1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales
6 Topics: Denial of service in debug output
8 Author: Matthias Andree
11 Type: Unbounded allocation of memory until exhaustion
12 Impact: Denial of service
15 CVE Name: CVE-2010-1167
16 CVSSv2: (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:O/RC:C)
17 CVSS scores: 3.2, Base 4.3 (Impact 2.9, Exploitability 8.6), Temporal 3.2
18 This is calculated without Environmental Score.
19 URL: http://www.fetchmail.info/fetchmail-SA-2010-02.txt
20 Project URL: http://www.fetchmail.info/
22 Affects: fetchmail releases 4.6.3 up to and including 6.3.16
24 Not affected: fetchmail release 6.3.17 and newer
26 Corrected: 2010-04-24 Git, required commits:
27 167fa2093e82f891eb2fcb6eaa0b1eb3685f44e3
28 ec06293134b85876f9201d8a52b844c41581b2b3
30 2010-04-30 fetchmail 6.3.17-pre1 tarball
32 2010-05-06 fetchmail 6.3.17 release tarball
38 2010-04-18 0.1 first draft (visible in SVN and through oss-security)
39 2010-04-19 0.2 add note announcements may appear before releases
40 2010-04-20 0.3 add CVE name, fix Type:
41 2010-04-24 0.4 revise patch
42 2010-04-29 0.5 add info on contributing/mitigating factors
43 2010-05-06 1.0 complete
49 fetchmail is a software package to retrieve mail from remote POP2, POP3,
50 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
51 message delivery agents. It supports SSL and TLS security layers through
52 the OpenSSL library, if enabled at compile time and if also enabled at
56 2. Problem description and Impact
57 =================================
59 In debug mode (-v -v), fetchmail prints information that was obtained from the
60 upstream server (POP3 UIDL lists) or from message headers retrieved from it.
61 If printing such information fails, for instance because there are invalid
62 multibyte character sequences in this information (message headers), fetchmail
63 will misinterpret this condition, and believe that the buffer was too small,
64 and reallocate a bigger one (with linearly increasing buffer size), and repeat,
65 until the allocation fails. At that point, fetchmail will abort.
67 The exact combination of contributing and mitigating factors is not
68 fully understood; GNU glibc 2.7 and 2.10.1 on i586 report EILSEQ when
69 printing invalid sequences through a %.*s format string in multibyte
70 locales such as de_DE.UTF-8; NetBSD 5, FreeBSD 8 and Solaris 10 do not.
71 However, the issue is a genuine fetchmail bug that deserves a fix.
73 Note that the "Affects:" line above may be inaccurate, and it may be that
74 versions before 5.6.6 are actually unaffected. The author was unable to
75 compile such old fetchmail versions to verify the existence of the bug.
76 Given that other security issues are present in such versions, those should
77 not be used, and the wider version range was listed as vulnerable to err
84 There are two alternatives, either of them by itself is sufficient:
86 a. Apply the patch found in section B of this announcement to
87 fetchmail 6.3.14 or newer, recompile and reinstall it.
89 b. Install fetchmail 6.3.17 or newer after it will have become available.
90 (Note that the announcements may be publicly visible quite some time
91 before the release is made, particularly for minor bugs.)
92 The fetchmail source code is always available from
93 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
99 Run fetchmail with at most one -v (--verbose) option.
102 A. Copyright, License and Warranty
103 ==================================
105 (C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
106 Some rights reserved.
108 This work is licensed under the
109 Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
111 To view a copy of this license, visit
112 http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
118 MOUNTAIN VIEW, CALIFORNIA 94041
122 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
123 Use the information herein at your own risk.
126 B. Patch to remedy the problem
127 ==============================
129 Note that when taking this from a GnuPG clearsigned file, the lines
130 starting with a "-" character are prefixed by another "- " (dash +
131 blank) combination. Either feed this file through GnuPG to strip them,
132 or strip them manually. You may want to use the "-p1" flag to patch.
134 Whitespace differences can usually be ignored by invoking "patch -l",
135 so try this if the patch does not apply.
137 diff --git a/rfc822.c b/rfc822.c
138 index 6f2dbf3..dbcda32 100644
141 @@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator.
144 #include "fetchmail.h"
149 @@ -74,9 +75,10 @@ char *reply_hack(
153 - - if (outlevel >= O_DEBUG)
154 - - report_build(stdout, GT_("About to rewrite %.*s...\n"),
155 - - (int)BEFORE_EOL(buf), buf);
156 + if (outlevel >= O_DEBUG) {
157 + report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf))));
161 /* make room to hack the address; buf must be malloced */
162 for (cp = buf; *cp; cp++)
163 @@ -211,9 +213,12 @@ char *reply_hack(
167 - - if (outlevel >= O_DEBUG)
168 - - report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
169 - - (int)BEFORE_EOL(buf), buf);
170 + if (outlevel >= O_DEBUG) {
171 + report_complete(stdout, GT_("...rewritten version is %s.\n"),
172 + (cp = sdump(buf, BEFORE_EOL(buf))));
177 *length = strlen(buf);
179 diff --git a/uid.c b/uid.c
180 index fdc6f5d..9a62ee2 100644
185 #include "fetchmail.h"
190 * Machinery for handling UID lists live here. This is mainly to support
191 @@ -249,8 +250,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
193 report_build(stdout, GT_("Old UID list from %s:"),
194 ctl->server.pollname);
195 - - for (idp = ctl->oldsaved; idp; idp = idp->next)
196 - - report_build(stdout, " %s", idp->id);
197 + for (idp = ctl->oldsaved; idp; idp = idp->next) {
198 + char *t = sdump(idp->id, strlen(idp->id));
199 + report_build(stdout, " %s", t);
203 report_build(stdout, GT_(" <empty>"));
204 report_complete(stdout, "\n");
205 @@ -260,8 +264,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
208 report_build(stdout, GT_("Scratch list of UIDs:"));
209 - - for (idp = scratchlist; idp; idp = idp->next)
210 - - report_build(stdout, " %s", idp->id);
211 + for (idp = scratchlist; idp; idp = idp->next) {
212 + char *t = sdump(idp->id, strlen(idp->id));
213 + report_build(stdout, " %s", t);
217 report_build(stdout, GT_(" <empty>"));
218 report_complete(stdout, "\n");
219 @@ -517,8 +524,11 @@ void uid_swap_lists(struct query *ctl)
220 report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
222 report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname);
223 - - for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
224 - - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
225 + for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) {
226 + char *t = sdump(idp->id, strlen(idp->id));
227 + report_build(stdout, " %s = %d", t, idp->val.status.mark);
231 report_build(stdout, GT_(" <empty>"));
232 report_complete(stdout, "\n");
233 @@ -567,8 +577,11 @@ void uid_discard_new_list(struct query *ctl)
234 /* this is now a merged list! the mails which were seen in this
235 * poll are marked here. */
236 report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
237 - - for (idp = ctl->oldsaved; idp; idp = idp->next)
238 - - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
239 + for (idp = ctl->oldsaved; idp; idp = idp->next) {
240 + char *t = sdump(idp->id, strlen(idp->id));
241 + report_build(stdout, " %s = %d", t, idp->val.status.mark);
245 report_build(stdout, GT_(" <empty>"));
246 report_complete(stdout, "\n");
247 -----BEGIN PGP SIGNATURE-----
248 Version: GnuPG v1.4.11 (GNU/Linux)
250 iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVpfQCcD3U6m1MbJOFZV4FgI7e042vF
251 HcEAn0j6ZFwp9dh2G7PJSkN9CM0XazyJ
253 -----END PGP SIGNATURE-----
projects / ~andy / fetchmail / blob