Bug 1987766 (CVE-2021-36386)

Summary: CVE-2021-36386 fetchmail: DoS or information disclosure when logging long messages
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anon.amish, vcrhonek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: fetchmail 6.4.20 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in fetchmail. The flaw lies in how fetchmail when running in verbose mode using the -v flag tries to log long messages that are created from long headers. An attacker could potentially use this flaw to cause a Denial of Service attack or crash. The highest threat from this vulnerability is to data availability. This flaw was earlier identified by CVE-2008-2711 and fixed, however it recently got reintroduced due to a code refactoring issue. The current bug fix applies a different approach than the earlier one.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-11 20:15:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1987768, 2002698, 2005307    
Bug Blocks: 1987770    

Description Guilherme de Almeida Suckevicz 2021-07-29 16:15:37 UTC 
Fetchmail has long had support to assemble log/error messages that are generated piecemeal, and takes care to reallocate the output buffer as needed. In the reallocation case, i. e. when long log messages are assembled that can stem from very long headers, and on systems that have a varargs.h/stdarg.h interface (all modern systems), fetchmail's code would fail to reinitialize the va_list argument to vsnprintf. 
The exact effects depend on the verbose mode (how many -v are given) of fetchmail, computer architecture, compiler, operating system and configuration.  On some systems, the code just works without ill effects, some systems log a garbage message (potentially disclosing sensitive information), some systems log literally "(null)", some systems trigger SIGSEGV (signal #11), which crashes fetchmail, causing a denial of service on fetchmail's end.

References:
https://www.fetchmail.info/fetchmail-SA-2021-01.txt
https://www.openwall.com/lists/oss-security/2021/07/28/5
Comment 1 Guilherme de Almeida Suckevicz 2021-07-29 16:15:52 UTC 
Created fetchmail tracking bugs for this issue:

Affects: fedora-all [bug 1987768]
Comment 5 errata-xmlrpc 2022-05-10 14:33:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1964 https://access.redhat.com/errata/RHSA-2022:1964
Comment 6 Product Security DevOps Team 2022-05-11 20:15:56 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-36386