X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2005-02.txt;h=d46275e2de654bc964703ec9c7975fac1ff0548a;hb=e4dd196b137223195739b9e0f50ec2a8a02b3534;hp=874d08b142e3f0a07fe5b6dc87f164125bae5e3d;hpb=2864ace338540b266f17d8a1d85dc389fd446936;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2005-02.txt b/fetchmail-SA-2005-02.txt index 874d08b1..d46275e2 100644 --- a/fetchmail-SA-2005-02.txt +++ b/fetchmail-SA-2005-02.txt 
@@ -1,37 +1,50 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + fetchmail-SA-2005-02: security announcement Topic: password exposure in fetchmailconf Author: Matthias Andree -Version: 1.00 -Announced: 2005-XX-XX +Version: 1.03 +Announced: 2005-10-21 Type: insecure creation of file Impact: passwords are written to a world-readable file -Danger: low: the time window during which the passwords are - readable is small. -CVE Name: CAN-2005-XXXX +Danger: medium +Credits: Thomas Wolff, Miloslav Trmac for pointing out + that fetchmailconf 1.43.1 was also flawed +CVE Name: CVE-2005-3088 URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt Affects: fetchmail version 6.2.5.2 fetchmail version 6.2.5 fetchmail version 6.2.0 - fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2) - (other versions have not been checked but are presumed - affected) + fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2) + fetchmailconf 1.43.1 (shipped separately, now withdrawn) + (other versions have not been checked but are presumed affected) -Not affected: fetchmail 6.2.9-rc6 (XX not released yet) - fetchmail 6.3.0 (not released yet) - fetchmailconf 1.43.1 +Not affected: fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2) + fetchmail 6.2.5.4 + fetchmail 6.3.0 Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351) - 2005-09-28 - released fetchmailconf-1.43.1 - XX (add date of 6.2.9-rc6 release here) + 2005-10-21 - released fetchmailconf-1.43.2 + 2005-11-13 - released fetchmail 6.2.5.4 + 2005-11-30 - released fetchmail 6.3.0 0. Release history +================== -2005-XX-XX 1.00 - Initial announcement +2005-10-21 1.00 - initial version (shipped with -rc6) +2005-10-21 1.01 - marked 1.43.1 vulnerable + - revised section 4 + - added Credits +2005-10-27 1.02 - reformatted section 0 + - updated CVE Name to new naming scheme +2005-12-08 1.03 - update version information and solution 1. 
Background +============= fetchmail is a software package to retrieve mail from remote POP2, POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or @@ -42,6 +55,7 @@ utility named "fetchmailconf" to help the user create configuration (run control) files for fetchmail. 2. Problem description and Impact +================================= The fetchmailconf program before and excluding version 1.49 opened the run control file, wrote the configuration to it, and only then changed 
@@ -50,67 +64,50 @@ passwords, before making it unreadable to other users, can expose sensitive password information. 3. Workaround +============= -Run "umask 077", then run "fetchmailconf" from the same shell. +Run "umask 077", then run "fetchmailconf" from the same shell. After +fetchmailconf has finished, you can restore your old umask. 4. Solution +=========== -Download fetchmailconf-1.43.1.gz from fetchmail's project site -, -gunzip it, then replace your existing fetchmailconf with it. - -Alternatively, apply this patch (you need to save this announcement -unaltered to a file unless you are sure that your system preserves HTAB -characters on copy and paste operations) to fetchmailconf and install -the patched version: (the patch, with modified version number and in -unified format, is also available from the URL above). - -*** ./fetchmailconf.orig Wed Sep 28 03:28:58 2005 ---- ./fetchmailconf Wed Sep 28 03:33:11 2005 -*************** -*** 860,871 **** - pass - fm = open(self.outfile, 'w') - if fm: - fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time())) - fm.write(`self.configuration`) - if self.outfile: - fm.close() -- if fm != sys.stdout: -- os.chmod(self.outfile, 0600) - self.destruct() - - # ---- 860,871 ---- - pass - fm = open(self.outfile, 'w') - if fm: -+ if fm != sys.stdout: -+ os.chmod(self.outfile, 0600) - fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time())) - fm.write(`self.configuration`) - if self.outfile: - fm.close() - self.destruct() - - # +Download and install fetchmail 6.3.0 or a newer stable release from +fetchmail's project site at +. A. References +============= fetchmail home page: B. Copyright, License and Warranty +================================== (C) Copyright 2005 by Matthias Andree, . Some rights reserved. -This work is licensed under the Creative Commons -Attribution-NonCommercial-NoDerivs German License. 
To view a copy of -this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ -or send a letter to Creative Commons; 559 Nathan Abbott Way; -Stanford, California 94305; USA. +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END OF fetchmail-SA-2005-02.txt +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWoPgCdG1P0n27En0VPMiY3+d0NSwfy +4rgAn037UM4pEf7E94HZQOmGUR//pM6q +=q8j6 +-----END PGP SIGNATURE-----
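Review bot: in the first hunk (@@ -1,37 +1,50 @@) the Corrected list still carries "2005-09-28 - released fetchmailconf-1.43.1" as a corrective release, while the same hunk moves fetchmailconf 1.43.1 into Affects as "shipped separately, now withdrawn" and credits Thomas Wolff and Miloslav Trmac for showing it was still flawed. Either drop that Corrected entry or annotate it, e.g. "2005-09-28 - released fetchmailconf-1.43.1 (incomplete fix, withdrawn)", so the two header sections no longer contradict each other. The same hunk also replaces "Danger: low: the time window during which the passwords are readable is small" with a bare "Danger: medium" while leaving Impact unchanged; one clause stating why the rating went up would let readers judge urgency without reading the release history.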
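Review bot: in the second hunk (@@ -42,6 +55,7 @@) the context line directly under the new heading underline still reads "The fetchmailconf program before and excluding version 1.49", but the header in this same patch lists fetchmailconf 1.43.2 as not affected, and 1.43.2 sorts below 1.49. If 1.43.2 is the backported fix for the 6.2.5.x line and 1.49 the fetchmailconf shipped with 6.3.0, say so here ("before 1.43.2 on the 6.2.5.x line, before 1.49 on the 6.3 line"); if 1.49 is a typo for 1.43.2, correct it while this hunk is touching the section anyway.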
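Review bot: in the third hunk (@@ -50,67 +64,50 @@) the new Solution text only says to install fetchmail 6.3.0 or newer, yet the header in this same patch lists two further unaffected options, fetchmailconf 1.43.2 ("use this for fetchmail-6.2.5.2") and fetchmail 6.2.5.4; section 4 should name them for users who cannot move to 6.3.0, e.g. "Alternatively, install fetchmail 6.2.5.4, or replace fetchmailconf with version 1.43.2." Two smaller points: the address after "fetchmail's project site at" is blank in the rendered "+." line, so check that the angle-bracketed URL survived; and the inline patch being deleted here moved os.chmod(self.outfile, 0600) to just after open(self.outfile, 'w') but before the writes, which still leaves the file with umask-derived permissions between open() and chmod(), so anyone who applied that patch instead of upgrading should keep using the "umask 077" workaround from section 3. A sentence to that effect in section 4 would close the gap.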