Date: Mon, 13 Aug 2012 17:55:12 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Matthias Andree <matthias.andree@....de>
Subject: Re: CVE ID request for fetchmail segfault in NTLM protocol exchange

On 08/13/2012 01:27 PM, Matthias Andree wrote:
> Please assign a CVE ID for the problem described below. Note that
> the text below is a *draft* security advisory that will change
> before being officially released.
>
>
> fetchmail-SA-2012-02: DoS possible with NTLM authentication in
> debug mode
>
> Topics:         fetchmail denial of service in NTLM protocol phase
>
> Author:         Matthias Andree
> Version:        draft
> Announced:      2012-08-13
> Type:           crash while reading from bad memory location
> Impact:         fetchmail segfaults and aborts, stalling inbound mail
> Danger:         low
> Acknowledgment: J. Porter Clark
>
> CVE Name:       (TBD)
> URL:            http://www.fetchmail.info/fetchmail-SA-2012-02.txt
> Project URL:    http://www.fetchmail.info/
>
> Affects:        - fetchmail releases 5.0.8 up to and including 6.3.21
>                   when compiled with NTLM support enabled
>
> Not affected:   - fetchmail releases compiled with NTLM support disabled
>                 - fetchmail releases 6.3.22 and newer
>
> Corrected in:   2012-08-13 Git, among others, see commit
>                 3fbc7cd331602c76f882d1b507cd05c1d824ba8b
>
>                 2012-08-xx fetchmail 6.3.22 release tarball
>
>
> 0. Release history
> ==================
>
> 2012-08-13 0.1 draft
>
>
> 1. Background
> =============
>
> fetchmail is a software package to retrieve mail from remote POP3,
> IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP
> servers or message delivery agents. fetchmail supports SSL and TLS
> security layers through the OpenSSL library, if enabled at compile
> time and if also enabled at run time, in both SSL/TLS-wrapped mode
> on dedicated ports as well as in-band-negotiated "STARTTLS" and
> "STLS" modes through the regular protocol ports.
>
>
> 2. Problem description and Impact
> =================================
>
> Fetchmail version 5.0.8 added NTLM support. This code sent the
> NTLM authentication request, but never checked if the received
> response was NTLM protocol exchange, or a server-side error
> message. Instead, fetchmail tried to decode the error message as
> though it were base64-encoded protocol exchange, and could then
> segfault depending on buffer contents, while reading data from bad
> memory locations.
>
>
> 3. Solution
> ===========
>
> Install fetchmail 6.3.22 or newer.
>
> The fetchmail source code is always available from
> <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
>
> Distributors are encouraged to review the NEWS file and move
> forward to 6.3.22, rather than backport individual security fixes,
> because doing so routinely misses other fixes crucial to
> fetchmail's proper operation, for which no security announcements
> are issued, or documentation.
>
> Fetchmail 6.3.X releases have always been made with a focus on
> unchanged user and program interfaces so as to avoid disruptions
> when upgrading from 6.3.X to 6.3.Y with Y > X. Care was taken to
> not change the interface incompatibly.
>
>
> A. Copyright, License and Non-Warranty
> ======================================
>
> (C) Copyright 2012 by Matthias Andree, <matthias.andree@....de>.
> Some rights reserved.
>
> This work is licensed under the Creative Commons
> Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
>
> To view a copy of this license, visit
> http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a
> letter to:
>
> Creative Commons
> 444 Castro Street
> Suite 900
> MOUNTAIN VIEW, CALIFORNIA 94041
> USA
>
>
> THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
> Use the information herein at your own risk.
>
> END of fetchmail-SA-2012-02

Please use CVE-2012-3482 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
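
The check that section 2 of the quoted advisory describes as missing, sketched as an added example; it is not fetchmail's code and not the 6.3.22 fix. It assumes the server's challenge arrives on a "+ " continuation line, and the function names and both sample replies are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Strict base64 decode into out[cap]: returns the decoded length, or -1 on
 * a non-base64 character, bad length or padding, or too small a buffer. */
static long b64_decode(const char *in, size_t len, unsigned char *out, size_t cap)
{
    static const char abc[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i += 4) {
        int v[4], j, pad = 0;
        for (j = 0; j < 4; j++) {
            const char *p = strchr(abc, in[i + j]);
            if (in[i + j] == '=' && i + 4 == len && j >= 2) { v[j] = 0; pad++; }
            else if (pad || !p || !*p) return -1;
            else v[j] = (int)(p - abc);
        }
        if (o + 3 - pad > cap) return -1;            /* never write past out[] */
        out[o++] = (unsigned char)(v[0] << 2 | v[1] >> 4);
        if (pad < 2) out[o++] = (unsigned char)((v[1] & 15) << 4 | v[2] >> 2);
        if (pad < 1) out[o++] = (unsigned char)((v[2] & 3) << 6 | v[3]);
    }
    return (long)o;
}

/* Hypothetical helper: accept a reply only if it is a "+ " continuation line
 * whose payload decodes to an NTLM type-2 (challenge) message. Returns the
 * decoded length, or -1 for anything else such as "-ERR ..." or "A1 NO ...". */
long ntlm_challenge_from_reply(const char *line, unsigned char *out, size_t cap)
{
    long n;
    if (strncmp(line, "+ ", 2) != 0) return -1;      /* error text, not data */
    n = b64_decode(line + 2, strcspn(line + 2, "\r\n"), out, cap);
    if (n < 32 || memcmp(out, "NTLMSSP", 8) != 0) return -1; /* size, signature */
    if (out[8] != 2 || out[9] || out[10] || out[11]) return -1; /* LE type == 2 */
    return n;
}

int main(void)
{
    /* Constructed inputs: a 32-byte type-2 message, then a server error line. */
    unsigned char buf[64];
    printf("%ld\n", ntlm_challenge_from_reply(
        "+ TlRMTVNTUAACAAAAAAAAAAAAAAAAAAAAAQIDBAUGBwg=\r\n", buf, sizeof buf));
    printf("%ld\n", ntlm_challenge_from_reply("-ERR Logon failure\r\n", buf, sizeof buf));
    return 0;
}
```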