X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2007-02.txt;h=c48ff70d818bacfe1dff7257dec56b4867ea5f90;hb=d31db10231e9ed89f64fdf6e0fb7cae182aa377e;hp=2ab3363fbd0af4bf2b6fbc7273774e8a23916246;hpb=e76ae1ef1afb66f8be3f30725ce42d53c096cf79;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2007-02.txt b/fetchmail-SA-2007-02.txt index 2ab3363f..c48ff70d 100644 --- a/fetchmail-SA-2007-02.txt +++ b/fetchmail-SA-2007-02.txt @@ -1,21 +1,27 @@ -fetchmail-SA-2007-02: Crash when warning message is rejected +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 -Topics: Crash when fetchmail-generated warning message is rejected +fetchmail-SA-2007-02: Crash when a local warning message is rejected + +Topics: Crash when a fetchmail-generated warning message is rejected Author: Matthias Andree -Version: 1.0 -Announced: 2007-07-29 +Version: 1.1 +Announced: 2007-08-28 Type: NULL pointer dereference trigged by outside circumstances Impact: denial of service possible Danger: low +CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C) + Credits: Earl Chew -CVE Name: XXX -URL: http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt -Project URL: http://fetchmail.berlios.de/ +CVE Name: CVE-2007-4565 +URL: http://www.fetchmail.info/fetchmail-SA-2007-02.txt +Project URL: http://www.fetchmail.info/ -Affects: fetchmail release < 6.3.9 +Affects: fetchmail release < 6.3.9 exclusively -Not affected: fetchmail release 6.3.9 +Not affected: fetchmail release 6.3.9 and newer + fetchmail releases < 4.6.8 exclusively Corrected: 2007-07-29 fetchmail SVN (rev 5119) @@ -23,7 +29,8 @@ Corrected: 2007-07-29 fetchmail SVN (rev 5119) 0. Release history ================== -2007-07-29 1.0 first release +2007-07-29 1.0 first draft for MITRE/CVE (visible in SVN) +2007-08-28 1.1 reworked, added fix, official release 1. Background @@ -41,19 +48,42 @@ control) files for fetchmail. 2. Problem description and Impact ================================= -fetchmail will generated warning messages to the local postmaster or user in -certain circumstances, for instance when authentication fails. +fetchmail will generate warning messages in certain circumstances and +send them to the local postmaster or the user starting it. Such warning +messages can be generated, for instance, if logging into an upstream +server fails repeatedly or if messages beyond the size limit (if +configured, default: no limit) are left on the server. + +If this warning message is then refused by the SMTP listener that +fetchmail is forwarding the message to, fetchmail attempts to +dereference a NULL pointer when trying to find out if it should allow a +bounce message to be sent. -If this warning message is refused by the SMTP listener that fetchmail is -talking to, fetchmail attempts to dereference a NULL pointer when trying to find -out if it should allow a bounce message to be sent. +This causes fetchmail to crash and not collect further messages until it +is restarted. + +Risk assessment: low. In default configuration, fetchmail will talk +through the loopback interface, that means to the SMTP server on the same +computer as it is running on. Otherwise, it will commonly be configured +to talk to trusted SMTP servers, so a compromise or misconfiguration of +a trusted or the same computer is required to exploit this problem - +which usually opens up much easier ways of denying service, or worse. 3. Solution =========== -Install fetchmail 6.3.9 or newer. The fetchmail source code is available from -. +There are two alternatives, either of them by itself is sufficient: + +a. Apply the patch found in section B of this announcement to fetchmail 6.3.8, + recompile and reinstall it. + +b. Install fetchmail 6.3.9 or newer when it becomes available. The + fetchmail source code is available from + . + +Note there are no workarounds presented here since all known workarounds +are more intrusive than the actual solution. A. Copyright, License and Warranty @@ -62,13 +92,46 @@ A. Copyright, License and Warranty (C) Copyright 2007 by Matthias Andree, . Some rights reserved. -This work is licensed under the Creative Commons -Attribution-NonCommercial-NoDerivs German License. To view a copy of -this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ -or send a letter to Creative Commons; 559 Nathan Abbott Way; -Stanford, California 94305; USA. +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA + THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. + +B. Patch to remedy the problem +============================== + +Index: sink.c +=================================================================== +- --- sink.c (revision 5118) ++++ sink.c (revision 5119) +@@ -262,7 +262,7 @@ + const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@"; + + /* don't bounce in reply to undeliverable bounces */ +- - if (!msg->return_path[0] || ++ if (!msg || !msg->return_path[0] || + strcmp(msg->return_path, "<>") == 0 || + strcasecmp(msg->return_path, md1) == 0 || + strncasecmp(msg->return_path, md2, strlen(md2)) == 0) + END OF fetchmail-SA-2007-02.txt +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWWKwCfX4Ri89SzzUcXYxughs1CdnAk +Z6IAniD4DzayVUR6UxA5K1OqX1CUDOhM +=+YME +-----END PGP SIGNATURE-----