Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 13 Aug 2012 21:27:54 +0200
From: Matthias Andree <matthias.andree@....de>
To: oss-security@...ts.openwall.com
Subject: CVE ID request for fetchmail segfault in NTLM protocol exchange

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please assign a CVE ID for the problem described below.  Note that the
text below is a *draft* security advisory that will change before being
officially released.


fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics:		fetchmail denial of service in NTLM protocol phase

Author:		Matthias Andree
Version:	draft
Announced:	2012-08-13
Type:		crash while reading from bad memory location
Impact:		fetchmail segfaults and aborts, stalling inbound mail
Danger:		low
Acknowledgment:	J. Porter Clark

CVE Name:	(TBD)
URL:		http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL:	http://www.fetchmail.info/

Affects:	- fetchmail releases 5.0.8 up to and including 6.3.21
		  when compiled with NTLM support enabled

Not affected:	- fetchmail releases compiled with NTLM support disabled
		- fetchmail releases 6.3.22 and newer

Corrected in:	2012-08-13 Git, among others, see commit
		3fbc7cd331602c76f882d1b507cd05c1d824ba8b

		2012-08-xx fetchmail 6.3.22 release tarball


0. Release history
==================

2012-08-13 0.1	draft


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.


2. Problem description and Impact
=================================

Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM
authentication request, but never checked if the received response was
NTLM protocol exchange, or a server-side error message.  Instead,
fetchmail tried to decode the error message as though it were
base64-encoded protocol exchange, and could then segfault depending of
buffer contents, while reading data from bad memory locations.


3. Solution
===========

Install fetchmail 6.3.22 or newer.

The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.

Distributors are encouraged to review the NEWS file and move forward to
6.3.22, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued, or documentation.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X.  Care was taken to not change the
interface incompatibly.


A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2012 by Matthias Andree, <matthias.andree@....de>.
Some rights reserved.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2012-02
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlApVTQACgkQvmGDOQUufZUV9wCgxrs06ykXu52whi9dgFdWC7PR
6WsAoJAWCoIBQjUr6WSaFSvK6lEEevDa
=BCaJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.