Bug 561839 (CVE-2010-0562)

Summary: CVE-2010-0562 fetchmail: (verbose mode) Heap overflow by formating byte string into its printable representation
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Ales Zelinka <azelinka>
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: azelinka, kreilly, vcrhonek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2010/02/04/4
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 08:59:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 561841, 561848    
Bug Blocks:    

Description Jan Lieskovsky 2010-02-04 13:54:44 UTC 
Heap overflow flaw was found in the way Fetchmail used to 
convert certain byte strings into their printable representation,
when fetchmail was running in the verbose mode. A remote
attacker could use this flaw to cause a denial of service
(fetchmail crash) or, potentially, to execute arbitrary
code with the privileges of the user running fetchmail.

Upstream advisory (mentioning OSS security mailing post,
as upstream Fetchmail one doesn't seem to be working yet):

 [1] http://www.openwall.com/lists/oss-security/2010/02/04/4

Upstream patch (from [1]):

--- a/sdump.c
+++ b/sdump.c
@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
 	if (isprint((unsigned char)in[i])) {
 	    *(oi++) = in[i];
 	} else {
-	    oi += sprintf(oi, "\\x%02X", in[i]);
+	    oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
 	}
     }
     *oi = '\0';

(mentioned "r5467" SVN revision doesn't seem to be working for
 me yet).

References:
  http://www.fetchmail.info/fetchmail-SA-2010-01.txt
  http://www.fetchmail.info/
Comment 1 Jan Lieskovsky 2010-02-04 13:58:50 UTC 
This issue does NOT affect the versions of the fetchmail package,
as shipped with Red Hat Enteprise Linux 3, 4, and 5.

This issue does NOT affect the versions of the fetchmail package,
as shipped with Fedora release of 11 (fetchmail-6.3.9-5.fc11).

This issue affects the version of the fetchmail package,
as shipped with Fedora release of 12 (fetchmail-6.3.11-3.fc12).

Please fix.
Comment 4 Jan Lieskovsky 2010-02-09 09:21:06 UTC 
This is CVE-2010-0562.
Comment 5 Fedora Update System 2010-02-09 13:52:28 UTC 
fetchmail-6.3.11-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/fetchmail-6.3.11-4.fc12
Comment 6 Fedora Update System 2010-03-06 03:52:46 UTC 
fetchmail-6.3.11-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.