Topic: remote code injection vulnerability in fetchmail
Author: Matthias Andree
-Version: 1.00
+Version: 1.01
Announced: 2005-07-21
Type: buffer overrun/stack corruption/code injection
Impact: account or system compromise possible through malicious
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html
http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
+Thanks: Edward J. Shornock (located the bug in UIDL code)
+ Miloslav Trmac (pointed out 6.2.5.1 was faulty)
+ Ludwig Nussel (provided minimal fix)
-Affects: fetchmail version 6.2.5
- fetchmail version 6.2.0
+Affects: fetchmail version 6.2.5.1 (denial of service)
+ fetchmail version 6.2.5 (code injection)
+ fetchmail version 6.2.0 (code injection)
(other versions have not been checked)
-Not affected: fetchmail 6.2.5.1
- fetchmail 6.2.6-pre5 (not released yet)
+Not affected: fetchmail 6.2.5.2
+ fetchmail 6.2.6-pre6
fetchmail 6.3.0 (not released yet)
Older versions may not have THIS bug, but had been found
to contain other security-relevant bugs.
-Corrected: 2005-07-20 15:22 UTC (SVN) - committed bugfix (r4143)
- 2005-07-20 fetchmail-patch-6.2.5.1 released
+Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
+ 2005-07-22 fetchmail-patch-6.2.5.2 released
0. Release history
-2005-07-20 1.00 initial announcement
+2005-07-20 1.00 - Initial announcement
+2005-07-22 1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy
+ and susceptible to denial of service through
+ single-byte read from 0 when either a Message-ID:
+ header was empty or the UIDL response did not
+ contain an URL.
+ - Add Credits.
+ - Add 6.2.5.1 failure details to sections 2 and 3
+ - Revise section 5 and B.
1. Background
2. Problem description
-The POP3 code that deals with UIDs (from the UIDL) reads the responses
-returned by the POP3 server into fixed-size buffers allocated on the
-stack, without limiting the input length to the buffer size. A
-compromised or malicious POP3 server can thus overrun fetchmail's stack.
-This affects POP3 and all of its variants, for instance but not limited
-to APOP.
+The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
+the UIDL) reads the responses returned by the POP3 server into
+fixed-size buffers allocated on the stack, without limiting the input
+length to the buffer size. A compromised or malicious POP3 server can
+thus overrun fetchmail's stack. This affects POP3 and all of its
+variants, for instance but not limited to APOP.
+
+In fetchmail-6.2.5.1, the attempted fix prevented code injection via
+POP3 UIDL, but introduced two possible NULL dereferences that can be
+exploited to mount a denial of service attack.
3. Impact
-Very long UIDs can cause fetchmail to crash, or potentially make it
-execute code placed on the stack. In some configurations, fetchmail
-is run by the root user to download mail for multiple accounts.
+In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
+crash, or potentially make it execute code placed on the stack. In some
+configurations, fetchmail is run by the root user to download mail for
+multiple accounts.
+
+In fetchmail-6.2.5.1, a server that responds with UID lines containing
+only the article number but no UID (in violation of RFC-1939), or a
+message without Message-ID when no UIDL support is available, can crash
+fetchmail.
4. Workaround
5. Solution
-Upgrade your fetchmail package to version 6.2.5.1.
+Upgrade your fetchmail package to version 6.2.5.2.
+
This requires the download of the fetchmail-6.2.5.tar.gz tarball and the
-fetchmail-patch-6.2.5.1.gz from BerliOS:
+fetchmail-patch-6.2.5.2.gz from BerliOS:
<http://developer.berlios.de/project/showfiles.php?group_id=1824>
-Note that the files may be hidden from view later as new releases become
-available.
+To use the patch:
-Instructions for patching are given at
-<http://developer.berlios.de/forum/forum.php?forum_id=13104>
+ 1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already
+ had downloaded) and fetchmail-patch-6.2.5.2.tar.gz
+ 2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf -
+ 3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz
+ 4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-6.2.5.2
+ 5. now configure and build as usual - detailed instructions in the file
+ named "INSTALL".
A. References
fetchmail home page: <http://fetchmail.berlios.de/>
-B. Copyright and License
+B. Copyright, License and Warranty
(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
END OF fetchmail-SA-2005-01.txt
projects / ~andy / fetchmail / commitdiff