copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
By Operating...
»
UNIX (all)
»
Solaris
» AU-2008.0014 -- AusCERT Update - [UNIX/Linux] - Re-R...
AU-2008.0014 -- AusCERT Update - [UNIX/Linux] - Re-Release of fetchmail patch for CVE-2008-2711
Date:
25 June 2008
References
:
AA-2008.0136
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 AusCERT Update AU-2008.0014 - [UNIX/Linux] Re-Release of fetchmail patch for CVE-2008-2711 25 June 2008 AusCERT Update Summary ---------------------- Product: fetchmail 6.3.8 and prior Publisher: Fetchmail Operating System: UNIX variants (UNIX, Linux, OSX) Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2008-2711 Ref: AA-2008.0136 Original Bulletin: http://fetchmail.berlios.de/fetchmail-SA-2008-01.txt - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 fetchmail-SA-2008-01: Crash on large log messages in verbose mode Topics: Crash in large log messages in verbose mode. Author: Matthias Andree Version: 1.2 Announced: 2008-06-17 Type: Dereferencing garbage pointer triggered by outside circumstances Impact: denial of service possible Danger: low CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C) Credits: Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report) CVE Name: CVE-2008-2711 URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt Project URL: http://www.fetchmail.info/ Affects: fetchmail release before and excluding 6.3.9 fetchmail release candidate 6.3.9-rc1 Not affected: fetchmail release 6.3.9 and newer fetchmail release candidate 6.3.9-rc2 and newer systems without varargs support. Corrected: 2008-06-24 fetchmail SVN (rev 5205) References: <https://bugzilla.novell.com/show_bug.cgi?id=354291> <http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824> 0. Release history ================== 2008-06-13 1.0 first draft for MITRE/CVE (visible in SVN, posted to oss-security) 2008-06-17 1.0 published on http://www.fetchmail.info/ 2008-06-17 1.1 Corrected typo in Type: above (trigged -> triggered) 2008-06-24 1.2 also fixed issue in report_complete (reported by Petr Uzel) 1. Background ============= fetchmail is a software package to retrieve mail from remote POP2, POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail ships with a graphical, Python/Tkinter based configuration utility named "fetchmailconf" to help the user create configuration (run control) files for fetchmail. 2. Problem description and Impact ================================= Gunter Nau reported fetchmail crashing on some messages; further debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic dug up that this happened when fetchmail was trying to print, in -v -v verbose level, headers exceeding 2048 bytes. In this situation, fetchmail would resize the buffer and fill in further parts of the message, but forget to reinitialize its va_list typed source pointer, thus reading data from a garbage address found on the stack at addresses above the function arguments the caller passed in; usually that would be the caller's stack frame. It is unknown whether code can be injected remotely, but given that the segmentation fault is caused by read accesses, the relevant data is not under the remote attacker's control and no buffer overrun situation is present that would allow altering program /flow/, it is deemed rather unlikely that code can be injected. Note that the required -vv configuration at hand is both non-default and also not common in automated (cron job) setups, but usually used in manual debugging, so not many systems would be affected by the problem. Nonetheless, in vulnerable configurations, it is remotely exploitable to effect a denial of service attack. 3. Solution =========== There are two alternatives, either of them by itself is sufficient: a. Apply the patch found in section B of this announcement to fetchmail 6.3.8, recompile and reinstall it. b. Install fetchmail 6.3.9 or newer after it will have become available. The fetchmail source code is always available from <http://developer.berlios.de/project/showfiles.php?group_id=1824>. 4. Workaround ============= Run fetchmail at low verbosity, avoid using two or three -v arguments; internal messages are short and do not contain external message sources so they do not cause buffer resizing. It is recommended to replace the vulnerable code by a fixed version (see previous section 3. Solution) as soon as reasonably possible. A. Copyright, License and Warranty ================================== (C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>. Some rights reserved. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs German License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ or send a letter to Creative Commons; 559 Nathan Abbott Way; Stanford, California 94305; USA. THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. B. Patch to remedy the problem ============================== Note that when taking this from a GnuPG clearsigned file, the lines starting with a "-" character are prefixed by another "- " (dash + blank) combination. Either feed this file through GnuPG to strip them, or strip them manually. Whitespace differences can usually be ignored by invoking "patch -l", so try this if the patch does not apply. diff --git a/report.c b/report.c index 31d4e48..320e60b 100644 - - --- a/report.c +++ b/report.c @@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist) rep_ensuresize(); #if defined(VA_START) - - - VA_START (args, message); for ( ; ; ) { + /* + * args has to be initialized before every call of vsnprintf(), + * because vsnprintf() invokes va_arg macro and thus args is + * undefined after the call. + */ + VA_START(args, message); n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, message, args); + va_end (args); if (n >= 0 && (unsigned)n < partial_message_size - partial_message_size_used) @@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist) partial_message_size += 2048; partial_message = REALLOC (partial_message, partial_message_size); } - - - va_end (args); #else for ( ; ; ) { @@ -304,12 +309,13 @@ report_complete (FILE *errfp, message, va_alist) rep_ensuresize(); #if defined(VA_START) - - - VA_START (args, message); for ( ; ; ) { + VA_START(args, message); n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, message, args); + va_end(args); /* old glibc versions return -1 for truncation */ if (n >= 0 @@ -322,7 +328,6 @@ report_complete (FILE *errfp, message, va_alist) partial_message_size += 2048; partial_message = REALLOC (partial_message, partial_message_size); } - - - va_end (args); #else for ( ; ; ) { END OF fetchmail-SA-2008-01.txt - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFIYPBuvmGDOQUufZURAuj8AJ9IbN/UMcML6NLKSI0keQzGVGzZSQCg+UCP tUVNigLK8Xz40J2Eg7PD8Xs= =HAmn - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSGHIvSh9+71yA2DNAQJOYwP/VeCl+nySdcCq47xQyzTcVUcbIJonah+4 4bxGk5TQYUJo/byzl9VUx5jbNqT5SvQyz/W3xd3S4LeCuo6IDgz8T57AvYx15vlu Oy5h2ios+HHYEZG8L55RKzrP4lwaiS0H4+SWmPnzVIHP16BSN8Z1ooFdcD6thY8P 5xodKQV+DQc= =33vo -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=33&it=9505