A buffer overflow was discovered in fetchmail's POP3 client. A malicious server could send a carefully crafted message UID and cause fetchmail to crash or potentially execute arbitrary code as the user running fetchmail. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2335 to this issue.

RHEL Errata: http://rhn.redhat.com/errata/RHSA-2005-640.html

I believe this affects all Fedora Legacy dists: 7.3, 9, FC1, FC2
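The defect class above is a server-supplied UID copied into a fixed buffer without a length check. The following is an added illustration (not fetchmail's code) of a bounded UIDL-line parser that enforces the RFC 1939 limits (at most 70 printable ASCII characters per unique-id) before copying; the function and buffer names are assumed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 1939 caps a POP3 unique-id at 70 printable ASCII characters (0x21-0x7E). */
#define UID_MAX 70

/* Parse one "msgnum uid" line of a UIDL response into a bounded buffer.
 * Returns the message number (> 0) on success, -1 if the line is malformed
 * or the uid exceeds what the protocol or the destination buffer allow. */
int parse_uidl_line(const char *line, char *uid, size_t uidsz)
{
    const char *p = line;
    long num = 0;
    size_t n;

    if (!isdigit((unsigned char)*p))
        return -1;
    while (isdigit((unsigned char)*p)) {
        num = num * 10 + (*p - '0');
        if (num > 0x7fffffff)          /* refuse absurd message numbers */
            return -1;
        p++;
    }
    if (num == 0 || *p != ' ')
        return -1;
    p++;
    /* Measure the uid before copying; never trust the server's length. */
    n = strcspn(p, "\r\n");
    if (n == 0 || n > UID_MAX || n >= uidsz)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (p[i] < 0x21 || p[i] > 0x7e)  /* printable ASCII only, no spaces */
            return -1;
    memcpy(uid, p, n);
    uid[n] = '\0';
    return (int)num;
}

/* Constructed check: a 200-character uid (far past the RFC limit) must be rejected. */
int reject_overlong_uid(void)
{
    char line[256], uid[80];
    memset(line, 'A', sizeof line);
    memcpy(line, "2 ", 2);
    line[202] = '\0';
    return parse_uidl_line(line, uid, sizeof uid);
}

int main(void)
{
    char uid[80];   /* constructed sample line; not a real server response */
    int n = parse_uidl_line("1 whqtswO00WBw418f9t5JxYwZ\r\n", uid, sizeof uid);
    printf("msg %d uid %s\n", n, uid);
    printf("overlong uid -> %d\n", reject_overlong_uid());
    return 0;
}
```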
Here are updated packages based on patches from RHEL:

7.3:
82f296f430e2f8d1e5cf192c6f4271f8d56c9026 fetchmail-5.9.0-21.7.3.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/fetchmail-5.9.0-21.7.3.1.legacy.src.rpm

9:
cb37f36200433c90dcad5fda769828d8bd6d48dd fetchmail-6.2.0-3.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/fetchmail-6.2.0-3.1.legacy.src.rpm

FC1:
7467c97ff31d957365fe3d92aa677620f53b1d8d fetchmail-6.2.0-8.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/fetchmail-6.2.0-8.1.legacy.src.rpm

FC2:
c99f5338ec6f4fcf3df6f422b8cfa5452d58a13f fetchmail-6.2.5-2.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/fetchmail-6.2.5-2.1.legacy.src.rpm
QA w/ rpm-build-compare.sh:
- spec file changes minimal
- source integrity good
- first three patches identical to RHEL3, FC2 identical to RHEL4

+PUBLISH RHL73, RHL9, FC1, FC2

82f296f430e2f8d1e5cf192c6f4271f8d56c9026 fetchmail-5.9.0-21.7.3.1.legacy.src.rpm
cb37f36200433c90dcad5fda769828d8bd6d48dd fetchmail-6.2.0-3.1.legacy.src.rpm
7467c97ff31d957365fe3d92aa677620f53b1d8d fetchmail-6.2.0-8.1.legacy.src.rpm
c99f5338ec6f4fcf3df6f422b8cfa5452d58a13f fetchmail-6.2.5-2.1.legacy.src.rpm
There seem to be a couple of security patches that were in the fc1 version that never got added to rh9 (and maybe rh73). Someone needs to look into this and make some new packages.

* Fri Oct 10 2003 Nalin Dahyabhai <nalin> 6.2.0-8
- add patch to not truncate headers which have been munged to include a hostname where one didn't exist before (CAN-2003-0792), backport from fix for 6.2.4 included in 6.2.5

* Thu Oct 9 2003 Nalin Dahyabhai <nalin>
- add patch from Markus Friedl to fix possible buffer underrun (CAN-2003-0790)
Is this the same vulnerability? The CAN number doesn't match but that could be a typo.

05.30.16 CVE: CAN-2005-2355
Platform: Unix
Title: Fetchmail POP3 Client Buffer Overflow
Description: Fetchmail is a mail retrieval utility. Its POP3 client is prone to a buffer overflow issue due to a failure of the application to perform boundary checks prior to copying server-supplied data into process buffers. Fetchmail version 1.02 is affected.
Ref: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
CVE 2355 states:

Description: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CAN-2005-2335, CAN-2005-2356. Reason: due to a typo in an advisory, this candidate was accidentally referenced. Notes: All CVE users should consult CAN-2005-2335 and CAN-2005-2356 to determine the appropriate identifier for the issue.

The fetchmail site describes the vulnerability as CAN-2005-2335. So, these are the same thing.
Ok, I picked an easy one for my first patch make. Please, double check and lemme know if I got it wrong anywhere.

Here are updated packages for rh 7.3 and rh 9 that include the CVE-2003-0792 patch from FC1.

7.3:
f7441aed8d0c27b9377c4b49d142b7dfed09ee7f
http://lance.maner.org/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm

9:
d5906d7206a9f40e26598e525c1d21c654ee8fc7
http://lance.maner.org/fetchmail-6.2.0-3.2.legacy.src.rpm
By the way, I wonder if any of the following apply to us?

CVE-2006-0321: fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster.

CVE-2005-4348: fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.

CVE-2005-3088: fetchmailconf before 1.49 in fetchmail 6.2.0, 6.2.5 and 6.2.5.2 creates configuration files with insecure world-readable permissions, which allows local users to obtain sensitive information such as passwords.
CVE-2006-0321 doesn't apply. The calls to free(from_responses) are not in sink.c on rh9, fc1, or fc2 versions.

CVE-2005-4348: I pulled a patch out of the difference between fetchmail-6.2.5.4 and fetchmail-6.2.5.5. Changes were to transact.c, and they applied cleanly to fc2 version. Also backported to fc1.

CVE-2005-3088: Pulled patch from RHAS 2.1 for rh73, and ported it to 6.2.0 for applying to rh9, fc1 and fc2.

Updated packages below:

Updated packages with the rest of the patches:

7.3:
ff01a9c71dc6ad873970c2e1ff0bc44d032c5ff7
http://lance.maner.org/fetchmail-5.9.0-21.7.3.src.rpm

9:
432fc7bd4baa9810d0dbba857f853d90cbe3b228
http://lance.maner.org/fetchmail-6.2.0-3.3.legacy.src.rpm

fc1:
8b755fe4a36099207bdf964f0097eb00bc8bba75
http://lance.maner.org/fetchmail-6.2.0-8.2.legacy.src.rpm

fc2:
cfcd86928842df29a61f21cef3bfd705a94e610e
http://lance.maner.org/fetchmail-6.2.5-2.2.legacy.src.rpm
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches verified to come from RHEL or newer FC releases and/or by manual diffing.

Note: Don's RHL73 URL didn't work, but I think I found the right package version.

+PUBLISH RHL73, RHL9, FC1, FC2

ff01a9c71dc6ad873970c2e1ff0bc44d032c5ff7 fetchmail-5.9.0-21.7.3.2.legacy.src.rpm
432fc7bd4baa9810d0dbba857f853d90cbe3b228 fetchmail-6.2.0-3.3.legacy.src.rpm
8b755fe4a36099207bdf964f0097eb00bc8bba75 fetchmail-6.2.0-8.2.legacy.src.rpm
cfcd86928842df29a61f21cef3bfd705a94e610e fetchmail-6.2.5-2.2.legacy.src.rpm
Indeed, thanks. The link in my first post is correct, and the sha1sum in the 2nd is correct.
I'm having trouble building this with plague. The rh9 package keeps pulling in libcom_err.so.3 instead of libcom_err.so.2. Anyone have any ideas?
Never mind... nailed it.
Glad you found it, Marc. Didn't realize it would be as simple as a build-requires... :)
Packages were pushed to updates-testing
Timeout over.
Packages were released to updates.