1 fetchmail-SA-2007-02: Crash when a local warning message is rejected
3 Topics: Crash when a fetchmail-generated warning message is rejected
5 Author: Matthias Andree
8 Type: NULL pointer dereference trigged by outside circumstances
9 Impact: denial of service possible
11 CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)
14 CVE Name: CVE-2007-4565
15 URL: http://www.fetchmail.info/fetchmail-SA-2007-02.txt
16 Project URL: http://www.fetchmail.info/
18 Affects: fetchmail release < 6.3.9 exclusively
20 Not affected: fetchmail release 6.3.9 and newer
21 fetchmail releases < 4.6.8 exclusively
23 Corrected: 2007-07-29 fetchmail SVN (rev 5119)
29 2007-07-29 1.0 first draft for MITRE/CVE (visible in SVN)
30 2007-08-28 1.1 reworked, added fix, official release
36 fetchmail is a software package to retrieve mail from remote POP2, POP3,
37 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
38 message delivery agents.
40 fetchmail ships with a graphical, Python/Tkinter based configuration
41 utility named "fetchmailconf" to help the user create configuration (run
42 control) files for fetchmail.
45 2. Problem description and Impact
46 =================================
48 fetchmail will generate warning messages in certain circumstances and
49 send them to the local postmaster or the user starting it. Such warning
50 messages can be generated, for instance, if logging into an upstream
51 server fails repeatedly or if messages beyond the size limit (if
52 configured, default: no limit) are left on the server.
54 If this warning message is then refused by the SMTP listener that
55 fetchmail is forwarding the message to, fetchmail attempts to
56 dereference a NULL pointer when trying to find out if it should allow a
57 bounce message to be sent.
59 This causes fetchmail to crash and not collect further messages until it
62 Risk assessment: low. In default configuration, fetchmail will talk
63 through the loopback interface, that means to the SMTP server on the same
64 computer as it is running on. Otherwise, it will commonly be configured
65 to talk to trusted SMTP servers, so a compromise or misconfiguration of
66 a trusted or the same computer is required to exploit this problem -
67 which usually opens up much easier ways of denying service, or worse.
73 There are two alternatives, either of them by itself is sufficient:
75 a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
76 recompile and reinstall it.
78 b. Install fetchmail 6.3.9 or newer when it becomes available. The
79 fetchmail source code is available from
80 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
82 Note there are no workarounds presented here since all known workarounds
83 are more intrusive than the actual solution.
86 A. Copyright, License and Warranty
87 ==================================
89 (C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
92 This work is licensed under the Creative Commons
93 Attribution-NonCommercial-NoDerivs German License. To view a copy of
94 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
95 or send a letter to Creative Commons; 559 Nathan Abbott Way;
96 Stanford, California 94305; USA.
98 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
99 Use the information herein at your own risk.
103 B. Patch to remedy the problem
104 ==============================
107 ===================================================================
108 --- sink.c (revision 5118)
109 +++ sink.c (revision 5119)
111 const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
113 /* don't bounce in reply to undeliverable bounces */
114 - if (!msg->return_path[0] ||
115 + if (!msg || !msg->return_path[0] ||
116 strcmp(msg->return_path, "<>") == 0 ||
117 strcasecmp(msg->return_path, md1) == 0 ||
118 strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
120 END OF fetchmail-SA-2007-02.txt