Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 227105 (CVE-2008-2711)

Summary: net-mail/fetchmail < 6.3.8-r2 Crash on large log messages in verbose mode (CVE-2008-2711)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-mail+disabled, releng
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://thread.gmane.org/gmane.comp.security.oss.general/535
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-15 09:46:27 UTC
Draft announcement:
---------------------------------------------------------------------
fetchmail-SA-2008-01: Crash on large log messages in verbose mode

Topics:         Crash in large log messages in verbose mode.

Author:         Matthias Andree
Version:        1.0
Announced:
Type:           Dereferencing garbage pointer trigged by outside circumstances
Impact:         denial of service possible
Danger:         low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)

Credits:        Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report)
CVE Name:       XXX
URL:            http://www.fetchmail.info/fetchmail-SA-2008-01.txt
Project URL:    http://www.fetchmail.info/

Affects:        fetchmail release < 6.3.9 exclusively

Not affected:   fetchmail release 6.3.9 and newer
                systems without varargs (stdargs.h) support.

Corrected:      2008-06-13 fetchmail SVN (rev XXX)


0. Release history
==================

2008-06-13 1.0  first draft for MITRE/CVE (visible in SVN)


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
=================================

Gunter Nau reported fetchmail crashing on some messages; further
debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
dug up that this happened when fetchmail was trying to print, in -v -v
verbose level, headers exceeding 2048 bytes. In this situation,
fetchmail would resize the buffer and fill in further parts of the
message, but forget to reinitialize its va_list typed source pointer,
thus reading data from a garbage address found on the stack at
addresses above the function arguments the caller passed in; usually
that would be the caller's stack frame.

It is unknown whether code can be injected remotely, but given that
the segmentation fault is caused by read accesses, the relevant data
is not under the remote attacker's control and no buffer overrun
situation is present that would allow altering program /flow/, it is
deemed rather unlikely that code can be injected.

Note that the required -vv configuration at hand is both non-default
and also not common in automated (cron job) setups, but usually used
in manual debugging, so not many systems would be affected by the
problem. Nonetheless, in vulnerable configurations, it is remotely
exploitable to effect a denial of service attack.



3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
   fetchmail 6.3.8, recompile and reinstall it.

b. Install fetchmail 6.3.9 or newer when it becomes available.  The
   fetchmail source code is available from
   <http://developer.berlios.de/project/showfiles.php?group_id=1824>.


4. Workaround
=============

Run fetchmail at low verbosity, avoid using two or three -v arguments;
internal messages are short and do not contain external message
sources so they do not cause buffer resizing. It is recommended to
replace the vulnerable code by a fixed version (see previous
section 3. Solution) as soon as reasonably possible.


A. Copyright, License and Warranty
==================================

(C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.



B. Patch to remedy the problem
==============================

diff --git a/report.c b/report.c
index 31d4e48..2a731ac 100644
--- a/report.c
+++ b/report.c
@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
     rep_ensuresize();

 #if defined(VA_START)
-    VA_START (args, message);
     for ( ; ; )
     {
+       /*
+        * args has to be initialized before every call of vsnprintf(),
+        * because vsnprintf() invokes va_arg macro and thus args is
+        * undefined after the call.
+        */
+       VA_START(args, message);
        n = vsnprintf (partial_message + partial_message_size_used,
partial_message_size - partial_message_size_used,
                       message, args);
+       va_end (args);

        if (n >= 0
            && (unsigned)n < partial_message_size - partial_message_size_used)
@@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
        partial_message_size += 2048;
        partial_message = REALLOC (partial_message, partial_message_size);
     }
-    va_end (args);
 #else
     for ( ; ; )
     {

END OF fetchmail-SA-2008-01.txt
------------------------------------------------------------------------------------------
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-06-15 09:48:14 UTC
I know we did not handle bug 191154 as security bug, but I would consider fetchmail running in automated setups not "user" issues.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-15 11:12:44 UTC
I added fetchmail-6.3.8-r2 which includes this patch.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-06-15 11:26:30 UTC
Arches, please test and mark stable:
=net-mail/fetchmail-6.3.8-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2008-06-15 12:02:56 UTC
ppc64 done
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2008-06-15 12:22:26 UTC
Stable on alpha.
Comment 6 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-06-15 12:37:39 UTC
    ++++amd64++++

    1. Compiles.
    2. Installs correctly.
    3. Merges.
    4. Killing fetchmail and restarting it results in the bugspam keeping on coming
    in ;-)
    5. Starting in verbose mode and sending myself a large message does not result

    in a crash.
    Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
    2.6.24-gentoo-r8 x86_64)
    =================================================================
    System uname: 2.6.24-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3400+
    Timestamp of tree: Sun, 15 Jun 2008 12:00:01 +0000
    ccache version 2.4 [enabled]
    app-shells/bash:     3.2_p33
    dev-lang/python:     2.4.4-r13
    dev-python/pycrypto: 2.0.1-r6
    dev-util/ccache:     2.4-r7
    sys-apps/baselayout: 1.12.11.1
    sys-apps/sandbox:    1.2.18.1-r2
    sys-devel/autoconf:  2.13, 2.61-r1
    sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
    sys-devel/binutils:  2.18-r1
    sys-devel/gcc-config: 1.4.0-r4
    sys-devel/libtool:   1.5.26
    virtual/os-headers:  2.6.23-r3
    ACCEPT_KEYWORDS="amd64"
    CBUILD="x86_64-pc-linux-gnu"
    CFLAGS="-march=athlon64 -O2 -pipe"
    CHOST="x86_64-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
    /usr/kde/3.5/shutdown /usr/kde/svn/env /usr/kde/svn/share/config
    /usr/kde/svn/shutdown /usr/share/config"
    CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf
    /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c
    /etc/udev/rules.d"
    CXXFLAGS="-march=athlon64 -O2 -pipe"
    DISTDIR="/distfiles"
    FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict
    parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv"
    GENTOO_MIRRORS="http://distfiles.gentoo.org
    http://distro.ibiblio.org/pub/linux/distributions/gentoo"
    MAKEOPTS="-j2"
    PKGDIR="/usr/portage/packages"
    PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
    --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
    --exclude=/local --exclude=/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/portage/local/layman/science /overlay"
    SYNC="rsync://raptor.gentoo.osuosl.org/gentoo-portage"
    USE="X acl aiglx aim amd64 berkdb branding cli cracklib crypt cups dri fortran
    gdbm gpm gtk iconv imap ipv6 isdnlog midi mmx mpeg3 mudflap ncurses nls nptl
    nptlonly nvidia opengl openmp pam pcre perl pppd python qt3 readline reflection
    session sockets spl sqlite3 sse sse2 ssl tcpd unicode vim xcomposite xine xorg
    zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci
    emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m
    maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
    ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
    hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
    share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias
    authn_anon authn_dbm authn_default authn_file authz_dbm authz_default
    authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs
    dav_lock deflate dir disk_cache env expires ext_filter file_cache filter
    headers include info log_config logio mem_cache mime mime_magic negotiation
    rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
    ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux"
    LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
    text" USERLAND="GNU" VIDEO_CARDS="nvidia"
    Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
    LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
    PORTAGE_RSYNC_EXTRA_OPTS

Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-06-15 17:58:38 UTC
ia64/sparc/x86 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-15 18:46:03 UTC
ppc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-06-16 18:36:49 UTC
Stable for HPPA.
Comment 10 Markus Meier gentoo-dev 2008-06-22 11:33:18 UTC
amd64 stable, thanks Thomas. (All security relevant arches should be done)
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-06-24 01:08:22 UTC
GLSA vote, I vote NO.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-24 15:04:00 UTC
voting NO too, and closing.