[pkg-fetchmail-maint] [nico@ngolde.de: [nico@ngolde.de: Fetchmail:
Security update needed]]
Nico Golde
nico at ngolde.de
Thu Jul 21 16:13:21 UTC 2005
Hi this is the mail i sent to the security team.
Regards Nico
----- Forwarded message from Nico Golde <nico at ngolde.de> -----
From: Nico Golde <nico at ngolde.de>
To: team at security.debian.org
Subject: Fetchmail: Security update needed
X-Mailer: Mutt-ng http://www.muttng.org
X-Operating-System: Debian GNU/Linux sid
User-Agent: mutt-ng devel-r316 (Debian)
Dear Security-Team,
Bug #212762 in the Debian BTS allows remote root
exploitation for clients running fetchmail from a
manipulated pop3 server.
This bug has been assigned the cve id CAN-2005-2335.
It is not yet available but during the meantime see:
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
All versions in Debian are affected.
I'll upload a fixed version for unstable as soon as
possible. A patch for stable is
attached.
As far as I can see this oldstable release is not affected
because uidl's weren't implemented in the way they are in
stable but upstream don't want to have a look at it.
If you have the time it would be nice if you would have a
look on it too.
Regards Nico
--
Nico Golde - JAB: nion at jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps
and the one in which it doesn't -- encrypted mail preferred
diff -Nur fetchmail-6.2.5/MANIFEST fetchmail-6.2.5.1/MANIFEST
--- fetchmail-6.2.5/MANIFEST 2003-10-16 00:41:51.000000000 +0200
+++ fetchmail-6.2.5.1/MANIFEST 2005-07-20 18:59:46.000000000 +0200
@@ -37,7 +37,6 @@
contrib/PopDel.py
contrib/poptest
contrib/preauth-harness
-contrib/RCS
contrib/README
contrib/README.getmail
contrib/redhat_rc
@@ -159,6 +158,7 @@
socket.h
specgen.sh
strcasecmp.c
+strlcpy.c
strstr.c
TODO
todo.html
diff -Nur fetchmail-6.2.5/Makefile.in fetchmail-6.2.5.1/Makefile.in
--- fetchmail-6.2.5/Makefile.in 2003-10-16 00:38:18.000000000 +0200
+++ fetchmail-6.2.5.1/Makefile.in 2005-07-20 19:02:41.000000000 +0200
@@ -4,7 +4,7 @@
# So just uncomment all the lines marked QNX.
PACKAGE = fetchmail
-VERSION = 6.2.5
+VERSION = 6.2.5.1
# Ultrix 2.2 make doesn't expand the value of VPATH.
srcdir = @srcdir@
@@ -93,7 +93,7 @@
transact.o sink.o rfc822.o smtp.o xmalloc.o uid.o mxget.o md5ify.o \
cram.o kerberos.o gssapi.o opie.o rpa.o interface.o netrc.o base64.o \
report.o unmime.o conf.o checkalias.o smbdes.o smbencrypt.o smbmd4.o \
- smbutil.o ipv6-connect.o lock.o
+ smbutil.o ipv6-connect.o lock.o strlcpy.o
objs = $(protobjs) $(EXTRAOBJ)
@@ -109,7 +109,8 @@
$(srcdir)/netrc.c $(srcdir)/base64.c $(srcdir)/report.c \
$(srcdir)/unmime.c $(srcdir)/conf.c $(srcdir)/checkalias.c \
$(srcdir)/smbdes.c $(srcdir)/smbencrypt.c $(srcdir)/smbmd4.c \
- $(srcdir)/smbutil.c $(srcdir)/ipv6-connect.c $(srcdir)/lock.c
+ $(srcdir)/smbutil.c $(srcdir)/ipv6-connect.c $(srcdir)/lock.c \
+ $(srcdir)/strlcpy.c
.SUFFIXES:
.SUFFIXES: .o .c .h .y .l .ps .dvi .info .texi
diff -Nur fetchmail-6.2.5/NEWS fetchmail-6.2.5.1/NEWS
--- fetchmail-6.2.5/NEWS 2003-10-16 00:40:17.000000000 +0200
+++ fetchmail-6.2.5.1/NEWS 2005-07-20 19:04:38.000000000 +0200
@@ -2,6 +2,16 @@
(The `lines' figures total .c, .h, .l, and .y files under version control.)
+fetchmail-6.2.5.1 (Wed Jul 20 16:28 GMT 2005):
+
+* NOTE: Due to a Makefile.in bug, you may need to use GNU make
+* SECURITY FIX: truncate UIDL replies, lest malicious or compromised
+ POP3 servers overflow fetchmail's stack. Debian bug #212762.
+ This is a remote root exploit. CVE number has been requested and will
+ be published on http://fetchmail.berlios.de/ and to the Debian BTS.
+* Critical fix: omit blank between MAIL FROM: and <user at example.org>,
+ as this causes mail loss with some listeners.
+
fetchmail-6.2.5 (Wed Oct 15 18:39:22 EDT 2003), 23079 lines:
* Updated Spanish, Turkish, and German translation files.
diff -Nur fetchmail-6.2.5/pop3.c fetchmail-6.2.5.1/pop3.c
--- fetchmail-6.2.5/pop3.c 2003-10-15 21:22:31.000000000 +0200
+++ fetchmail-6.2.5.1/pop3.c 2005-07-20 18:33:26.000000000 +0200
@@ -16,7 +16,8 @@
#if defined(STDC_HEADERS)
#include <stdlib.h>
#endif
-
+#include <errno.h>
+
#include "fetchmail.h"
#include "socket.h"
#include "i18n.h"
@@ -590,7 +591,8 @@
return(PS_SUCCESS);
}
-static int pop3_gettopid( int sock, int num , char *id)
+#define POSIX_space "\t\n\v\f\r "
+static int pop3_gettopid(int sock, int num , char *id, size_t idsize)
{
int ok;
int got_it;
@@ -603,25 +605,51 @@
{
if (DOTLINE(buf))
break;
- if ( ! got_it && ! strncasecmp("Message-Id:", buf, 11 )) {
- got_it = 1;
- /* prevent stack overflows */
- buf[IDLEN+12] = 0;
- sscanf( buf+12, "%s", id);
+ if (!got_it && 0 == strncasecmp("Message-Id:", buf, 11)) {
+ char *p = buf + 11;
+ p += strspn(p, POSIX_space);
+ p = strtok(p, POSIX_space);
+ strlcpy(id, p, idsize);
}
}
return 0;
}
-static int pop3_getuidl( int sock, int num , char *id)
+/** Parse destructively the UID response (leading +OK must have been
+ * stripped off) in buf, store the number in gotnum, and store the ID
+ * into the caller-provided buffer "id" of size "idsize".
+ * Returns PS_SUCCESS or PS_PROTOCOL for failure. */
+static int parseuid(char *buf, unsigned long *gotnum, char *id, size_t idsize)
+{
+ char *i, *j;
+
+ i = strtok(buf, POSIX_space);
+ errno = 0;
+ *gotnum = strtoul(i, &j, 10);
+ if (*j != '\0' || j == i || errno) {
+ report(stderr, GT_("Cannot handle UIDL response from upstream server.\n"));
+ return PS_PROTOCOL;
+ }
+ i = strtok(NULL, POSIX_space);
+ strlcpy(id, i, idsize);
+ return PS_SUCCESS;
+}
+
+static int pop3_getuidl(int sock, int num , char *id, size_t idsize)
{
int ok;
char buf [POPBUFSIZE+1];
+ unsigned long gotnum;
+
gen_send(sock, "UIDL %d", num);
if ((ok = pop3_ok(sock, buf)) != 0)
return(ok);
- if (sscanf(buf, "%d %s", &num, id) != 2)
- return(PS_PROTOCOL);
+ if ((ok = parseuid(buf, &gotnum, id, idsize)))
+ return ok;
+ if (gotnum != num) {
+ report(stderr, GT_("Server responded with UID for wrong message.\n"));
+ return PS_PROTOCOL;
+ }
return(PS_SUCCESS);
}
@@ -638,7 +666,7 @@
struct idlist *new;
try_nr = (first_nr + last_nr) / 2;
- if( (ok = pop3_getuidl( sock, try_nr, id )) != 0 )
+ if ((ok = pop3_getuidl(sock, try_nr, id, sizeof(id))) != 0)
return ok;
if ((new = str_in_list(&ctl->oldsaved, id, FALSE)))
{
@@ -700,10 +728,10 @@
int first_nr, list_len, try_id, try_nr, add_id;
int num;
char id [IDLEN+1];
-
- if( (ok = pop3_gettopid( sock, 1, id )) != 0 )
+
+ if ((ok = pop3_gettopid(sock, 1, id, sizeof(id))) != 0)
return ok;
-
+
if( ( first_nr = str_nr_in_list(&ctl->oldsaved, id) ) == -1 ) {
/* the first message is unknown -> all messages are new */
*newp = *countp;
@@ -715,7 +743,7 @@
try_id = list_len - first_nr; /* -1 + 1 */
if( try_id > 1 ) {
if( try_id <= *countp ) {
- if( (ok = pop3_gettopid( sock, try_id, id )) != 0 )
+ if ((ok = pop3_gettopid(sock, try_id, id, sizeof(id))) != 0)
return ok;
try_nr = str_nr_last_in_list(&ctl->oldsaved, id);
@@ -739,7 +767,7 @@
} else
try_id += add_id;
- if( (ok = pop3_gettopid( sock, try_id, id )) != 0 )
+ if ((ok = pop3_gettopid(sock, try_id, id, sizeof(id))) != 0)
return ok;
try_nr = str_nr_in_list(&ctl->oldsaved, id);
}
@@ -801,7 +829,7 @@
/*
* Newer, RFC-1725-conformant POP servers may not have the LAST command.
- * We work as hard as possible to hide this ugliness, but it makes
+ * We work as hard as possible to hide this ugliness, but it makes
* counting new messages intrinsically quadratic in the worst case.
*/
last = 0;
@@ -839,15 +867,15 @@
}
*newp = (*countp - last);
}
- else
- {
+ else
+ {
if (dofastuidl)
return(pop3_fastuidl( sock, ctl, *countp, newp));
/* grab the mailbox's UID list */
if ((ok = gen_transact(sock, "UIDL")) != 0)
{
/* don't worry, yet! do it the slow way */
- if((ok = pop3_slowuidl( sock, ctl, countp, newp))!=0)
+ if ((ok = pop3_slowuidl(sock, ctl, countp, newp)))
{
report(stderr, GT_("protocol error while fetching UIDLs\n"));
return(PS_ERROR);
@@ -855,27 +883,32 @@
}
else
{
- int num;
+ unsigned long unum;
*newp = 0;
- while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
+ while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
{
- if (DOTLINE(buf))
- break;
- else if (sscanf(buf, "%d %s", &num, id) == 2)
+ if (DOTLINE(buf))
+ break;
+
+ if (parseuid(buf, &unum, id, sizeof(id)) == PS_SUCCESS)
{
- struct idlist *old, *new;
+ struct idlist *old, *new;
new = save_str(&ctl->newsaved, id, UID_UNSEEN);
- new->val.status.num = num;
+ new->val.status.num = unum;
if ((old = str_in_list(&ctl->oldsaved, id, FALSE)))
{
flag mark = old->val.status.mark;
if (mark == UID_DELETED || mark == UID_EXPUNGED)
{
+ /* XXX FIXME: switch 3 occurrences from
+ * (int)unum or (unsigned int)unum to
+ * remove the cast and use %lu - not now
+ * though, time for new release */
if (outlevel >= O_VERBOSE)
- report(stderr, GT_("id=%s (num=%d) was deleted, but is still present!\n"), id, num);
+ report(stderr, GT_("id=%s (num=%d) was deleted, but is still present!\n"), id, (int)unum);
/* just mark it as seen now! */
old->val.status.mark = mark = UID_SEEN;
}
@@ -884,25 +917,25 @@
{
(*newp)++;
if (outlevel >= O_DEBUG)
- report(stdout, GT_("%u is unseen\n"), num);
+ report(stdout, GT_("%u is unseen\n"), (unsigned int)unum);
}
}
else
{
(*newp)++;
if (outlevel >= O_DEBUG)
- report(stdout, GT_("%u is unseen\n"), num);
+ report(stdout, GT_("%u is unseen\n"), (unsigned int)unum);
/* add it to oldsaved also! In case, we do not
* swap the lists (say, due to socket error),
* the same mail will not be downloaded again.
*/
old = save_str(&ctl->oldsaved, id, UID_UNSEEN);
- old->val.status.num = num;
+ old->val.status.num = unum;
}
}
- }
- }
- }
+ }
+ }
+ }
}
return(PS_SUCCESS);
@@ -986,7 +1019,7 @@
}
/* get the uidl first! */
- if (pop3_getuidl(sock, num, id) != PS_SUCCESS)
+ if (pop3_getuidl(sock, num, id, sizeof(id)) != PS_SUCCESS)
return(TRUE);
if ((new = str_in_list(&ctl->oldsaved, id, FALSE))) {
diff -Nur fetchmail-6.2.5/sink.c fetchmail-6.2.5.1/sink.c
--- fetchmail-6.2.5/sink.c 2003-10-11 00:06:36.000000000 +0200
+++ fetchmail-6.2.5.1/sink.c 2005-07-20 18:26:32.000000000 +0200
@@ -724,7 +724,7 @@
/* see the ap computation under the SMTP branch */
fprintf(sinkfp,
- "MAIL FROM: %s", (msg->return_path[0]) ? msg->return_path : user);
+ "MAIL FROM:%s", (msg->return_path[0]) ? msg->return_path : user);
if (ctl->pass8bits || (ctl->mimemsg & MSG_IS_8BIT))
fputs(" BODY=8BITMIME", sinkfp);
diff -Nur fetchmail-6.2.5/smtp.c fetchmail-6.2.5.1/smtp.c
--- fetchmail-6.2.5/smtp.c 2003-08-06 05:30:18.000000000 +0200
+++ fetchmail-6.2.5.1/smtp.c 2005-07-20 18:26:32.000000000 +0200
@@ -232,13 +232,13 @@
int ok;
char buf[MSGBUFSIZE];
- if (strchr(from, '<'))
+ if (from[0]=='<')
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
#else
sprintf(buf,
#endif /* HAVE_SNPRINTF */
- "MAIL FROM: %s", from);
+ "MAIL FROM:%s", from);
else
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof(buf),
diff -Nur fetchmail-6.2.5/strlcpy.c fetchmail-6.2.5.1/strlcpy.c
--- fetchmail-6.2.5/strlcpy.c 1970-01-01 01:00:00.000000000 +0100
+++ fetchmail-6.2.5.1/strlcpy.c 2005-07-20 18:33:55.000000000 +0200
@@ -0,0 +1,58 @@
+/* $NetBSD: strlcpy.c,v 1.14 2003/10/27 00:12:42 lukem Exp $ */
+/* $OpenBSD: strlcpy.c,v 1.7 2003/04/12 21:56:39 millert Exp $ */
+
+/*
+ * Copyright (c) 1998 Todd C. Miller <Todd.Miller at courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <assert.h>
+#include <string.h>
+
+#if !HAVE_STRLCPY
+/*
+ * Copy src to string dst of size siz. At most siz-1 characters
+ * will be copied. Always NUL terminates (unless siz == 0).
+ * Returns strlen(src); if retval >= siz, truncation occurred.
+ */
+size_t
+strlcpy(dst, src, siz)
+ char *dst;
+ const char *src;
+ size_t siz;
+{
+ char *d = dst;
+ const char *s = src;
+ size_t n = siz;
+
+ /* Copy as many bytes as will fit */
+ if (n != 0 && --n != 0) {
+ do {
+ if ((*d++ = *s++) == 0)
+ break;
+ } while (--n != 0);
+ }
+
+ /* Not enough room in dst, add NUL and traverse rest of src */
+ if (n == 0) {
+ if (siz != 0)
+ *d = '\0'; /* NUL-terminate dst */
+ while (*s++)
+ ;
+ }
+
+ return(s - src - 1); /* count does not include NUL */
+}
+#endif
----- End forwarded message -----
--
Nico Golde - JAB: nion at jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps
and the one in which it doesn't -- encrypted mail preferred
More information about the pkg-fetchmail-maint
mailing list