Topics: Crash in large log messages in verbose mode.
Author: Matthias Andree
-Version: 1.0
+Version: 1.2
Announced: 2008-06-17
-Type: Dereferencing garbage pointer trigged by outside circumstances
+Type: Dereferencing garbage pointer triggered by outside circumstances
Impact: denial of service possible
Danger: low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)
URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt
Project URL: http://www.fetchmail.info/
-Affects: fetchmail release < 6.3.9 exclusively
+Affects: fetchmail release before and excluding 6.3.9
+ fetchmail release candidate 6.3.9-rc1
Not affected: fetchmail release 6.3.9 and newer
- systems without varargs (stdargs.h) support.
+ fetchmail release candidate 6.3.9-rc2 and newer
+ systems without varargs support.
-Corrected: 2008-06-13 fetchmail SVN (rev 5193)
+Corrected: 2008-06-24 fetchmail SVN (rev 5205)
References: <https://bugzilla.novell.com/show_bug.cgi?id=354291>
<http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824>
2008-06-13 1.0 first draft for MITRE/CVE (visible in SVN,
posted to oss-security)
2008-06-17 1.0 published on http://www.fetchmail.info/
+2008-06-17 1.1 Corrected typo in Type: above (trigged -> triggered)
+2008-06-24 1.2 also fixed issue in report_complete (reported by Petr Uzel)
1. Background
(C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
-This work is licensed under the Creative Commons
-Attribution-NonCommercial-NoDerivs German License. To view a copy of
-this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
-or send a letter to Creative Commons; 559 Nathan Abbott Way;
-Stanford, California 94305; USA.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
-
B. Patch to remedy the problem
==============================
+Note that when taking this from a GnuPG clearsigned file, the lines
+starting with a "-" character are prefixed by another "- " (dash +
+blank) combination. Either feed this file through GnuPG to strip them,
+or strip them manually.
+
+Whitespace differences can usually be ignored by invoking "patch -l",
+so try this if the patch does not apply.
+
diff --git a/report.c b/report.c
-index 31d4e48..2a731ac 100644
+index 31d4e48..320e60b 100644
- --- a/report.c
+++ b/report.c
@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
#else
for ( ; ; )
{
+@@ -304,12 +309,13 @@ report_complete (FILE *errfp, message, va_alist)
+ rep_ensuresize();
+
+ #if defined(VA_START)
+- - VA_START (args, message);
+ for ( ; ; )
+ {
++ VA_START(args, message);
+ n = vsnprintf (partial_message + partial_message_size_used,
+ partial_message_size - partial_message_size_used,
+ message, args);
++ va_end(args);
+
+ /* old glibc versions return -1 for truncation */
+ if (n >= 0
+@@ -322,7 +328,6 @@ report_complete (FILE *errfp, message, va_alist)
+ partial_message_size += 2048;
+ partial_message = REALLOC (partial_message, partial_message_size);
+ }
+- - va_end (args);
+ #else
+ for ( ; ; )
+ {
END OF fetchmail-SA-2008-01.txt
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.5 (GNU/Linux)
+Version: GnuPG v1.4.11 (GNU/Linux)
-iD8DBQFIV7WYvmGDOQUufZURAs7/AJ49LCd2q34puZHNe4GxcXnsOtB8DQCg7mth
-BUgZUxZxPInU60c9rNFbOm8=
-=yg6v
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVbTACeOfZU3NVlDF675SDiVqPL4uAl
+fsgAoMEqf6cpav6sDdEobMHV3UzHSOJV
+=uvVR
-----END PGP SIGNATURE-----
projects / ~andy / fetchmail / blobdiff