1987766 – (CVE-2021-36386) CVE-2021-36386 fetchmail: DoS or information disclosure when logging long messages

Bug 1987766 (CVE-2021-36386) - CVE-2021-36386 fetchmail: DoS or information disclosure when logging long messages

Summary: CVE-2021-36386 fetchmail: DoS or information disclosure when logging long mes...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-36386
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1987768 2002698 2005307
Blocks:	1987770
TreeView+	depends on / blocked

Reported:	2021-07-29 16:15 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-05-17 10:00 UTC (History)
CC List:	2 users (show)
Fixed In Version:	fetchmail 6.4.20
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in fetchmail. The flaw lies in how fetchmail when running in verbose mode using the -v flag tries to log long messages that are created from long headers. An attacker could potentially use this flaw to cause a Denial of Service attack or crash. The highest threat from this vulnerability is to data availability. This flaw was earlier identified by CVE-2008-2711 and fixed, however it recently got reintroduced due to a code refactoring issue. The current bug fix applies a different approach than the earlier one.
Clone Of:
Environment:
Last Closed:	2022-05-11 20:15:58 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:1964	0	None	None	None	2022-05-10 14:33:17 UTC

Description Guilherme de Almeida Suckevicz 2021-07-29 16:15:37 UTC

Fetchmail has long had support to assemble log/error messages that are generated piecemeal, and takes care to reallocate the output buffer as needed. In the reallocation case, i. e. when long log messages are assembled that can stem from very long headers, and on systems that have a varargs.h/stdarg.h interface (all modern systems), fetchmail's code would fail to reinitialize the va_list argument to vsnprintf. 
The exact effects depend on the verbose mode (how many -v are given) of fetchmail, computer architecture, compiler, operating system and configuration.  On some systems, the code just works without ill effects, some systems log a garbage message (potentially disclosing sensitive information), some systems log literally "(null)", some systems trigger SIGSEGV (signal #11), which crashes fetchmail, causing a denial of service on fetchmail's end.

References:
https://www.fetchmail.info/fetchmail-SA-2021-01.txt
https://www.openwall.com/lists/oss-security/2021/07/28/5

Comment 1 Guilherme de Almeida Suckevicz 2021-07-29 16:15:52 UTC

Created fetchmail tracking bugs for this issue:

Affects: fedora-all [bug 1987768]

Comment 5 errata-xmlrpc 2022-05-10 14:33:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1964 https://access.redhat.com/errata/RHSA-2022:1964

Comment 6 Product Security DevOps Team 2022-05-11 20:15:56 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-36386

Note You need to log in before you can comment on or make changes to this bug.