Bug 431284 (CVE-2012-3482) - <net-mail/fetchmail-6.3.22: DoS in NTLM protocol phase (CVE-2012-3482)
Summary: <net-mail/fetchmail-6.3.22: DoS in NTLM protocol phase (CVE-2012-3482)
Status: RESOLVED FIXED
Alias: CVE-2012-3482
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Reported: 2012-08-13 21:56 UTC by Agostino Sarubbo
Modified: 2012-12-11 17:37 UTC
Description Agostino Sarubbo gentoo-dev 2012-08-13 21:56:48 UTC
From oss-security:


fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics:         fetchmail denial of service in NTLM protocol phase

Author:         Matthias Andree
Version:        draft
Announced:      2012-08-13
Type:           crash while reading from bad memory location
Impact:         fetchmail segfaults and aborts, stalling inbound mail
Danger:         low
Acknowledgment: J. Porter Clark

CVE Name:       (TBD)
URL:            http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL:    http://www.fetchmail.info/

Affects:        - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected:   - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in:   2012-08-13 Git, among others, see commit
                3fbc7cd331602c76f882d1b507cd05c1d824ba8b

                2012-08-xx fetchmail 6.3.22 release tarball
Comment 1 Tim Harder gentoo-dev 2012-08-30 17:29:20 UTC
6.3.22 added to CVS.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-30 20:51:45 UTC
(In reply to comment #1)
> 6.3.22 added to CVS.

Thanks, Tim. May we proceed with stabilization?
Comment 3 Tim Harder gentoo-dev 2012-09-03 05:18:45 UTC
(In reply to comment #2)
> Thanks, Tim. May we proceed with stabilization?

Of course.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-09-03 19:11:50 UTC
Thanks. Arches, please test and mark stable:
=net-mail/fetchmail-6.3.22
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-09-04 15:45:38 UTC
Stable for HPPA.
Comment 6 Mark Reiche 2012-09-06 06:41:48 UTC
x86: compile, test, run, repoman OK
Comment 7 Agostino Sarubbo gentoo-dev 2012-09-06 16:01:05 UTC
amd64 stable
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-13 07:21:07 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2012-09-14 18:49:30 UTC
arm stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-09-23 17:36:56 UTC
alpha/ia64/s390/sh/sparc stable
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-26 16:00:14 UTC
ppc64 stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2012-10-05 15:52:03 UTC
ppc done
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-25 13:08:26 UTC
Thanks, everyone.

GLSA vote: no.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-12-11 17:37:56 UTC
GLSA Vote: no. Closing noglsa.