1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2008-01: Crash on large log messages in verbose mode
6 Topics: Crash in large log messages in verbose mode.
8 Author: Matthias Andree
11 Type: Dereferencing garbage pointer trigged by outside circumstances
12 Impact: denial of service possible
14 CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)
16 Credits: Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report)
17 CVE Name: CVE-2008-2711
18 URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt
19 Project URL: http://www.fetchmail.info/
21 Affects: fetchmail release < 6.3.9 exclusively
23 Not affected: fetchmail release 6.3.9 and newer
24 systems without varargs (stdargs.h) support.
26 Corrected: 2008-06-13 fetchmail SVN (rev 5193)
28 References: <https://bugzilla.novell.com/show_bug.cgi?id=354291>
29 <http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824>
35 2008-06-13 1.0 first draft for MITRE/CVE (visible in SVN,
36 posted to oss-security)
37 2008-06-17 1.0 published on http://www.fetchmail.info/
43 fetchmail is a software package to retrieve mail from remote POP2, POP3,
44 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
45 message delivery agents.
47 fetchmail ships with a graphical, Python/Tkinter based configuration
48 utility named "fetchmailconf" to help the user create configuration (run
49 control) files for fetchmail.
52 2. Problem description and Impact
53 =================================
55 Gunter Nau reported fetchmail crashing on some messages; further
56 debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
57 dug up that this happened when fetchmail was trying to print, in -v -v
58 verbose level, headers exceeding 2048 bytes. In this situation,
59 fetchmail would resize the buffer and fill in further parts of the
60 message, but forget to reinitialize its va_list typed source pointer,
61 thus reading data from a garbage address found on the stack at
62 addresses above the function arguments the caller passed in; usually
63 that would be the caller's stack frame.
65 It is unknown whether code can be injected remotely, but given that
66 the segmentation fault is caused by read accesses, the relevant data
67 is not under the remote attacker's control and no buffer overrun
68 situation is present that would allow altering program /flow/, it is
69 deemed rather unlikely that code can be injected.
71 Note that the required -vv configuration at hand is both non-default
72 and also not common in automated (cron job) setups, but usually used
73 in manual debugging, so not many systems would be affected by the
74 problem. Nonetheless, in vulnerable configurations, it is remotely
75 exploitable to effect a denial of service attack.
82 There are two alternatives, either of them by itself is sufficient:
84 a. Apply the patch found in section B of this announcement to
85 fetchmail 6.3.8, recompile and reinstall it.
87 b. Install fetchmail 6.3.9 or newer after it will have become available.
88 The fetchmail source code is always available from
89 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
95 Run fetchmail at low verbosity, avoid using two or three -v arguments;
96 internal messages are short and do not contain external message
97 sources so they do not cause buffer resizing. It is recommended to
98 replace the vulnerable code by a fixed version (see previous
99 section 3. Solution) as soon as reasonably possible.
102 A. Copyright, License and Warranty
103 ==================================
105 (C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>.
106 Some rights reserved.
108 This work is licensed under the Creative Commons
109 Attribution-NonCommercial-NoDerivs German License. To view a copy of
110 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
111 or send a letter to Creative Commons; 559 Nathan Abbott Way;
112 Stanford, California 94305; USA.
114 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
115 Use the information herein at your own risk.
119 B. Patch to remedy the problem
120 ==============================
122 diff --git a/report.c b/report.c
123 index 31d4e48..2a731ac 100644
126 @@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
129 #if defined(VA_START)
130 - - VA_START (args, message);
134 + * args has to be initialized before every call of vsnprintf(),
135 + * because vsnprintf() invokes va_arg macro and thus args is
136 + * undefined after the call.
138 + VA_START(args, message);
139 n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
144 && (unsigned)n < partial_message_size - partial_message_size_used)
145 @@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
146 partial_message_size += 2048;
147 partial_message = REALLOC (partial_message, partial_message_size);
154 END OF fetchmail-SA-2008-01.txt
155 -----BEGIN PGP SIGNATURE-----
156 Version: GnuPG v1.4.5 (GNU/Linux)
158 iD8DBQFIV7WYvmGDOQUufZURAs7/AJ49LCd2q34puZHNe4GxcXnsOtB8DQCg7mth
159 BUgZUxZxPInU60c9rNFbOm8=
161 -----END PGP SIGNATURE-----