Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 99865 - net-mail/fetchmail remote code injection (CAN-2005-2335)
Summary: net-mail/fetchmail remote code injection (CAN-2005-2335)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://fetchmail.berlios.de/fetchmail...
Whiteboard: A2? [glsa] jaervosz
Keywords:
: 99789 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-07-21 22:19 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-06-24 23:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-07-21 22:19:50 UTC
fetchmail-SA-2005-01: security announcement 
 
Topic:		remote code injection vulnerability in fetchmail 
 
Author:		Matthias Andree 
Version:	1.01 
Announced:	2005-07-21 
Type:		buffer overrun/stack corruption/code injection 
Impact:		account or system compromise possible through malicious 
		or compromised POP3 servers 
Danger:		high: in sensitive configurations, a full system 
		compromise is possible 
CVE Name:	CAN-2005-2335 
URL:		http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt 
		http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762 
		
http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html 
		http://www.freebsd.org/cgi/query-pr.cgi?pr=83805 
Thanks:		Edward J. Shornock (located the bug in UIDL code) 
		Miloslav Trmac (pointed out 6.2.5.1 was faulty) 
		Ludwig Nussel (provided minimal fix) 
 
Affects:	fetchmail version 6.2.5.1 (denial of service) 
		fetchmail version 6.2.5 (code injection) 
		fetchmail version 6.2.0 (code injection) 
		(other versions have not been checked) 
 
Not affected:	fetchmail 6.2.5.2 
		fetchmail 6.2.6-pre6 
		fetchmail 6.3.0      (not released yet) 
 
		Older versions may not have THIS bug, but had been found 
		to contain other security-relevant bugs. 
 
Corrected:	2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157) 
		2005-07-22                   fetchmail-patch-6.2.5.2 released 
 
0. Release history 
 
2005-07-20	1.00 - Initial announcement 
2005-07-22	1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy 
		       and susceptible to denial of service through 
		       single-byte read from 0 when either a Message-ID: 
		       header was empty or the UIDL response did not 
		       contain an URL. 
		     - Add Credits. 
		     - Add 6.2.5.1 failure details to sections 2 and 3 
		     - Revise section 5 and B. 
 
1. Background 
 
fetchmail is a software package to retrieve mail from remote POP2, POP3, 
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or 
message delivery agents. 
 
2. Problem description 
 
The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from 
the UIDL) reads the responses returned by the POP3 server into 
fixed-size buffers allocated on the stack, without limiting the input 
length to the buffer size. A compromised or malicious POP3 server can 
thus overrun fetchmail's stack.  This affects POP3 and all of its 
variants, for instance but not limited to APOP. 
 
In fetchmail-6.2.5.1, the attempted fix prevented code injection via 
POP3 UIDL, but introduced two possible NULL dereferences that can be 
exploited to mount a denial of service attack. 
 
3. Impact 
 
In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to 
crash, or potentially make it execute code placed on the stack. In some 
configurations, fetchmail is run by the root user to download mail for 
multiple accounts. 
 
In fetchmail-6.2.5.1, a server that responds with UID lines containing 
only the article number but no UID (in violation of RFC-1939), or a 
message without Message-ID when no UIDL support is available, can crash 
fetchmail. 
 
4. Workaround 
 
No reasonable workaround can be offered at this time. 
 
5. Solution 
 
Upgrade your fetchmail package to version 6.2.5.2. 
 
This requires the download of the fetchmail-6.2.5.tar.gz tarball and the 
fetchmail-patch-6.2.5.2.gz from BerliOS: 
 
<http://developer.berlios.de/project/showfiles.php?group_id=1824> 
 
To use the patch: 
 
  1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already 
     had downloaded) and fetchmail-patch-6.2.5.2.tar.gz 
  2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf - 
  3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz 
  4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 
<../fetchmail-patch-6.2.5.2 
  5. now configure and build as usual - detailed instructions in the file 
     named "INSTALL". 
 
A. References 
 
fetchmail home page: <http://fetchmail.berlios.de/> 
 
B. Copyright, License and Warranty 
 
(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>. 
Some rights reserved. 
 
This work is licensed under the Creative Commons 
Attribution-NonCommercial-NoDerivs German License. To view a copy of 
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ 
or send a letter to Creative Commons; 559 Nathan Abbott Way; 
Stanford, California 94305; USA. 
 
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. 
Use the information herein at your own risk. 
 
END OF fetchmail-SA-2005-01.txt
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-21 22:21:37 UTC
*** Bug 99789 has been marked as a duplicate of this bug. ***
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-21 22:22:03 UTC
net-mail please provide an updated ebuild. 
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2005-07-22 01:55:28 UTC
fetchmail-6.2.5.2.ebuild in CVS, unstable for all arches, except x86.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-22 01:59:03 UTC
Arches please test and mark stable. 
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-07-22 03:13:11 UTC
stable on ppc64
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-22 06:14:01 UTC
sparc stable.
Comment 7 René Nussbaumer (RETIRED) gentoo-dev 2005-07-22 06:29:41 UTC
Stable on hppa
Comment 8 Herbie Hopkins (RETIRED) gentoo-dev 2005-07-22 08:49:49 UTC
Stable on amd64.
Comment 9 Jory A. Pratt 2005-07-22 23:54:12 UTC
Stable on ppc
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-07-23 13:47:04 UTC
Stable on alpha + ia64.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-25 11:12:02 UTC
GLSA 200507-21 
 
s390 don't forget to mark stable.