1 - DRAFT - XXX - DRAFT -
3 fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales
5 Topics: Denial of service in debug output.
7 Author: Matthias Andree
10 Type: malloc() Buffer overrun with printable characters
11 Impact: Denial of service.
14 CVE Name: CVE-2010-XXXX
16 URL: http://www.fetchmail.info/fetchmail-SA-2010-02.txt
17 Project URL: http://www.fetchmail.info/
19 Affects: fetchmail releases 4.6.3 up to and including 6.3.16
21 Not affected: fetchmail release 6.3.17 and newer
23 Corrected: 2010-04-18 Git (XXX)
29 2010-04-18 0.1 first draft (visible in SVN and through oss-security)
36 fetchmail is a software package to retrieve mail from remote POP2, POP3,
37 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
38 message delivery agents. It supports SSL and TLS security layers through
39 the OpenSSL library, if enabled at compile time and if also enabled at
43 2. Problem description and Impact
44 =================================
46 In debug mode (-v -v), fetchmail prints information that was obtained from the
47 upstream server (POP3 UIDL lists) or from message headers retrieved from it.
48 If printing such information fails, for instance because there are invalid
49 multibyte character sequences in this information (message headers), fetchmail
50 will misinterpret this condition, and believe that the buffer was too small,
51 and reallocate a bigger one (with linearly increasing buffer size), and repeat,
52 until the allocation fails. At that point, fetchmail will abort.
54 Note that the "Affects:" line above may be inaccurate, and it may be that
55 versions before 5.6.6 are actually unaffected. The author was unable to
56 compile such old fetchmail versions to verify the existence of the bug.
57 Given that other security issues are present in such versions, those should
58 not be used, and the wider version range was listed as vulnerable to err
65 There are two alternatives, either of them by itself is sufficient:
67 a. Apply the patch found in section B of this announcement to
68 fetchmail 6.3.14 or newer, recompile and reinstall it.
70 b. Install fetchmail 6.3.17 or newer after it will have become available.
71 (Note that the announcements may be publicly visible quite some time
72 before the release is made, particularly for minor bugs.)
73 The fetchmail source code is always available from
74 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
80 Run fetchmail with at most one -v (--verbose) option.
83 A. Copyright, License and Warranty
84 ==================================
86 (C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
89 This work is licensed under the Creative Commons
90 Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
91 To view a copy of this license, visit
92 http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
97 SAN FRANCISCO, CALIFORNIA 94105
101 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
102 Use the information herein at your own risk.
105 B. Patch to remedy the problem
106 ==============================
108 Note that when taking this from a GnuPG clearsigned file, the lines
109 starting with a "-" character are prefixed by another "- " (dash +
110 blank) combination. Either feed this file through GnuPG to strip them,
111 or strip them manually. You may want to use the "-p1" flag to patch.
113 Whitespace differences can usually be ignored by invoking "patch -l",
114 so try this if the patch does not apply.
116 diff --git a/rfc822.c b/rfc822.c
117 index 6f2dbf3..dbcda32 100644
120 @@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the demonstrator.
123 #include "fetchmail.h"
128 @@ -74,9 +75,10 @@ char *reply_hack(
132 - if (outlevel >= O_DEBUG)
133 - report_build(stdout, GT_("About to rewrite %.*s...\n"),
134 - (int)BEFORE_EOL(buf), buf);
135 + if (outlevel >= O_DEBUG) {
136 + report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf, BEFORE_EOL(buf))));
140 /* make room to hack the address; buf must be malloced */
141 for (cp = buf; *cp; cp++)
142 @@ -211,9 +213,12 @@ char *reply_hack(
146 - if (outlevel >= O_DEBUG)
147 - report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
148 - (int)BEFORE_EOL(buf), buf);
149 + if (outlevel >= O_DEBUG) {
150 + report_complete(stdout, GT_("...rewritten version is %s.\n"),
151 + (cp = sdump(buf, BEFORE_EOL(buf))));
156 *length = strlen(buf);
158 diff --git a/uid.c b/uid.c
159 index fdc6f5d..d813bee 100644
164 #include "fetchmail.h"
169 * Machinery for handling UID lists live here. This is mainly to support
170 @@ -260,8 +261,11 @@ void initialize_saved_lists(struct query *hostlist, const char *idfile)
173 report_build(stdout, GT_("Scratch list of UIDs:"));
174 - for (idp = scratchlist; idp; idp = idp->next)
175 - report_build(stdout, " %s", idp->id);
176 + for (idp = scratchlist; idp; idp = idp->next) {
177 + char *t = sdump(idp->id, strlen(idp->id));
178 + report_build(stdout, " %s", t);
182 report_build(stdout, GT_(" <empty>"));
183 report_complete(stdout, "\n");
184 @@ -517,8 +521,11 @@ void uid_swap_lists(struct query *ctl)
185 report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
187 report_build(stdout, GT_("New UID list from %s:"), ctl->server.pollname);
188 - for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next)
189 - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
190 + for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp = idp->next) {
191 + char *t = sdump(idp->id, strlen(idp->id));
192 + report_build(stdout, " %s = %d", t, idp->val.status.mark);
196 report_build(stdout, GT_(" <empty>"));
197 report_complete(stdout, "\n");
198 @@ -567,8 +574,11 @@ void uid_discard_new_list(struct query *ctl)
199 /* this is now a merged list! the mails which were seen in this
200 * poll are marked here. */
201 report_build(stdout, GT_("Merged UID list from %s:"), ctl->server.pollname);
202 - for (idp = ctl->oldsaved; idp; idp = idp->next)
203 - report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
204 + for (idp = ctl->oldsaved; idp; idp = idp->next) {
205 + char *t = sdump(idp->id, strlen(idp->id));
206 + report_build(stdout, " %s = %d", t, idp->val.status.mark);
210 report_build(stdout, GT_(" <empty>"));
211 report_complete(stdout, "\n");