fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics:         fetchmail denial of service in NTLM protocol phase

Author:         Matthias Andree

Type:           crash while reading from bad memory location
Impact:         fetchmail segfaults and aborts, stalling inbound mail

Acknowledgment: J. Porter Clark

URL:            http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL:    http://www.fetchmail.info/

Affects:        - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected:   - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in:   2012-08-13 Git, among others, see commit
                3fbc7cd331602c76f882d1b507cd05c1d824ba8b

                2012-08-xx fetchmail 6.3.22 release tarball

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.

2. Problem description and Impact
=================================

Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM
authentication request, but never checked whether the received response
was an NTLM protocol exchange or a server-side error message. Instead,
fetchmail tried to decode the error message as though it were a
base64-encoded protocol exchange, and could then segfault, subject to
verbosity and other circumstances, while reading data from bad memory
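
Added example (not fetchmail's code and not the fix from the commit named above): a C check of the kind the description says was missing, which validates a server reply before treating it as an NTLM challenge. It assumes the POP3/IMAP continuation form "+ <base64>" and the NTLM type-2 layout (8-byte "NTLMSSP\0" signature, little-endian message type 2, at least 32 bytes); the function names and sample replies are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Strict base64 decoder: returns the decoded length, or -1 on an invalid
 * character, misplaced padding, or insufficient output space. */
static int b64_decode(const char *in, size_t len, unsigned char *out, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i += 4) {
        unsigned v = 0; int pad = 0;
        for (int j = 0; j < 4; j++) {
            const char *p = memchr(tbl, in[i + j], 64);
            if (in[i + j] == '=' && i + 4 == len && j >= 2) { pad++; v <<= 6; continue; }
            if (pad || !p) return -1;
            v = (v << 6) | (unsigned)(p - tbl);
        }
        if (n + 3 - pad > cap) return -1;
        out[n++] = (v >> 16) & 0xff;
        if (pad < 2) out[n++] = (v >> 8) & 0xff;
        if (pad < 1) out[n++] = v & 0xff;
    }
    return (int)n;
}

/* Returns the decoded length of a plausible NTLM type-2 (challenge) message,
 * or -1 if the reply is an error line, not base64, or not an NTLM challenge. */
int ntlm_challenge_from_reply(const char *line, unsigned char *out, size_t cap)
{
    /* "NTLMSSP\0" signature followed by little-endian message type 2 */
    static const unsigned char hdr[12] = {'N','T','L','M','S','S','P',0, 2,0,0,0};
    int n;
    if (strncmp(line, "+ ", 2) != 0) return -1;   /* e.g. "-ERR ...", "A1 NO ..." */
    n = b64_decode(line + 2, strcspn(line + 2, "\r\n"), out, cap);
    if (n < 32 || memcmp(out, hdr, sizeof hdr) != 0) return -1;
    return n;
}

int main(void)
{
    unsigned char out[64];
    /* Constructed replies: an error line, then a minimal type-2 message. */
    printf("%d\n", ntlm_challenge_from_reply("-ERR NTLM not enabled\r\n", out, sizeof out));
    printf("%d\n", ntlm_challenge_from_reply("+ TlRMTVNTUAAC" "AAAAAAAAAA"
           "AAAAAAAAAA" "AAAAAAAAAA" "A=\r\n", out, sizeof out));
    return 0;
}
```

The caller proceeds to the NTLM response step only on a non-negative return; any other reply is handled as an authentication failure.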

Install fetchmail 6.3.22 or newer.

The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.

Distributors are encouraged to review the NEWS file and move forward to
6.3.22, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued, or documentation.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
interface incompatibly.

A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2012 by Matthias Andree, <matthias.andree@gmx.de>.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
MOUNTAIN VIEW, CALIFORNIA 94041

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2012-02