X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2012-02.txt;h=e0761f49d64452ed903c6bb2cd86845eb8b8297d;hb=2199d611d9f4d4770fdd97be942d2e83bedc0569;hp=584706dad432e9460dfd11cfd0d71855081229f6;hpb=4bb8724c875163a426d7da7044b08582600367d1;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2012-02.txt b/fetchmail-SA-2012-02.txt index 584706da..e0761f49 100644 --- a/fetchmail-SA-2012-02.txt +++ b/fetchmail-SA-2012-02.txt @@ -1,15 +1,17 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode +fetchmail-SA-2012-02: DoS/data theft possible in NTLM authentication -Topics: fetchmail denial of service in NTLM protocol phase +Topics: fetchmail denial of service/data theft in NTLM protocol phase Author: Matthias Andree -Version: draft +Version: 1.0 Announced: 2012-08-13 -Type: crash while reading from bad memory location -Impact: fetchmail segfaults and aborts, stalling inbound mail +Type: reading from bad memory locations +Impact: fetchmail segfaults and aborts, stalling inbound mail, + or: fetchmail conveys data from bad locations, possibly + betraying confidential data Danger: low Acknowledgment: J. Porter Clark @@ -26,14 +28,13 @@ Not affected: - fetchmail releases compiled with NTLM support disabled Corrected in: 2012-08-13 Git, among others, see commit 3fbc7cd331602c76f882d1b507cd05c1d824ba8b - 2012-08-xx fetchmail 6.3.22 release tarball + 2012-08-29 fetchmail 6.3.22 release tarball 0. Release history ================== -2012-08-13 0.1 draft -2012-08-14 0.2 added CVE ID +2012-08-29 1.0 release 1. Background @@ -53,12 +54,16 @@ regular protocol ports. Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM authentication request, but never checked if the received response was -NTLM protocol exchange, or a server-side error message. Instead, -fetchmail tried to decode the error message as though it were -base64-encoded protocol exchange, and could then segfault, subject to -verbosity and other circumstances, while reading data from bad memory -locations. +an NTLM challenge, or a server-side error message. Instead, fetchmail +tried to decode the error message as though it were base64-encoded +protocol exchange, and could then segfault, subject to verbosity and +other circumstances, while reading data from bad memory locations. +Also, when the "Target Name" structure in the NTLM Type 2 message (the +challenge) was carefully crafted, fetchmail might read from the wrong +memory location, and send confidential data to the server that it should +not have. It is deemed hard, although not impossible, to steal +other accounts' data. 3. Solution =========== @@ -106,7 +111,7 @@ END of fetchmail-SA-2012-02 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) -iEYEARECAAYFAlAp5g0ACgkQvmGDOQUufZXtLwCg54tPXJZAXauGxJ77oRGox49g -WUIAnizjQ4AvBSzk3Oraqv+WCS+8wiMb -=NEZ4 +iEYEARECAAYFAlA+n3kACgkQvmGDOQUufZWzKwCfcOJF35eJ/bOio0VRfFFOiBsq +dNwAnicBBiqQOq9i7atwBr4gdZ5x+SUM +=+hqO -----END PGP SIGNATURE-----