This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 164512 - multiple fetchmail vulnerabilities - CAN-2003-0792,CAN-2005-2335,3088,4348
multiple fetchmail vulnerabilities - CAN-2003-0792,CAN-2005-2335,3088,4348
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: fetchmail (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
LEGACY, rh73, rh9, 1, 2
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-07-28 10:01 EDT by Jeff Sheltren
Modified: 2007-04-18 13:29 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-12 20:52:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jeff Sheltren 2005-07-28 10:01:30 EDT
A buffer overflow was discovered in fetchmail's POP3 client. A malicious
server could cause send a carefully crafted message UID and cause fetchmail
to crash or potentially execute arbitrary code as the user running
fetchmail. The Common Vulnerabilities and Exposures project assigned the
name CAN-2005-2335 to this issue.

RHEL Errata: http://rhn.redhat.com/errata/RHSA-2005-640.html

I believe this effects all Fedora Legacy dists: 7.3, 9, FC1, FC2
Comment 1 Jeff Sheltren 2005-07-28 11:22:10 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages based on patches from RHEL:

7.3:
82f296f430e2f8d1e5cf192c6f4271f8d56c9026  fetchmail-5.9.0-21.7.3.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/fetchmail-5.9.0-21.7.3.1.legacy.src.rpm

9:
cb37f36200433c90dcad5fda769828d8bd6d48dd  fetchmail-6.2.0-3.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/fetchmail-6.2.0-3.1.legacy.src.rpm

FC1:
7467c97ff31d957365fe3d92aa677620f53b1d8d  fetchmail-6.2.0-8.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/fetchmail-6.2.0-8.1.legacy.src.rpm

FC2:
c99f5338ec6f4fcf3df6f422b8cfa5452d58a13f  fetchmail-6.2.5-2.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/fetchmail-6.2.5-2.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC6PfHKe7MLJjUbNMRAn3DAKDNiWWrsapffOBrMwsEXTZWjJpGiQCfbq1m
/5avDZ7pju3ZxiFKDpa804Y=
=VdaL
-----END PGP SIGNATURE-----
Comment 2 Pekka Savola 2005-07-30 01:54:02 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - spec file changes minimal
 - source integrity good
 - first three patches identical to RHEL3, FC2 identical to RHEL4

+PUBLISH RHL73, RHL9, FC1, FC2

82f296f430e2f8d1e5cf192c6f4271f8d56c9026  fetchmail-5.9.0-21.7.3.1.legacy.src.rpm
cb37f36200433c90dcad5fda769828d8bd6d48dd  fetchmail-6.2.0-3.1.legacy.src.rpm
7467c97ff31d957365fe3d92aa677620f53b1d8d  fetchmail-6.2.0-8.1.legacy.src.rpm
c99f5338ec6f4fcf3df6f422b8cfa5452d58a13f  fetchmail-6.2.5-2.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC6xXtGHbTkzxSL7QRAtbgAJ9loWLU8MYT+/JbmuppKO3jKOYnnwCgt4Oo
21KOrSEwvVS0D3TlgGTZ49w=
=mPg4
-----END PGP SIGNATURE-----
Comment 3 Marc Deslauriers 2005-08-06 18:10:58 EDT
There seem to be a couple of security patches that were in the fc1 version that
never got added to rh9 (and maybe rh73). Someone needs to look into this and
make some new packages.

* Fri Oct 10 2003 Nalin Dahyabhai <nalin@redhat.com> 6.2.0-8
- add patch to not truncate headers which have been munged to include a
  hostname where one didn't exist before (CAN-2003-0792), backport from fix
  for 6.2.4 included in 6.2.5

* Thu Oct  9 2003 Nalin Dahyabhai <nalin@redhat.com>
- add patch from Markus Friedl to fix possible buffer underrun (CAN-2003-0790)

Comment 4 John Dalbec 2005-09-01 08:36:49 EDT
Is this the same vulnerability?  The CAN number doesn't match but that could be
a typo.

05.30.16 CVE: CAN-2005-2355
Platform: Unix
Title: Fetchmail POP3 Client Buffer Overflow
Description: Fetchmail is a mail retrieval utility. Its POP3 client is
prone to a buffer overflow issue due to a failure of the application
to perform boundary checks prior to copying server-supplied data into
process buffers. Fetchmail version 1.02 is affected.
Ref: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt 
Comment 5 Pekka Savola 2005-09-02 13:29:47 EDT
CVE 2355 states:

Description 	** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs:
CAN-2005-2335, CAN-2005-2356. Reason: due to a typo in an advisory, this
candidate was accidentally referenced. Notes: All CVE users should consult
CAN-2005-2335 and CAN-2005-2356 to determine the appropriate identifier for the
issue.

The fetchmail site describes the vulnerability as CAN-2005-2335.

So, these are the same thing.
Comment 6 Donald Maner 2006-03-11 19:27:52 EST
Ok, I picked an easy one for my first patch make.  Please, double check and
lemme know if I got it wrong anywhere.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for rh 7.3 and rh 9 that include the CVE-2003-0792
patch from FC1.

7.3:
f7441aed8d0c27b9377c4b49d142b7dfed09ee7f
http://lance.maner.org/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm

9:
d5906d7206a9f40e26598e525c1d21c654ee8fc7
http://lance.maner.org/fetchmail-6.2.0-3.2.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEE2w6pxMPKJzn2lIRAixfAKCjEVtHByr/+c+1nf5WPP227qkmsQCfeot+
L2pRHgvfa9TKXtTEI/EtDhI=
=5u70
-----END PGP SIGNATURE-----
Comment 7 Pekka Savola 2006-03-12 01:42:54 EST
By the way, I wonder if any of the following apply to us?

CVE-2006-0321 	fetchmail 6.3.0 and other versions before 6.3.2 allows remote
attackers to cause a denial of service (crash) via crafted e-mail messages that
cause a free of an invalid pointer when fetchmail bounces the message to the
originator or local postmaster.

CVE-2005-4348 	fetchmail before 6.3.1 and before 6.2.5.5, when configured for
multidrop mode, allows remote attackers to cause a denial of service
(application crash) by sending messages without headers from upstream mail servers.

CVE-2005-3088 	fetchmailconf before 1.49 in fetchmail 6.2.0, 6.2.5 and 6.2.5.2
creates configuration files with insecure world-readable permissions, which
allows local users to obtain sensitive information such as passwords.
Comment 8 Donald Maner 2006-03-12 18:05:07 EST
CVE-2006-0321 doesn't apply.  The calls to free(from_responses) are not in
sink.c on rh9, fc1, or fc2 versions.

CVE-2005-4348: I pulled a patch out of the difference between fetchmail-6.2.5.4
and fetchmail-6.2.5.5.  Changes were to transact.c, and they applied cleanly to
fc2 version.  Also backported to fc1.

CVE-2005-3088: Pulled patch from RHAS 2.1 for rh73, and ported it to 6.2.0 for
applying to rh9, fc1 and fc2.

Updated packages below:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated packages with the rest of the patches:

7.3:
ff01a9c71dc6ad873970c2e1ff0bc44d032c5ff7
http://lance.maner.org/fetchmail-5.9.0-21.7.3.src.rpm

9:
432fc7bd4baa9810d0dbba857f853d90cbe3b228
http://lance.maner.org/fetchmail-6.2.0-3.3.legacy.src.rpm

fc1:
8b755fe4a36099207bdf964f0097eb00bc8bba75
http://lance.maner.org/fetchmail-6.2.0-8.2.legacy.src.rpm

fc2:
cfcd86928842df29a61f21cef3bfd705a94e610e
http://lance.maner.org/fetchmail-6.2.5-2.2.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEFKpCpxMPKJzn2lIRAm3UAJ49sc/d6cSfI+cgPLAPe/iNuS1k3QCglmbO
PL398rnzmAXsOY0gh8nYrSA=
=foUT
-----END PGP SIGNATURE-----
Comment 9 Pekka Savola 2006-03-13 01:17:05 EST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL or newer FC releases and/or
   by manual diffing.
 
Note: Don's RHL73 URL didn't work, but I think I found the right package
version..
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
ff01a9c71dc6ad873970c2e1ff0bc44d032c5ff7  fetchmail-5.9.0-21.7.3.2.legacy.src.rpm
432fc7bd4baa9810d0dbba857f853d90cbe3b228  fetchmail-6.2.0-3.3.legacy.src.rpm
8b755fe4a36099207bdf964f0097eb00bc8bba75  fetchmail-6.2.0-8.2.legacy.src.rpm
cfcd86928842df29a61f21cef3bfd705a94e610e  fetchmail-6.2.5-2.2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFEFQ87GHbTkzxSL7QRAqSEAKDJvqsULT/HnjyuwoQvkBGCOHBSygCeLb27
MLQE7WrMEnigB0e24NhmAkg=
=d5Is
-----END PGP SIGNATURE-----
Comment 10 Donald Maner 2006-03-13 02:30:48 EST
Indeed, thanks.  The link in my first post is correct, and the sha1sum in the
2nd is correct.
Comment 11 Marc Deslauriers 2006-03-23 19:59:09 EST
I'm having trouble building this with plague. The rh9 package keeps pulling in
libcom_err.so.3 instead of libcom_err.so.2.

Anyone have any ideas?
Comment 12 Marc Deslauriers 2006-03-23 20:47:32 EST
never mind...nailed it
Comment 13 David Eisenstein 2006-03-23 21:14:00 EST
Glad you found it, Marc.  Didn't realize it would be as simple as a
build-requires...  :)
Comment 14 Marc Deslauriers 2006-03-28 19:33:13 EST
Packages were pushed to updates-testing
Comment 15 Pekka Savola 2006-04-17 12:29:53 EDT
Timeout over.
Comment 16 Marc Deslauriers 2006-05-12 20:52:18 EDT
Packages were released to updates.

Note You need to log in before you can comment on or make changes to this bug.