804921 – (CVE-2021-36386) <net-mail/fetchmail-6.4.20: Denial of service when fetching long messages (CVE-2021-36386)

Bug 804921 (CVE-2021-36386) - <net-mail/fetchmail-6.4.20: Denial of service when fetching long messages (CVE-2021-36386)

Summary: <net-mail/fetchmail-6.4.20: Denial of service when fetching long messages (CV...

Status:	RESOLVED FIXED

Alias:	CVE-2021-36386

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://www.fetchmail.info/fetchmail-...
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:
Blocks:

Reported:	2021-07-28 21:40 UTC by Sam James
Modified:	2022-09-25 13:57 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	net-mail/fetchmail-6.4.21-r1
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-07-28 21:40:08 UTC

2. Problem description and Impact
=================================

Fetchmail has long had support to assemble log/error messages that are 
generated piecemeal, and takes care to reallocate the output buffer as needed.  
In the reallocation case, i. e. when long log messages are assembled that can 
stem from very long headers, and on systems that have a varargs.h/stdarg.h 
interface (all modern systems), fetchmail's code would fail to reinitialize 
the va_list argument to vsnprintf. 

The exact effects depend on the verbose mode (how many -v are given) of 
fetchmail, computer architecture, compiler, operating system and 
configuration.  On some systems, the code just works without ill effects, some 
systems log a garbage message (potentially disclosing sensitive information), 
some systems log literally "(null)", some systems trigger SIGSEGV (signal 
#11), which crashes fetchmail, causing a denial of service on fetchmail's end.


3. Solution
===========

Install fetchmail 6.4.20 or newer.

The fetchmail source code is available from
<https://sourceforge.net/projects/fetchmail/files/>.

Distributors are encouraged to review the NEWS file and move forward to 
6.4.20, rather than backport individual security fixes, because doing so 
routinely misses other fixes crucial to fetchmail's proper operation, 
for which no security announcements are issued, or documentation,
or translation updates.

Fetchmail 6.4.X releases have been made with a focus on unchanged user and 
program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 
6.4.X to 6.4.Y with Y > X.  Care was taken to not change the interface 
incompatibly.

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:20:19 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:28:21 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:36:21 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:44:24 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:52:24 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:56:23 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:00:23 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 18:08:23 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 9 Bernard Cafarelli gentoo-dev

2021-07-29 19:02:23 UTC

6.4.20 only contains the mentioned security fix on top of our current stable 6.4.19, so we can bump and mark it stable safely.

Comment 10 Sam James archtester

2021-07-30 03:12:37 UTC

(In reply to Bernard Cafarelli from comment #9)
> 6.4.20 only contains the mentioned security fix on top of our current stable
> 6.4.19, so we can bump and mark it stable safely.

Thank you!

Comment 11 Sam James archtester

2021-07-30 06:12:49 UTC

x86 done

Comment 12 Agostino Sarubbo gentoo-dev

2021-07-30 15:18:42 UTC

sparc stable

Comment 13 Sam James archtester

2021-07-30 22:35:39 UTC

amd64 done

Comment 14 Sam James archtester

2021-07-30 22:36:00 UTC

arm done

Comment 15 Sam James archtester

2021-07-31 04:13:48 UTC

ppc64 done

Comment 16 Sam James archtester

2021-07-31 04:13:51 UTC

ppc done

all arches done

Comment 17 Larry the Git Cow gentoo-dev

2021-08-03 19:58:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f190d1fd7da098624e5f9bed8f534c53b07d91c

commit 1f190d1fd7da098624e5f9bed8f534c53b07d91c
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-08-03 19:58:27 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-08-03 19:58:27 +0000

    net-mail/fetchmail: drop vulnerable version
    
    Bug: https://bugs.gentoo.org/804921
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-mail/fetchmail/Manifest                |   1 -
 net-mail/fetchmail/fetchmail-6.4.19.ebuild | 107 -----------------------------
 2 files changed, 108 deletions(-)

Comment 18 Sam James archtester

2021-08-03 22:58:40 UTC

Thanks!

Comment 19 Larry the Git Cow gentoo-dev

2021-08-21 16:07:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfcd4678edd09ba6315f6d4fd358455772e2f957

commit dfcd4678edd09ba6315f6d4fd358455772e2f957
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-08-21 16:07:08 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-08-21 16:07:23 +0000

    net-mail/fetchmail: 6.4.21 direct stable bump
    
    This is a regression fix on security stable 6.4.20, see upstream README
    
    Bug: https://bugs.gentoo.org/804921
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    RepoMan-Options: --force
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-mail/fetchmail/Manifest                                             | 2 +-
 net-mail/fetchmail/{fetchmail-6.4.20.ebuild => fetchmail-6.4.21.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

Comment 20 NATTkA bot gentoo-dev

2021-08-21 16:12:25 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: net-mail/fetchmail-6.4.20

Comment 21 NATTkA bot gentoo-dev

2021-09-13 20:32:32 UTC

Unable to check for sanity:

> no match for package: net-mail/fetchmail-6.4.21

Comment 22 John Helmert III archtester

2022-09-19 05:04:45 UTC

GLSA request filed

Comment 23 John Helmert III archtester

2022-09-25 13:44:27 UTC

GLSA released, all done!

Comment 24 Larry the Git Cow gentoo-dev

2022-09-25 13:57:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=10e37684de32c903d014e181ca429e2850397264

commit 10e37684de32c903d014e181ca429e2850397264
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-25 13:35:56 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-25 13:42:21 +0000

    [ GLSA 202209-14 ] Fetchmail: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/804921
    Bug: https://bugs.gentoo.org/810676
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-14.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)