fetchmail-SA-2005-02: security announcement

Topic: password exposure in fetchmailconf

Author: Matthias Andree

Type: insecure creation of file
Impact: passwords are written to a world-readable file
Danger: low: the time window during which the passwords are

CVE Name: CAN-2005-3088
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt

Affects: fetchmail version 6.2.5.2
         fetchmail version 6.2.5
         fetchmail version 6.2.0
         fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
         (other versions have not been checked but are presumed

Not affected: fetchmail 6.2.9-rc6 (XX not released yet)
              fetchmail 6.3.0 (not released yet)

Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
           2005-09-28 - released fetchmailconf-1.43.1
           XX (add date of 6.2.9-rc6 release here)

2005-XX-XX 1.00 - Initial announcement
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.
2. Problem description and Impact
The fetchmailconf program before and excluding version 1.49 opened the
run control file, wrote the configuration to it, and only then changed
the mode to 0600 (rw-------). Because the file is created with the mode
derived from the user's umask (typically world-readable), writing the
configuration, which usually contains passwords, before making the file
unreadable to other users leaves those passwords exposed to other local
users until the chmod runs.
Run "umask 077", then run "fetchmailconf" from the same shell.
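To make the ordering problem from section 2 and the effect of the umask workaround concrete, here is an added Python 3 example; it is not fetchmailconf's own code. One function reproduces the pre-fix sequence (open, write, then chmod) and reports the mode the file carried while the passwords were already on disk; the other creates the file with mode 0600 at open time and tightens it with fchmod before the first write, which also covers a pre-existing, more permissive file. The sample run-control text, server name and password are constructed placeholders, and 0o600 is Python 3 spelling for the 0600 used in the patch.

```python
import os
import stat
import tempfile

# Constructed sample run-control text standing in for what fetchmailconf
# writes; the server name and password are placeholders, not real data.
SAMPLE_RC = (
    "# Configuration created by this example, not by fetchmailconf\n"
    "poll pop.example.invalid with proto POP3\n"
    '  user "alice" there with password "PLACEHOLDER-PASSWORD" is "alice" here\n'
)


def write_rc_vulnerable(path, text):
    """Pre-fix ordering: open() with umask-derived mode, write, then chmod.

    Returns the permission bits the file carried while the passwords were
    already on disk, i.e. before os.chmod ran."""
    fm = open(path, "w")          # mode is 0666 & ~umask, typically 0644
    fm.write(text)
    fm.flush()                    # data is now on disk and readable by others
    mode_while_exposed = stat.S_IMODE(os.stat(path).st_mode)
    fm.close()
    os.chmod(path, 0o600)         # the original post-write chmod: too late
    return mode_while_exposed


def write_rc_hardened(path, text):
    """Create the file with mode 0600 at open time, then fchmod before the
    first write so a pre-existing, more permissive file is tightened too."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)          # covers the case where path already existed
    with os.fdopen(fd, "w") as fm:
        fm.write(text)
        fm.flush()
        mode_while_writing = stat.S_IMODE(os.stat(path).st_mode)
    return mode_while_writing


def world_readable(mode):
    """True if group or others have read permission in the given mode bits."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo(umask=0o022):
    """Run both writers under the given umask (0o022 is the common default
    that triggers the exposure) and return (vulnerable_mode, hardened_mode)."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            vuln = write_rc_vulnerable(os.path.join(d, "vuln.fetchmailrc"), SAMPLE_RC)
            safe = write_rc_hardened(os.path.join(d, "safe.fetchmailrc"), SAMPLE_RC)
    finally:
        os.umask(old_umask)
    return vuln, safe


if __name__ == "__main__":
    vuln, safe = demo()
    print("pre-fix ordering, mode while writing:  %04o (world-readable: %s)"
          % (vuln, world_readable(vuln)))
    print("hardened creation, mode while writing: %04o (world-readable: %s)"
          % (safe, world_readable(safe)))
    # The "umask 077" workaround makes even the old ordering safe, because
    # open() then creates the file as 0600 from the start.
    vuln_under_workaround, _ = demo(0o077)
    print("pre-fix ordering under umask 077:       %04o" % vuln_under_workaround)
```

Under the default umask the vulnerable writer leaves the file at 0644 with the passwords already in it; the hardened writer is 0600 from the moment it exists, and running the vulnerable writer under umask 077 also yields 0600, which is exactly why the shell workaround above is effective.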
Download fetchmailconf-1.43.1.gz from fetchmail's project site
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>,
gunzip it, then replace your existing fetchmailconf with it.

Alternatively, apply this patch to fetchmailconf and install the patched
version (you need to save this announcement unaltered to a file unless
you are sure that your system preserves HTAB characters on copy and
paste operations). The patch, with modified version number and in
unified format, is also available from the URL above.
68 *** ./fetchmailconf.orig Wed Sep 28 03:28:58 2005
69 --- ./fetchmailconf Wed Sep 28 03:33:11 2005
73 fm = open(self.outfile, 'w')
75 fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
76 fm.write(`self.configuration`)
79 - if fm != sys.stdout:
80 - os.chmod(self.outfile, 0600)
86 fm = open(self.outfile, 'w')
88 + if fm != sys.stdout:
89 + os.chmod(self.outfile, 0600)
90 fm.write("# Configuration created %s by fetchmailconf\n" % time.ctime(time.time()))
91 fm.write(`self.configuration`)
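Review bot: moving the os.chmod(self.outfile, 0600) ahead of the two fm.write calls closes the window in which the configuration (and its passwords) sat in a world-readable file, but open(self.outfile, 'w') still creates the file with permissions derived from the caller's umask, so a short interval remains between creation and chmod; only an empty, freshly truncated file is exposed during that interval, so the residual risk is small, but creating the file with `os.open(self.outfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` and wrapping it with `os.fdopen` would remove it entirely and also handle a pre-existing file with loose permissions in one step. Separately, in the visible context fm has just been assigned from open(), so the `if fm != sys.stdout:` guard is always true here; if an earlier branch of the function assigns sys.stdout to fm, a comment pointing that out would help, otherwise the check is dead code.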
fetchmail home page: <http://fetchmail.berlios.de/>

B. Copyright, License and Warranty

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2005-02.txt