-10-21 1.01 - marked 1.43.1 vulnerable
+ - revised section 4
+ - added Credits
+2005-10-27 1.02 - reformatted section 0
+ - updated CVE Name to new naming scheme
+2005-12-08 1.03 - update version information and solution
1. Background
+=============
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
control) files for fetchmail.
2. Problem description and Impact
+=================================
The fetchmailconf program before and excluding version 1.49 opened the
run control file, wrote the configuration to it, and only then changed
sensitive password information.
3. Workaround
+=============
-Run "umask 077", then run "fetchmailconf" from the same shell.
+Run "umask 077", then run "fetchmailconf" from the same shell. After
+fetchmailconf has finished, you can restore your old umask.
4. Solution
+===========
-Download fetchmailconf-1.43.1.gz from fetchmail's project site
-<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>,
-gunzip it, then replace your existing fetchmailconf with it.
-
-Alternatively, apply this patch (you need to save this announcement
-unaltered to a file unless you are sure that your system preserves HTAB
-characters on copy and paste operations) to fetchmailconf and install
-the patched version: (the patch, with modified version number and in
-unified format, is also available from the URL above).
-
-*** ./fetchmailconf.orig Wed Sep 28 03:28:58 2005
---- ./fetchmailconf Wed Sep 28 03:33:11 2005
-***************
-*** 860,871 ****
- pass
- fm = open(self.outfile, 'w')
- if fm:
- fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
- fm.write(`self.configuration`)
- if self.outfile:
- fm.close()
-- if fm != sys.stdout:
-- os.chmod(self.outfile, 0600)
- self.destruct()
-
- #
---- 860,871 ----
- pass
- fm = open(self.outfile, 'w')
- if fm:
-+ if fm != sys.stdout:
-+ os.chmod(self.outfile, 0600)
- fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
- fm.write(`self.configuration`)
- if self.outfile:
- fm.close()
- self.destruct()
-
- #
+Download and install fetchmail 6.3.0 or a newer stable release from
+fetchmail's project site at
+<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>.
A. References
+=============
fetchmail home page: <http://fetchmail.berlios.de/>
B. Copyright, License and Warranty
+==================================
(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
-This work is licensed under the Creative Commons
-Attribution-NonCommercial-NoDerivs German License. To view a copy of
-this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
-or send a letter to Creative Commons; 559 Nathan Abbott Way;
-Stanford, California 94305; USA.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
END OF fetchmail-SA-2005-02.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWoPgCdG1P0n27En0VPMiY3+d0NSwfy
+4rgAn037UM4pEf7E94HZQOmGUR//pM6q
+=q8j6
+-----END PGP SIGNATURE-----