Bug 804921 (CVE-2021-36386) - <net-mail/fetchmail-6.4.20: Denial of service when fetching long messages (CVE-2021-36386)
Status: IN_PROGRESS
Alias: CVE-2021-36386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.fetchmail.info/fetchmail-...
Whiteboard: B3 [glsa?]
Reported: 2021-07-28 21:40 UTC by Sam James
Modified: 2021-09-15 07:21 UTC

Package list:
net-mail/fetchmail-6.4.21-r1
Runtime testing required: ---
nattka: sanity-check-
Description Sam James archtester gentoo-dev Security 2021-07-28 21:40:08 UTC
2. Problem description and Impact
=================================

Fetchmail has long had support to assemble log/error messages that are 
generated piecemeal, and takes care to reallocate the output buffer as needed.  
In the reallocation case, i. e. when long log messages are assembled that can 
stem from very long headers, and on systems that have a varargs.h/stdarg.h 
interface (all modern systems), fetchmail's code would fail to reinitialize 
the va_list argument to vsnprintf. 

The exact effects depend on the verbose mode (how many -v are given) of 
fetchmail, computer architecture, compiler, operating system and 
configuration.  On some systems, the code just works without ill effects, some 
systems log a garbage message (potentially disclosing sensitive information), 
some systems log literally "(null)", some systems trigger SIGSEGV (signal 
#11), which crashes fetchmail, causing a denial of service on fetchmail's end.


3. Solution
===========

Install fetchmail 6.4.20 or newer.

The fetchmail source code is available from
<https://sourceforge.net/projects/fetchmail/files/>.

Distributors are encouraged to review the NEWS file and move forward to 
6.4.20, rather than backport individual security fixes, because doing so 
routinely misses other fixes crucial to fetchmail's proper operation, 
for which no security announcements are issued, or documentation,
or translation updates.

Fetchmail 6.4.X releases have been made with a focus on unchanged user and 
program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 
6.4.X to 6.4.Y with Y > X.  Care was taken to not change the interface 
incompatibly.
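The reallocation path the advisory describes, as an added illustration of the correct va_list handling (example code written for this page, not fetchmail's; `msgbuf`, `msgbuf_appendf`, `long_header_ok` and the `X-Constructed` header are made up): vsnprintf consumes the list it is given, so the retry after the buffer has grown must work on a fresh va_copy rather than on the list already passed to the first call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct msgbuf { char *data; size_t cap, len; };   /* growable message buffer */
/* Append a formatted chunk, growing the buffer on demand. vsnprintf consumes
 * its va_list, so every attempt, including the retry after realloc, gets a
 * fresh va_copy; retrying with the consumed list is the pre-6.4.20 defect. */
int msgbuf_appendf(struct msgbuf *m, const char *fmt, ...)
{
    va_list ap, aq;
    va_start(ap, fmt);
    for (;;) {
        size_t room = m->cap - m->len;
        va_copy(aq, ap);                       /* fresh copy for this call */
        int n = vsnprintf(room ? m->data + m->len : NULL, room, fmt, aq);
        va_end(aq);
        if (n < 0) break;                      /* encoding error */
        if ((size_t)n < room) {                /* fit, NUL included */
            m->len += (size_t)n;
            va_end(ap);
            return 0;
        }
        size_t ncap = m->cap ? m->cap : 64;    /* too small: grow, retry */
        while (ncap < m->len + (size_t)n + 1) ncap *= 2;
        char *nb = realloc(m->data, ncap);
        if (!nb) break;
        m->data = nb; m->cap = ncap;
    }
    va_end(ap);
    return -1;                                 /* error or out of memory */
}

/* Self-check: a header of value_len 'A's (enough to force reallocation) must
 * come back intact. Returns 1 if so, else 0. */
int long_header_ok(size_t value_len)
{
    static const char pfx[] = "fetchmail: header X-Constructed: ";
    struct msgbuf m = { NULL, 0, 0 };
    char *value = malloc(value_len + 1);
    if (!value) return 0;
    memset(value, 'A', value_len); value[value_len] = '\0';
    int ok = msgbuf_appendf(&m, "fetchmail: header %s: ", "X-Constructed") == 0
          && msgbuf_appendf(&m, "%s", value) == 0
          && strlen(m.data) == strlen(pfx) + value_len
          && strncmp(m.data, pfx, strlen(pfx)) == 0
          && strspn(m.data + strlen(pfx), "A") == value_len;
    free(value); free(m.data);
    return ok;
}
```

Calling `long_header_ok(5000)` exercises the grow-and-retry branch twice (the first chunk overflows the empty buffer, the long value overflows the 64-byte one), which is exactly where the unfixed code re-read an exhausted va_list.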
Comment 9 Bernard Cafarelli gentoo-dev 2021-07-29 19:02:23 UTC
6.4.20 only contains the mentioned security fix on top of our current stable 6.4.19, so we can bump and mark it stable safely.
Comment 10 Sam James archtester gentoo-dev Security 2021-07-30 03:12:37 UTC
(In reply to Bernard Cafarelli from comment #9)
> 6.4.20 only contains the mentioned security fix on top of our current stable
> 6.4.19, so we can bump and mark it stable safely.

Thank you!
Comment 11 Sam James archtester gentoo-dev Security 2021-07-30 06:12:49 UTC
x86 done
Comment 12 Agostino Sarubbo gentoo-dev 2021-07-30 15:18:42 UTC
sparc stable
Comment 13 Sam James archtester gentoo-dev Security 2021-07-30 22:35:39 UTC
amd64 done
Comment 14 Sam James archtester gentoo-dev Security 2021-07-30 22:36:00 UTC
arm done
Comment 15 Sam James archtester gentoo-dev Security 2021-07-31 04:13:48 UTC
ppc64 done
Comment 16 Sam James archtester gentoo-dev Security 2021-07-31 04:13:51 UTC
ppc done

all arches done
Comment 17 Larry the Git Cow gentoo-dev 2021-08-03 19:58:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f190d1fd7da098624e5f9bed8f534c53b07d91c

commit 1f190d1fd7da098624e5f9bed8f534c53b07d91c
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-08-03 19:58:27 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-08-03 19:58:27 +0000

    net-mail/fetchmail: drop vulnerable version
    
    Bug: https://bugs.gentoo.org/804921
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-mail/fetchmail/Manifest                |   1 -
 net-mail/fetchmail/fetchmail-6.4.19.ebuild | 107 -----------------------------
 2 files changed, 108 deletions(-)
Comment 18 Sam James archtester gentoo-dev Security 2021-08-03 22:58:40 UTC
Thanks!
Comment 19 Larry the Git Cow gentoo-dev 2021-08-21 16:07:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfcd4678edd09ba6315f6d4fd358455772e2f957

commit dfcd4678edd09ba6315f6d4fd358455772e2f957
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-08-21 16:07:08 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-08-21 16:07:23 +0000

    net-mail/fetchmail: 6.4.21 direct stable bump
    
    This is a regression fix on security stable 6.4.20, see upstream README
    
    Bug: https://bugs.gentoo.org/804921
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    RepoMan-Options: --force
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-mail/fetchmail/Manifest                                             | 2 +-
 net-mail/fetchmail/{fetchmail-6.4.20.ebuild => fetchmail-6.4.21.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
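Review bot: the message justifies a direct stable bump with "see upstream README" but does not name the regression in 6.4.20 that 6.4.21 fixes; since the diffstat shows the ebuild is a pure rename (0 changes, so 6.4.20's stable keywords carry straight over, hence RepoMan-Options: --force), quoting the relevant upstream NEWS/README line in the commit message would let the arch and security teams verify why normal stabilization was skipped without leaving the bug.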
Comment 21 NATTkA bot gentoo-dev 2021-09-13 20:32:32 UTC
Unable to check for sanity:

> no match for package: net-mail/fetchmail-6.4.21