fetchmail-SA-2005-02: security announcement

Topic:          password exposure in fetchmailconf
Author:         Matthias Andree
Version:        1.01
Announced:      2005-10-21
Type:           insecure creation of file
Impact:         passwords are written to a world-readable file
Danger:         medium
Credits:        Thomas Wolff, Miloslav Trmac for pointing out that
                fetchmailconf 1.43.1 was also flawed
CVE Name:       CAN-2005-3088
URL:            http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt

Affects:        fetchmail version 6.2.5.2
                fetchmail version 6.2.5
                fetchmail version 6.2.0
                fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and 6.2.5.2)
                fetchmailconf 1.43.1 (shipped separately, now withdrawn)
                (other versions have not been checked but are presumed affected)

Not affected:   fetchmail 6.2.9-rc6
                fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
                fetchmailconf 1.49 (shipped with 6.2.9-rc6)
                fetchmail 6.3.0 (not released yet)

Corrected:      2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
                2005-10-21 - released fetchmailconf-1.43.2
                2005-10-21 - released fetchmail 6.2.9-rc6

0. Release history
==================

2005-10-21 1.00 (shipped with -rc6)
2005-10-21 1.01 (marked 1.43.1 vulnerable, revised section 4, added Credits)

1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration utility named "fetchmailconf" to help the user create configuration (run control) files for fetchmail.

2. Problem description and Impact
=================================

The fetchmailconf program before and excluding version 1.49 opened the run control file, wrote the configuration to it, and only then changed the mode to 0600 (rw-------).

Writing the file, which usually contains passwords, before making it unreadable to other users, can expose sensitive password information.

3. Workaround
=============

Run "umask 077", then run "fetchmailconf" from the same shell. After fetchmailconf has finished, you can restore your old umask.

4. Solution
===========

For users of fetchmail-6.2.5.2:
-------------------------------

Download fetchmailconf-1.43.2.gz from fetchmail's project site <http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>, gunzip it, then replace your existing fetchmailconf with it.

For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6:
---------------------------------------------------------

Update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21. <https://developer.berlios.de/project/showfiles.php?group_id=1824>

A. References
=============

fetchmail home page: <http://fetchmail.berlios.de/>

B. Copyright, License and Warranty
==================================

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>. Some rights reserved.

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs German License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ or send a letter to Creative Commons; 559 Nathan Abbott Way; Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk.

END OF fetchmail-SA-2005-02.txt
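The defect from section 2 and its remedy, as an added Python example that is not fetchmailconf's own code: the create-write-then-chmod ordering beside a hardened version that creates the run control file with mode 0600 from the start (os.open with O_CREAT|O_EXCL, my choice of fix, not necessarily what r4351 did), plus the "umask 077" workaround from section 3. The sample rc line, file name and credentials are constructed.

```python
import os
import stat
import tempfile

# Constructed sample run-control line; the host and credentials are not real.
SAMPLE_RC = 'poll pop.example.invalid proto pop3 user "alice" password "hunter2"\n'


def write_rc_unsafe(path, content, umask=0o022):
    # Ordering fetchmailconf used before 1.49: create, write, then chmod.
    # Returns the mode seen between write and chmod, i.e. during the window
    # in which another local user can read the password.
    old = os.umask(umask)
    try:
        with open(path, "w") as f:  # created as 0666 & ~umask, usually 0644
            f.write(content)        # password is on disk, still world-readable
        exposed = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, 0o600)       # too late: the window already existed
    finally:
        os.umask(old)
    return exposed


def write_rc_safe(path, content, umask=0o022):
    # Hardened ordering: the file is 0600 from its first instant, whatever the
    # caller's umask. O_EXCL also refuses a pre-existing file or symlink.
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(content)
        mode = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)
    return mode


def demo():
    # Run all three variants in a private temp dir and return the observed modes.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fetchmailrc")
        results = {"unsafe_default_umask": write_rc_unsafe(path, SAMPLE_RC)}
        os.unlink(path)
        # The advisory's workaround: umask 077 makes even the unsafe ordering safe.
        results["unsafe_umask_077"] = write_rc_unsafe(path, SAMPLE_RC, umask=0o077)
        os.unlink(path)
        results["safe"] = write_rc_safe(path, SAMPLE_RC)
    return results


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {oct(mode)}")
```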
net-mail please provide an updated ebuild.
fetchmail-6.2.5.2-r1 has been committed to CVS with fix for this bug. We fetch latest fetchmailconf script (1.43.2) and replace it with the one shipped with fetchmail, just as the security advisory suggests. x86 is already tested and marked stable.
Arches plz test fetchmail-6.2.5.2-r1 and mark stable, thx
sparc stable.
alpha done
Marked ppc64 stable. Thanks
Stable on hppa
mips stable
Stable on ppc.
Tested net-mail/fetchmail-6.2.5.2-r1 for amd64. Builds and loads. Passes simple CLI functionality check against a POP3 secure server. No detailed regression testing, but as this is a security bump, tests stable for amd64.

Portage 2.0.53_rc6 (default-linux/amd64/2005.1, gcc-3.4.4, glibc-2.3.5-r3, 2.6.13-gentoo-r4 x86_64)
amd64 done. Thanks aja
Ready for GLSA vote. Race condition to get POP passwords if you work on a world-readable directory... I tend to vote yes, but not a strong one.
I tend to vote YES too.
ia64 done.
I would vote a weak YES.
OK let's make one, this one has waited too long
GLSA 200511-06