1 fetchmail-SA-2008-01: Crash on large log messages in verbose mode
3 Topics: Crash in large log messages in verbose mode.
5 Author: Matthias Andree
8 Type: Dereferencing garbage pointer trigged by outside circumstances
9 Impact: denial of service possible
11 CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)
13 Credits: Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report)
15 URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt
16 Project URL: http://www.fetchmail.info/
18 Affects: fetchmail release < 6.3.9 exclusively
20 Not affected: fetchmail release 6.3.9 and newer
21 systems without varargs (stdargs.h) support.
23 Corrected: 2008-06-13 fetchmail SVN (rev XXX)
25 References: <https://bugzilla.novell.com/show_bug.cgi?id=354291>
26 <http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824>
31 2008-06-13 1.0 first draft for MITRE/CVE (visible in SVN)
37 fetchmail is a software package to retrieve mail from remote POP2, POP3,
38 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
39 message delivery agents.
41 fetchmail ships with a graphical, Python/Tkinter based configuration
42 utility named "fetchmailconf" to help the user create configuration (run
43 control) files for fetchmail.
46 2. Problem description and Impact
47 =================================
49 Gunter Nau reported fetchmail crashing on some messages; further
50 debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
51 dug up that this happened when fetchmail was trying to print, in -v -v
52 verbose level, headers exceeding 2048 bytes. In this situation,
53 fetchmail would resize the buffer and fill in further parts of the
54 message, but forget to reinitialize its va_list typed source pointer,
55 thus reading data from a garbage address found on the stack at
56 addresses above the function arguments the caller passed in; usually
57 that would be the caller's stack frame.
59 It is unknown whether code can be injected remotely, but given that
60 the segmentation fault is caused by read accesses, the relevant data
61 is not under the remote attacker's control and no buffer overrun
62 situation is present that would allow altering program /flow/, it is
63 deemed rather unlikely that code can be injected.
65 Note that the required -vv configuration at hand is both non-default
66 and also not common in automated (cron job) setups, but usually used
67 in manual debugging, so not many systems would be affected by the
68 problem. Nonetheless, in vulnerable configurations, it is remotely
69 exploitable to effect a denial of service attack.
76 There are two alternatives, either of them by itself is sufficient:
78 a. Apply the patch found in section B of this announcement to
79 fetchmail 6.3.8, recompile and reinstall it.
81 b. Install fetchmail 6.3.9 or newer after it will have become available.
82 The fetchmail source code is always available from
83 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
89 Run fetchmail at low verbosity, avoid using two or three -v arguments;
90 internal messages are short and do not contain external message
91 sources so they do not cause buffer resizing. It is recommended to
92 replace the vulnerable code by a fixed version (see previous
93 section 3. Solution) as soon as reasonably possible.
96 A. Copyright, License and Warranty
97 ==================================
99 (C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>.
100 Some rights reserved.
102 This work is licensed under the Creative Commons
103 Attribution-NonCommercial-NoDerivs German License. To view a copy of
104 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
105 or send a letter to Creative Commons; 559 Nathan Abbott Way;
106 Stanford, California 94305; USA.
108 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
109 Use the information herein at your own risk.
113 B. Patch to remedy the problem
114 ==============================
116 diff --git a/report.c b/report.c
117 index 31d4e48..2a731ac 100644
120 @@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
123 #if defined(VA_START)
124 - VA_START (args, message);
128 + * args has to be initialized before every call of vsnprintf(),
129 + * because vsnprintf() invokes va_arg macro and thus args is
130 + * undefined after the call.
132 + VA_START(args, message);
133 n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
138 && (unsigned)n < partial_message_size - partial_message_size_used)
139 @@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
140 partial_message_size += 2048;
141 partial_message = REALLOC (partial_message, partial_message_size);
148 END OF fetchmail-SA-2008-01.txt