-- DRAFT - XXX - DRAFT -
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales
-Topics: Denial of service in debug output.
+Topics: Denial of service in debug output
Author: Matthias Andree
-Version: 0.1 XXX
-Announced: XXX
-Type: Unbounded allocation of memory until exhaustion.
-Impact: Denial of service.
+Version: 1.0
+Announced: 2010-05-06
+Type: Unbounded allocation of memory until exhaustion
+Impact: Denial of service
Danger: low
CVE Name: CVE-2010-1167
-CVSSv2: XXX
+CVSSv2: (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:O/RC:C)
+CVSS scores: 3.2, Base 4.3 (Impact 2.9, Exploitability 8.6), Temporal 3.2
+ This is calculated without Environmental Score.
URL: http://www.fetchmail.info/fetchmail-SA-2010-02.txt
Project URL: http://www.fetchmail.info/
Not affected: fetchmail release 6.3.17 and newer
-Corrected: 2010-04-18 Git (XXX)
+Corrected: 2010-04-24 Git, required commits:
+ 167fa2093e82f891eb2fcb6eaa0b1eb3685f44e3
+ ec06293134b85876f9201d8a52b844c41581b2b3
+
+ 2010-04-30 fetchmail 6.3.17-pre1 tarball
+
+ 2010-05-06 fetchmail 6.3.17 release tarball
0. Release history
==================
2010-04-18 0.1 first draft (visible in SVN and through oss-security)
-XXX
+2010-04-19 0.2 add note announcements may appear before releases
+2010-04-20 0.3 add CVE name, fix Type:
+2010-04-24 0.4 revise patch
+2010-04-29 0.5 add info on contributing/mitigating factors
+2010-05-06 1.0 complete
1. Background
and reallocate a bigger one (with linearly increasing buffer size), and repeat,
until the allocation fails. At that point, fetchmail will abort.
+The exact combination of contributing and mitigating factors is not
+fully understood; GNU glibc 2.7 and 2.10.1 on i586 report EILSEQ when
+printing invalid sequences through a %.*s format string in multibyte
+locales such as de_DE.UTF-8; NetBSD 5, FreeBSD 8 and Solaris 10 do not.
+However, the issue is a genuine fetchmail bug that deserves a fix.
+
Note that the "Affects:" line above may be inaccurate, and it may be that
versions before 5.6.6 are actually unaffected. The author was unable to
compile such old fetchmail versions to verify the existence of the bug.
(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
-This work is licensed under the Creative Commons
-Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
To view a copy of this license, visit
-http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
Creative Commons
-171 Second Street
-Suite 300
-SAN FRANCISCO, CALIFORNIA 94105
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
USA
diff --git a/rfc822.c b/rfc822.c
index 6f2dbf3..dbcda32 100644
---- a/rfc822.c
+- --- a/rfc822.c
+++ b/rfc822.c
@@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator.
#include <stdlib.h>
}
#ifndef MAIN
-- if (outlevel >= O_DEBUG)
-- report_build(stdout, GT_("About to rewrite %.*s...\n"),
-- (int)BEFORE_EOL(buf), buf);
+- - if (outlevel >= O_DEBUG)
+- - report_build(stdout, GT_("About to rewrite %.*s...\n"),
+- - (int)BEFORE_EOL(buf), buf);
+ if (outlevel >= O_DEBUG) {
+ report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf))));
+ xfree(cp);
}
#ifndef MAIN
-- if (outlevel >= O_DEBUG)
-- report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
-- (int)BEFORE_EOL(buf), buf);
+- - if (outlevel >= O_DEBUG)
+- - report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
+- - (int)BEFORE_EOL(buf), buf);
+ if (outlevel >= O_DEBUG) {
+ report_complete(stdout, GT_("...rewritten version is %s.\n"),
+ (cp = sdump(buf, BEFORE_EOL(buf))));
*length = strlen(buf);
return(buf);
diff --git a/uid.c b/uid.c
-index fdc6f5d..d813bee 100644
---- a/uid.c
+index fdc6f5d..9a62ee2 100644
+- --- a/uid.c
+++ b/uid.c
@@ -20,6 +20,7 @@
/*
* Machinery for handling UID lists live here. This is mainly to support
-@@ -260,8 +261,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
+@@ -249,8 +250,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
+ {
+ report_build(stdout, GT_("Old UID list from %s:"),
+ ctl->server.pollname);
+- - for (idp = ctl->oldsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s", idp->id);
++ for (idp = ctl->oldsaved; idp; idp = idp->next) {
++ char *t = sdump(idp->id, strlen(idp->id));
++ report_build(stdout, " %s", t);
++ free(t);
++ }
+ if (!idp)
+ report_build(stdout, GT_(" <empty>"));
+ report_complete(stdout, "\n");
+@@ -260,8 +264,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
if (uidlcount)
{
report_build(stdout, GT_("Scratch list of UIDs:"));
-- for (idp = scratchlist; idp; idp = idp->next)
-- report_build(stdout, " %s", idp->id);
+- - for (idp = scratchlist; idp; idp = idp->next)
+- - report_build(stdout, " %s", idp->id);
+ for (idp = scratchlist; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s", t);
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
-@@ -517,8 +521,11 @@ void uid_swap_lists(struct query *ctl)
+@@ -517,8 +524,11 @@ void uid_swap_lists(struct query *ctl)
report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
else
report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname);
-- for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
-- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+- - for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+ for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
-@@ -567,8 +574,11 @@ void uid_discard_new_list(struct query *ctl)
+@@ -567,8 +577,11 @@ void uid_discard_new_list(struct query *ctl)
/* this is now a merged list! the mails which were seen in this
* poll are marked here. */
report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
-- for (idp = ctl->oldsaved; idp; idp = idp->next)
-- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+- - for (idp = ctl->oldsaved; idp; idp = idp->next)
+- - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+ for (idp = ctl->oldsaved; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVpfQCcD3U6m1MbJOFZV4FgI7e042vF
+HcEAn0j6ZFwp9dh2G7PJSkN9CM0XazyJ
+=JUs1
+-----END PGP SIGNATURE-----