-fetchmail-SA-2007-02: Crash when local warning message is rejected
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
-Topics: Crash when fetchmail-generated warning message is rejected
+fetchmail-SA-2007-02: Crash when a local warning message is rejected
+
+Topics: Crash when a fetchmail-generated warning message is rejected
Author: Matthias Andree
-Version: 1.0
-Announced: 2007-07-29
+Version: 1.1
+Announced: 2007-08-28
Type: NULL pointer dereference trigged by outside circumstances
Impact: denial of service possible
Danger: low
+CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)
+
Credits: Earl Chew
CVE Name: CVE-2007-4565
-URL: http://fetchmail.berlios.de/fetchmail-SA-2007-02.txt
-Project URL: http://fetchmail.berlios.de/
+URL: http://www.fetchmail.info/fetchmail-SA-2007-02.txt
+Project URL: http://www.fetchmail.info/
-Affects: fetchmail release < 6.3.9
+Affects: fetchmail release < 6.3.9 exclusively
-Not affected: fetchmail release 6.3.9 (not yet available)
+Not affected: fetchmail release 6.3.9 and newer
+ fetchmail releases < 4.6.8 exclusively
Corrected: 2007-07-29 fetchmail SVN (rev 5119)
==================
2007-07-29 1.0 first draft for MITRE/CVE (visible in SVN)
+2007-08-28 1.1 reworked, added fix, official release
1. Background
2. Problem description and Impact
=================================
-fetchmail will generated warning messages to the local postmaster or user in
-certain circumstances, for instance when authentication fails.
+fetchmail will generate warning messages in certain circumstances and
+send them to the local postmaster or the user starting it. Such warning
+messages can be generated, for instance, if logging into an upstream
+server fails repeatedly or if messages beyond the size limit (if
+configured, default: no limit) are left on the server.
+
+If this warning message is then refused by the SMTP listener that
+fetchmail is forwarding the message to, fetchmail attempts to
+dereference a NULL pointer when trying to find out if it should allow a
+bounce message to be sent.
-If this warning message is refused by the SMTP listener that fetchmail is
-talking to, fetchmail attempts to dereference a NULL pointer when trying to find
-out if it should allow a bounce message to be sent.
+This causes fetchmail to crash and not collect further messages until it
+is restarted.
+
+Risk assessment: low. In default configuration, fetchmail will talk
+through the loopback interface, that means to the SMTP server on the same
+computer as it is running on. Otherwise, it will commonly be configured
+to talk to trusted SMTP servers, so a compromise or misconfiguration of
+a trusted or the same computer is required to exploit this problem -
+which usually opens up much easier ways of denying service, or worse.
3. Solution
===========
-Install fetchmail 6.3.9 or newer. The fetchmail source code is available from
-<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+There are two alternatives, either of them by itself is sufficient:
+
+a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
+ recompile and reinstall it.
+
+b. Install fetchmail 6.3.9 or newer when it becomes available. The
+ fetchmail source code is available from
+ <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+Note there are no workarounds presented here since all known workarounds
+are more intrusive than the actual solution.
A. Copyright, License and Warranty
(C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
-This work is licensed under the Creative Commons
-Attribution-NonCommercial-NoDerivs German License. To view a copy of
-this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
-or send a letter to Creative Commons; 559 Nathan Abbott Way;
-Stanford, California 94305; USA.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
+
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
+
+B. Patch to remedy the problem
+==============================
+
+Index: sink.c
+===================================================================
+- --- sink.c (revision 5118)
++++ sink.c (revision 5119)
+@@ -262,7 +262,7 @@
+ const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
+
+ /* don't bounce in reply to undeliverable bounces */
+- - if (!msg->return_path[0] ||
++ if (!msg || !msg->return_path[0] ||
+ strcmp(msg->return_path, "<>") == 0 ||
+ strcasecmp(msg->return_path, md1) == 0 ||
+ strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
+
END OF fetchmail-SA-2007-02.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWWKwCfX4Ri89SzzUcXYxughs1CdnAk
+Z6IAniD4DzayVUR6UxA5K1OqX1CUDOhM
+=+YME
+-----END PGP SIGNATURE-----
projects / ~andy / fetchmail / blobdiff