Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 110366 - net-mail/fetchmail password exposure in fetchmailconf
Summary: net-mail/fetchmail password exposure in fetchmailconf
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://fetchmail.berlios.de/fetchmail...
Whiteboard: B3 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-24 12:41 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-11-06 10:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-24 12:41:50 UTC
fetchmail-SA-2005-02: security announcement 
 
Topic:		password exposure in fetchmailconf 
 
Author:		Matthias Andree 
Version:	1.01 
Announced:	2005-10-21 
Type:		insecure creation of file 
Impact:		passwords are written to a world-readable file 
Danger:		medium 
Credits:	Thomas Wolff, Miloslav Trmac for pointing out 
		that fetchmailconf 1.43.1 was also flawed 
CVE Name:	CAN-2005-3088 
URL:		http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt 
 
Affects:	fetchmail version 6.2.5.2 
		fetchmail version 6.2.5 
		fetchmail version 6.2.0 
		fetchmailconf 1.43   (shipped with 6.2.0, 6.2.5 and 6.2.5.2) 
		fetchmailconf 1.43.1 (shipped separately, now withdrawn) 
		(other versions have not been checked but are presumed 
affected) 
 
Not affected:	fetchmail 6.2.9-rc6 
		fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2) 
		fetchmailconf 1.49   (shipped with 6.2.9-rc6) 
		fetchmail 6.3.0      (not released yet) 
 
Corrected:	2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351) 
		2005-10-21                 - released fetchmailconf-1.43.2 
		2005-10-21                 - released fetchmail 6.2.9-rc6 
 
0. Release history 
================== 
 
2005-10-21	1.00 (shipped with -rc6) 
2005-10-21	1.01 (marked 1.43.1 vulnerable, revised section 4, 
		      added Credits) 
 
1. Background 
============= 
 
fetchmail is a software package to retrieve mail from remote POP2, POP3, 
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or 
message delivery agents. 
 
fetchmail ships with a graphical, Python/Tkinter based configuration 
utility named "fetchmailconf" to help the user create configuration (run 
control) files for fetchmail. 
 
2. Problem description and Impact 
================================= 
 
The fetchmailconf program before and excluding version 1.49 opened the 
run control file, wrote the configuration to it, and only then changed 
the mode to 0600 (rw-------). Writing the file, which usually contains 
passwords, before making it unreadable to other users, can expose 
sensitive password information. 
 
3. Workaround 
============= 
 
Run "umask 077", then run "fetchmailconf" from the same shell. After 
fetchmailconf has finished, you can restore your old umask. 
 
4. Solution 
=========== 
 
For users of fetchmail-6.2.5.2: 
------------------------------- 
Download fetchmailconf-1.43.2.gz from fetchmail's project site 
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>, 
gunzip it, then replace your existing fetchmailconf with it. 
 
For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6: 
--------------------------------------------------------- 
update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21. 
<https://developer.berlios.de/project/showfiles.php?group_id=1824> 
 
A. References 
============= 
 
fetchmail home page: <http://fetchmail.berlios.de/> 
 
B. Copyright, License and Warranty 
================================== 
 
(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>. 
Some rights reserved. 
 
This work is licensed under the Creative Commons 
Attribution-NonCommercial-NoDerivs German License. To view a copy of 
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ 
or send a letter to Creative Commons; 559 Nathan Abbott Way; 
Stanford, California 94305; USA. 
 
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. 
Use the information herein at your own risk. 
 
END OF fetchmail-SA-2005-02.txt
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-24 12:42:51 UTC
net-mail please provide an updated ebuild. 
Comment 2 Andrej Kacian (RETIRED) gentoo-dev 2005-10-24 22:44:44 UTC
fetchmail-6.2.5.2-r1 has been committed to CVS with fix for this bug. We fetch
latest fetchmailconf script (1.43.2) and replace it with the one shipped with
fetchmail, just as the security advisory suggests.

x86 is already tested and marked stable.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2005-10-24 23:23:39 UTC
Arches plz test fetchmail-6.2.5.2-r1 and mark stable, thx
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-25 07:04:34 UTC
sparc stable.
Comment 5 Fernando J. Pereda (RETIRED) gentoo-dev 2005-10-25 07:58:39 UTC
alpha done
Comment 6 Brent Baude (RETIRED) gentoo-dev 2005-10-25 08:46:27 UTC
Marked ppc64 stable. Thanks
Comment 7 René Nussbaumer (RETIRED) gentoo-dev 2005-10-26 01:13:42 UTC
Stable on hppa
Comment 8 Aaron Walker (RETIRED) gentoo-dev 2005-10-26 07:25:14 UTC
mips stable
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-26 10:53:54 UTC
Stable on ppc.
Comment 10 AJ Armstrong 2005-10-27 20:28:48 UTC
Tested net-mail/fetchmail-6.2.5.2-r1 for amd64.

Builds and loads.  Passes simple CLI functionality check against a POP3 secure
server.

No detailed regression testing, but as this is a security bump, tests stable for
amd64.

Portage 2.0.53_rc6 (default-linux/amd64/2005.1, gcc-3.4.4, glibc-2.3.5-r3,
2.6.13-gentoo-r4 x86_64)
=================================================================
System uname: 2.6.13-gentoo-r4 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.12.0_pre9
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -fweb -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env
/usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env
/usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/lib64/mozilla/defaults/pref /usr/share/config
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-march=k8 -O2 -pipe -fweb -ftracer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks multilib-strict sandbox sfperms strict
testing"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/etc/portage/overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X alsa apache2 avi berkdb bitmap-fonts cddb cdr cli crypt cups curl
dba directfb dts dv dvd dvdr dvdread eds emacs emboss encode esd fam fame fbcon
ffmpeg firefox foomaticdb gcj gd gdbm gif gpm gstreamer gtk gtk2 ieee1394
imagemagick imlib ipv6 java jikes jpeg junit ldap libwww lirc live lzw lzw-tiff
mad mjpeg mozilla mp3 mpeg mysql ncurses nls nptl nptlonly nsplugin nvidia ogg
oggvorbis opengl pam pcre pdflib perl png python qt quicktime readline real rtc
ruby sdl spell ssl tcpd tetex theora tiff truetype-fonts type1-fonts udev
unicode usb userlocales v4l v4l2 vorbis xine xml2 xmms xpm xv xvid zlib
userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

Comment 11 Luis Medinas (RETIRED) gentoo-dev 2005-10-27 20:32:48 UTC
amd64 done
Thanks aja
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 00:55:07 UTC
Ready for GLSA vote.
Race condition to get POP passwords if you work on a world-readable directory...
I tend to vote yes, but not a strong one.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-28 07:20:13 UTC
I tend to vote YES too. 
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-30 15:23:52 UTC
ia64 done.
Comment 15 Tavis Ormandy (RETIRED) gentoo-dev 2005-11-02 09:13:31 UTC
I would vote a weak YES.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-11-02 09:23:54 UTC
OK let's make one, this one has waited too long
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-11-06 10:33:33 UTC
GLSA 200511-06