fetchmail-SA-2005-01: security announcement
Topic: remote code injection vulnerability in fetchmail
Author: Matthias Andree
Type: buffer overrun/stack corruption/code injection
Impact: account or system compromise possible through malicious
or compromised POP3 servers
Danger: high: in sensitive configurations, a full system
compromise is possible
CVE Name: CAN-2005-2335
Thanks: Edward J. Shornock (located the bug in UIDL code)
Miloslav Trmac (pointed out 184.108.40.206 was faulty)
Ludwig Nussel (provided minimal fix)
Affects: fetchmail version 220.127.116.11 (denial of service)
fetchmail version 6.2.5 (code injection)
fetchmail version 6.2.0 (code injection)
(other versions have not been checked)
Not affected: fetchmail 18.104.22.168
fetchmail 6.3.0 (not released yet)
Older versions may not have THIS bug, but had been found
to contain other security-relevant bugs.
Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
2005-07-22 fetchmail-patch-22.214.171.124 released
0. Release history
2005-07-20 1.00 - Initial announcement
2005-07-22 1.01 - Withdrew 126.96.36.199 and 6.2.6-pre5, the fix was buggy
and susceptible to denial of service through
single-byte read from 0 when either a Message-ID:
header was empty or the UIDL response did not
contain an URL.
- Add Credits.
- Add 188.8.131.52 failure details to sections 2 and 3
- Revise section 5 and B.
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.
2. Problem description
The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
the UIDL) reads the responses returned by the POP3 server into
fixed-size buffers allocated on the stack, without limiting the input
length to the buffer size. A compromised or malicious POP3 server can
thus overrun fetchmail's stack. This affects POP3 and all of its
variants, for instance but not limited to APOP.
In fetchmail-184.108.40.206, the attempted fix prevented code injection via
POP3 UIDL, but introduced two possible NULL dereferences that can be
exploited to mount a denial of service attack.
In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
crash, or potentially make it execute code placed on the stack. In some
configurations, fetchmail is run by the root user to download mail for
In fetchmail-220.127.116.11, a server that responds with UID lines containing
only the article number but no UID (in violation of RFC-1939), or a
message without Message-ID when no UIDL support is available, can crash
No reasonable workaround can be offered at this time.
Upgrade your fetchmail package to version 18.104.22.168.
This requires the download of the fetchmail-6.2.5.tar.gz tarball and the
fetchmail-patch-22.214.171.124.gz from BerliOS:
To use the patch:
1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already
had downloaded) and fetchmail-patch-126.96.36.199.tar.gz
2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf -
3. unpack the patch: gunzip fetchmail-patch-188.8.131.52.gz
4. apply the patch: cd fetchmail-6.2.5 ; patch -p1
5. now configure and build as usual - detailed instructions in the file
fetchmail home page: <http://fetchmail.berlios.de/>
B. Copyright, License and Warranty
(C) Copyright 2005 by Matthias Andree, <email@example.com>.
Some rights reserved.
This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
END OF fetchmail-SA-2005-01.txt
*** Bug 99789 has been marked as a duplicate of this bug. ***
net-mail please provide an updated ebuild.
fetchmail-184.108.40.206.ebuild in CVS, unstable for all arches, except x86.
Arches please test and mark stable.
stable on ppc64
Stable on hppa
Stable on amd64.
Stable on ppc
Stable on alpha + ia64.
s390 don't forget to mark stable.