+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.
Topics: Heap overrun in verbose SSL certificate information display.
Author: Matthias Andree
Version: 1.0
-Announced:
+Announced: 2010-02-05
Type: malloc() Buffer overrun with printable characters
Impact: Code injection (difficult).
Danger: low
-CVSSv2 vectors:
-CVE Name:
+CVE Name: CVE-2010-0562
+CVSSv2: (AV:N/AC:H/Au:N/C:N/I:C/A:P/E:U/RL:O/RC:C) proposed
URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
Project URL: http://www.fetchmail.info/
Not affected: fetchmail release 6.3.14 and newer
Corrected: 2010-02-04 fetchmail SVN (r5467)
+ Git (f1c7607615ebd48807db6170937fe79bb89d47d4)
+ 2010-02-05 fetchmail release 6.3.14
0. Release history
==================
-2010-02-04 0.1 first draft (visible in SVN)
+2010-02-04 0.1 first draft (visible in SVN and through oss-security)
+2010-02-05 1.0 fixed signed/unsigned typo (found by Nico Golde)
+2010-02-09 1.1 added CVE/CVSS, Announced: date
1. Background
\xFF..FFnn, where nn is 80..FF in hex.
This might be exploitable to inject code if
-- fetchmail is run in verbose mode
+- - fetchmail is run in verbose mode
AND
-- the host running fetchmail considers char unsigned
+- - the host running fetchmail considers char signed
AND
-- the server uses malicious certificates with non-printing characters
+- - the server uses malicious certificates with non-printing characters
that have the high bit set
AND
-- these certificates manage to inject shell-code that consists purely of
+- - these certificates manage to inject shell-code that consists purely of
printable characters.
It is believed to be difficult to achieve all this.
(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
-This work is licensed under the Creative Commons
-Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
To view a copy of this license, visit
-http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
Creative Commons
-171 Second Street
-Suite 300
-SAN FRANCISCO, CALIFORNIA 94105
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
USA
Whitespace differences can usually be ignored by invoking "patch -l",
so try this if the patch does not apply.
---- a/sdump.c
+- --- a/sdump.c
+++ b/sdump.c
@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
if (isprint((unsigned char)in[i])) {
*(oi++) = in[i];
} else {
-- oi += sprintf(oi, "\\x%02X", in[i]);
+- - oi += sprintf(oi, "\\x%02X", in[i]);
+ oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
}
}
*oi = '\0';
END OF fetchmail-SA-2010-01.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZX0pACg7jUxqFQzdhdVDXk/izXBNkfg
+ZBgAnAhDK4mYPoCzoiaJhEHM6rET4W+v
+=AX1N
+-----END PGP SIGNATURE-----