fetchmail-SA-2005-01.txt 4.75 KB
Newer Older
1 2 3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthias Andree's avatar
Matthias Andree committed
4 5 6 7 8
fetchmail-SA-2005-01: security announcement

Topic:		remote code injection vulnerability in fetchmail

Author:		Matthias Andree
9
Version:	1.04
Matthias Andree's avatar
Matthias Andree committed
10 11 12 13 14 15
Announced:	2005-07-21
Type:		buffer overrun/stack corruption/code injection
Impact:		account or system compromise possible through malicious
		or compromised POP3 servers
Danger:		high: in sensitive configurations, a full system
		compromise is possible
Matthias Andree's avatar
Matthias Andree committed
16 17
		(for 6.2.5.1: denial of service for the whole fetchmail
		system is possible)
Matthias Andree's avatar
Matthias Andree committed
18
CVE Name:	CVE-2005-2335
19
URL:		http://fetchmail.sourceforge.net/fetchmail-SA-2005-01.txt
Matthias Andree's avatar
Matthias Andree committed
20 21
		http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
		http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html
Matthias Andree's avatar
Matthias Andree committed
22
		http://www.vuxml.org/freebsd/3f4ac724-fa8b-11d9-afcf-0060084a00e5.html
Matthias Andree's avatar
Matthias Andree committed
23
		http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
Matthias Andree's avatar
Matthias Andree committed
24
		http://www.heise.de/security/news/meldung/62070
Matthias Andree's avatar
Matthias Andree committed
25 26
Thanks:		Edward J. Shornock (located the bug in UIDL code)
		Miloslav Trmac (pointed out 6.2.5.1 was faulty)
Matthias Andree's avatar
Matthias Andree committed
27
		Ludwig Nussel (provided minimal correct fix)
Matthias Andree's avatar
Matthias Andree committed
28

Matthias Andree's avatar
Matthias Andree committed
29 30 31
Affects:	fetchmail version 6.2.5.1 (denial of service)
		fetchmail version 6.2.5 (code injection)
		fetchmail version 6.2.0 (code injection)
Matthias Andree's avatar
Matthias Andree committed
32 33
		(other versions have not been checked)

Matthias Andree's avatar
Matthias Andree committed
34
Not affected:	fetchmail 6.2.5.2
35 36
		fetchmail 6.2.5.4
		fetchmail 6.3.0
Matthias Andree's avatar
Matthias Andree committed
37 38 39 40

		Older versions may not have THIS bug, but had been found
		to contain other security-relevant bugs.

Matthias Andree's avatar
Matthias Andree committed
41 42
Corrected:	2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
		2005-07-22                   fetchmail-patch-6.2.5.2 released
Matthias Andree's avatar
Matthias Andree committed
43
		2005-07-23                   fetchmail-6.2.5.2 tarball released
44 45
		2005-11-13                   fetchmail-6.2.5.4 tarball released
		2005-11-30                   fetchmail-6.3.0 tarball released
Matthias Andree's avatar
Matthias Andree committed
46 47 48

0. Release history

Matthias Andree's avatar
Matthias Andree committed
49 50 51 52
2005-07-20	1.00 - Initial announcement
2005-07-22	1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy
		       and susceptible to denial of service through
		       single-byte read from 0 when either a Message-ID:
Matthias Andree's avatar
Matthias Andree committed
53 54 55
		       header was empty (in violation of RFC-822/2822)
		       or the UIDL response did not contain an UID (in
		       violation of RFC-1939).
Matthias Andree's avatar
Matthias Andree committed
56 57 58
		     - Add Credits.
		     - Add 6.2.5.1 failure details to sections 2 and 3
		     - Revise section 5 and B.
Matthias Andree's avatar
Matthias Andree committed
59 60 61 62
2005-07-26	1.02 - Revise section 0.
		     - Add FreeBSD VuXML URL for 6.2.5.1.
		     - Add heise security URL.
		     - Mention release of 6.2.5.2 tarball.
Matthias Andree's avatar
Matthias Andree committed
63
2005-10-27	1.03 - Update CVE Name after CVE naming change
64 65
2005-12-08	1.04 - Mention 6.2.5.4 and 6.3.0 releases "not affected"
		     - remove patch information
Matthias Andree's avatar
Matthias Andree committed
66 67 68 69 70 71 72 73 74

1. Background

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

2. Problem description

Matthias Andree's avatar
Matthias Andree committed
75 76 77 78 79 80 81 82 83 84
The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
the UIDL) reads the responses returned by the POP3 server into
fixed-size buffers allocated on the stack, without limiting the input
length to the buffer size. A compromised or malicious POP3 server can
thus overrun fetchmail's stack.  This affects POP3 and all of its
variants, for instance but not limited to APOP.

In fetchmail-6.2.5.1, the attempted fix prevented code injection via
POP3 UIDL, but introduced two possible NULL dereferences that can be
exploited to mount a denial of service attack.
Matthias Andree's avatar
Matthias Andree committed
85 86 87

3. Impact

Matthias Andree's avatar
Matthias Andree committed
88 89 90 91 92 93 94 95 96
In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
crash, or potentially make it execute code placed on the stack. In some
configurations, fetchmail is run by the root user to download mail for
multiple accounts.

In fetchmail-6.2.5.1, a server that responds with UID lines containing
only the article number but no UID (in violation of RFC-1939), or a
message without Message-ID when no UIDL support is available, can crash
fetchmail.
Matthias Andree's avatar
Matthias Andree committed
97 98 99 100 101 102 103

4. Workaround

No reasonable workaround can be offered at this time.

5. Solution

104
Upgrade your fetchmail package to version 6.3.0 or newer.
Matthias Andree's avatar
Matthias Andree committed
105

106
<http://sourceforge.net/projects/fetchmail/files/>
Matthias Andree's avatar
Matthias Andree committed
107 108 109

A. References

110
fetchmail home page: <http://fetchmail.sourceforge.net/>
Matthias Andree's avatar
Matthias Andree committed
111

Matthias Andree's avatar
Matthias Andree committed
112
B. Copyright, License and Warranty
Matthias Andree's avatar
Matthias Andree committed
113 114 115 116

(C) Copyright 2005 by Matthias Andree, <[email protected]>.
Some rights reserved.

117 118 119 120 121 122 123 124 125 126 127 128
This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA
Matthias Andree's avatar
Matthias Andree committed
129

Matthias Andree's avatar
Matthias Andree committed
130 131 132
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

Matthias Andree's avatar
Matthias Andree committed
133
END OF fetchmail-SA-2005-01.txt
134
-----BEGIN PGP SIGNATURE-----
135
Version: GnuPG v1.4.11 (GNU/Linux)
136

137 138 139
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZWmcQCdGrMPh1DY+Uqi5gmRbL+uUsOd
BpQAn3pBsk4fCeMY61d2ltjcp+CXj8Bi
=WTmI
140
-----END PGP SIGNATURE-----