Bug 431284 (CVE-2012-3482)

Summary: <net-mail/fetchmail-6.3.22: DoS in NTLM protocol phase (CVE-2012-3482)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: minor CC: net-mail+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-08-13 21:56:48 UTC
From oss-security:

fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics:         fetchmail denial of service in NTLM protocol phase

Author:         Matthias Andree
Version:        draft
Announced:      2012-08-13
Type:           crash while reading from bad memory location
Impact:         fetchmail segfaults and aborts, stalling inbound mail
Danger:         low
Acknowledgment: J. Porter Clark

CVE Name:       (TBD)
Project URL:

Affects:        - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected:   - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in:   2012-08-13 Git, among others, see commit

                2012-08-xx fetchmail 6.3.22 release tarball
Comment 1 Tim Harder gentoo-dev 2012-08-30 17:29:20 UTC
6.3.22 added to CVS.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-30 20:51:45 UTC
(In reply to comment #1)
> 6.3.22 added to CVS.

Thanks, Tim. May we proceed with stabilization?
Comment 3 Tim Harder gentoo-dev 2012-09-03 05:18:45 UTC
(In reply to comment #2)
> Thanks, Tim. May we proceed with stabilization?

Of course.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-09-03 19:11:50 UTC
Thanks. Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-09-04 15:45:38 UTC
Stable for HPPA.
Comment 6 Mark Reiche 2012-09-06 06:41:48 UTC
x86: compile, test, run, repoman OK
Comment 7 Agostino Sarubbo gentoo-dev 2012-09-06 16:01:05 UTC
amd64 stable
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-13 07:21:07 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2012-09-14 18:49:30 UTC
arm stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-09-23 17:36:56 UTC
alpha/ia64/s390/sh/sparc stable
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-26 16:00:14 UTC
ppc64 stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2012-10-05 15:52:03 UTC
ppc done
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-25 13:08:26 UTC
Thanks, everyone.

GLSA vote: no.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-12-11 17:37:56 UTC
GLSA Vote: no. Closing noglsa.