X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2010-01.txt;h=0d75e88a72ccd330161fda99ba18fbe28b34f967;hb=b3e0cd2d558b5ccf06c816eed38c883d7462d3d4;hp=7abc2211135c427fec66a461dca8569e30af7238;hpb=5f8cc0929852df239b10d96ddff599fe4c543519;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2010-01.txt b/fetchmail-SA-2010-01.txt index 7abc2211..0d75e88a 100644 --- a/fetchmail-SA-2010-01.txt +++ b/fetchmail-SA-2010-01.txt @@ -1,16 +1,19 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display. Topics: Heap overrun in verbose SSL certificate information display. Author: Matthias Andree Version: 1.0 -Announced: +Announced: 2010-02-05 Type: malloc() Buffer overrun with printable characters Impact: Code injection (difficult). Danger: low -CVSSv2 vectors: -CVE Name: +CVE Name: CVE-2010-0562 +CVSSv2: (AV:N/AC:H/Au:N/C:N/I:C/A:P/E:U/RL:O/RC:C) proposed URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt Project URL: http://www.fetchmail.info/ @@ -19,12 +22,16 @@ Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13 Not affected: fetchmail release 6.3.14 and newer Corrected: 2010-02-04 fetchmail SVN (r5467) + Git (f1c7607615ebd48807db6170937fe79bb89d47d4) + 2010-02-05 fetchmail release 6.3.14 0. Release history ================== -2010-02-04 0.1 first draft (visible in SVN) +2010-02-04 0.1 first draft (visible in SVN and through oss-security) +2010-02-05 1.0 fixed signed/unsigned typo (found by Nico Golde) +2010-02-09 1.1 added CVE/CVSS, Announced: date 1. Background 
@@ -50,14 +57,14 @@ buffer overrun because non-printing characters are escaped as \xFF..FFnn, where nn is 80..FF in hex. This might be exploitable to inject code if -- fetchmail is run in verbose mode +- - fetchmail is run in verbose mode AND -- the host running fetchmail considers char signed +- - the host running fetchmail considers char signed AND -- the server uses malicious certificates with non-printing characters +- - the server uses malicious certificates with non-printing characters that have the high bit set AND -- these certificates manage to inject shell-code that consists purely of +- - these certificates manage to inject shell-code that consists purely of printable characters. It is believed to be difficult to achieve all this. @@ -88,15 +95,17 @@ A. Copyright, License and Warranty (C) Copyright 2010 by Matthias Andree, . Some rights reserved. -This work is licensed under the Creative Commons -Attribution-Noncommercial-No Derivative Works 3.0 Germany License. +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + To view a copy of this license, visit -http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: Creative Commons -171 Second Street -Suite 300 -SAN FRANCISCO, CALIFORNIA 94105 +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 USA @@ -115,16 +124,23 @@ or strip them manually. You may want to use the "-p1" flag to patch. Whitespace differences can usually be ignored by invoking "patch -l", so try this if the patch does not apply. ---- a/sdump.c +- --- a/sdump.c +++ b/sdump.c 
@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len) if (isprint((unsigned char)in[i])) { *(oi++) = in[i]; } else { -- oi += sprintf(oi, "\\x%02X", in[i]); +- - oi += sprintf(oi, "\\x%02X", in[i]); + oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]); } } *oi = '\0'; END OF fetchmail-SA-2010-01.txt +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZX0pACg7jUxqFQzdhdVDXk/izXBNkfg +ZBgAnAhDK4mYPoCzoiaJhEHM6rET4W+v +=AX1N +-----END PGP SIGNATURE-----
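Review bot: in the header hunk (@@ -1,16 +1,19 @@), the new CVSSv2 vector scores confidentiality as C:N while the unchanged Impact line still says "Code injection (difficult)"; a successful code injection would normally carry a confidentiality impact as well, so either the vector or the Impact wording should be reconciled before the signed version is published.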
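Review bot: in the release-history hunk (@@ -19,12 +22,16 @@), the new entry "2010-02-09 1.1 added CVE/CVSS, Announced: date" is not matched by the Version: field in the header, which still reads 1.0; bump it to 1.1 so the two agree. The Corrected: line now cites both the SVN revision and the Git commit, which is good, but the two lines should be indented consistently with the "2010-02-05 fetchmail release 6.3.14" continuation so that a reader does not take the Git id for a separate field.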
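Review bot: the "- " to "- - " rewrites of the bullet list in the exploitability hunk (@@ -50,14 +57,14 @@) are not content edits; they are the dash-escaping that PGP clearsigning applies to every line starting with "-" (RFC 4880, section 7.1). Committing the clearsigned text means the plain-text copy in the repository now reads with doubled dashes, and any later edit to the body invalidates the signature. Consider keeping the unsigned source under version control and generating the signed .txt at release time, or at least documenting that the file must be regenerated rather than hand-edited.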
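Review bot: in the copyright hunk (@@ -88,15 +95,17 @@), dropping the Noncommercial term (Attribution-Noncommercial-No Derivative Works 3.0 to Attribution-NoDerivs 3.0) is a material relicensing rather than a wording fix, and the 1.1 release-history entry does not mention it; add it there. The added blank line between "(CC BY-ND 3.0)." and "To view a copy of this license, visit" also splits what was one paragraph; drop it unless the break is intended.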
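Review bot: the embedded sdump.c change in the patch hunk (@@ -115,16 +124,23 @@) is the right fix: with a signed char, any in[i] in 0x80..0xFF is sign-extended to a negative int when passed to sprintf, so "%02X" emits eight hex digits (\xFFFFFFnn) where the output buffer was sized for two, which is exactly the "\xFF..FFnn" overrun the advisory describes; casting to (unsigned char) matches the isprint() call on the preceding line and bounds each escape to four output bytes. Separately, because the advisory is now clearsigned, the quoted patch's "--- a/sdump.c" and removed "-" line appear dash-escaped as "- ---" and "- -", so the patch will not apply as copied from this file; the sentence above it that mentions stripping "them manually" should also point readers at gpg --decrypt, which verifies the signature and writes out the unescaped text, before they run patch.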