-- DRAFT - XXX - DRAFT -
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales
-Topics: Denial of service in debug output.
+Topics: Denial of service in debug output
Author: Matthias Andree
-Version: 0.1 XXX
-Announced: XXX
-Type: malloc() Buffer overrun with printable characters
-Impact: Denial of service.
+Version: 1.0
+Announced: 2010-05-06
+Type: Unbounded allocation of memory until exhaustion
+Impact: Denial of service
Danger: low
-CVE Name: CVE-2010-XXXX
-CVSSv2: XXX
+CVE Name: CVE-2010-1167
+CVSSv2: (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:O/RC:C)
+CVSS scores: 3.2, Base 4.3 (Impact 2.9, Exploitability 8.6), Temporal 3.2
+ This is calculated without Environmental Score.
URL: http://www.fetchmail.info/fetchmail-SA-2010-02.txt
Project URL: http://www.fetchmail.info/
Not affected: fetchmail release 6.3.17 and newer
-Corrected: 2010-04-18 Git (XXX)
+Corrected: 2010-04-24 Git, required commits:
+ 167fa2093e82f891eb2fcb6eaa0b1eb3685f44e3
+ ec06293134b85876f9201d8a52b844c41581b2b3
+
+ 2010-04-30 fetchmail 6.3.17-pre1 tarball
+
+ 2010-05-06 fetchmail 6.3.17 release tarball
0. Release history
==================
2010-04-18 0.1 first draft (visible in SVN and through oss-security)
-XXX
+2010-04-19 0.2 add note announcements may appear before releases
+2010-04-20 0.3 add CVE name, fix Type:
+2010-04-24 0.4 revise patch
+2010-04-29 0.5 add info on contributing/mitigating factors
+2010-05-06 1.0 complete
1. Background
and reallocate a bigger one (with linearly increasing buffer size), and repeat,
until the allocation fails. At that point, fetchmail will abort.
+The exact combination of contributing and mitigating factors is not
+fully understood; GNU glibc 2.7 and 2.10.1 on i586 report EILSEQ when
+printing invalid sequences through a %.*s format string in multibyte
+locales such as de_DE.UTF-8; NetBSD 5, FreeBSD 8 and Solaris 10 do not.
+However, the issue is a genuine fetchmail bug that deserves a fix.
+
Note that the "Affects:" line above may be inaccurate, and it may be that
versions before 5.6.6 are actually unaffected. The author was unable to
compile such old fetchmail versions to verify the existence of the bug.
fetchmail 6.3.14 or newer, recompile and reinstall it.
b. Install fetchmail 6.3.17 or newer after it will have become available.
+ (Note that the announcements may be publicly visible quite some time
+ before the release is made, particularly for minor bugs.)
The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
diff --git a/rfc822.c b/rfc822.c
index 6f2dbf3..dbcda32 100644
---- a/rfc822.c
+- --- a/rfc822.c
+++ b/rfc822.c
@@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator.
#include <stdlib.h>
}
#ifndef MAIN
-- if (outlevel >= O_DEBUG)
-- report_build(stdout, GT_("About to rewrite %.*s...\n"),
-- (int)BEFORE_EOL(buf), buf);
+- - if (outlevel >= O_DEBUG)
+- - report_build(stdout, GT_("About to rewrite %.*s...\n"),
+- - (int)BEFORE_EOL(buf), buf);
+ if (outlevel >= O_DEBUG) {
+ report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf))));
+ xfree(cp);
}
#ifndef MAIN
-- if (outlevel >= O_DEBUG)
-- report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
-- (int)BEFORE_EOL(buf), buf);
+- - if (outlevel >= O_DEBUG)
+- - report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
+- - (int)BEFORE_EOL(buf), buf);
+ if (outlevel >= O_DEBUG) {
+ report_complete(stdout, GT_("...rewritten version is %s.\n"),
+ (cp = sdump(buf, BEFORE_EOL(buf))));
*length = strlen(buf);
return(buf);
diff --git a/uid.c b/uid.c
-index fdc6f5d..d813bee 100644
---- a/uid.c
+index fdc6f5d..9a62ee2 100644
+- --- a/uid.c
+++ b/uid.c
@@ -20,6 +20,7 @@
/*
* Machinery for handling UID lists live here. This is mainly to support
-@@ -260,8 +261,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
+@@ -249,8 +250,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
+ {
+ report_build(stdout, GT_("Old UID list from %s:"),
+ ctl->server.pollname);
+- - for (idp = ctl->oldsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s", idp->id);
++ for (idp = ctl->oldsaved; idp; idp = idp->next) {
++ char *t = sdump(idp->id, strlen(idp->id));
++ report_build(stdout, " %s", t);
++ free(t);
++ }
+ if (!idp)
+ report_build(stdout, GT_(" <empty>"));
+ report_complete(stdout, "\n");
+@@ -260,8 +264,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
if (uidlcount)
{
report_build(stdout, GT_("Scratch list of UIDs:"));
-- for (idp = scratchlist; idp; idp = idp->next)
-- report_build(stdout, " %s", idp->id);
+- - for (idp = scratchlist; idp; idp = idp->next)
+- - report_build(stdout, " %s", idp->id);
+ for (idp = scratchlist; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s", t);
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
-@@ -517,8 +521,11 @@ void uid_swap_lists(struct query *ctl)
+@@ -517,8 +524,11 @@ void uid_swap_lists(struct query *ctl)
report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
else
report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname);
-- for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
-- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+- - for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+ for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
-@@ -567,8 +574,11 @@ void uid_discard_new_list(struct query *ctl)
+@@ -567,8 +577,11 @@ void uid_discard_new_list(struct query *ctl)
/* this is now a merged list! the mails which were seen in this
* poll are marked here. */
report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
-- for (idp = ctl->oldsaved; idp; idp = idp->next)
-- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+- - for (idp = ctl->oldsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+ for (idp = ctl->oldsaved; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.12 (GNU/Linux)
+
+iEYEARECAAYFAkviiHoACgkQvmGDOQUufZUfiQCeIl/RlnUEciNLxY3ykQSgFzDF
+/BMAoKMiJoD4cjGcaN/5CvdIgktKExYB
+=dC/g
+-----END PGP SIGNATURE-----
projects / ~andy / fetchmail / blobdiff