-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2010.0119.2
              Heap overrun in verbose SSL cert' info display
                              9 February 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           fetchmail
Publisher:         fetchmail
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-0562  

Original Bulletin: 
   http://www.fetchmail.info/fetchmail-SA-2010-01.txt

Revision History:  February 9 2010: Added CVE reference
                   February 8 2010: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2010-01: Heap overrun in verbose SSL cert' info display.

Topics:		Heap overrun in verbose SSL certificate information display.

Author:		Matthias Andree
Version:	1.0
Announced:
Type:		malloc() Buffer overrun with printable characters
Impact:		Code injection (difficult).
Danger:		low

CVE Name:	to be assigned via oss-security@ list
URL:		http://www.fetchmail.info/fetchmail-SA-2010-01.txt
Project URL:	http://www.fetchmail.info/

Affects:	fetchmail releases 6.3.11, 6.3.12, and 6.3.13

Not affected:	fetchmail release 6.3.14 and newer

Corrected:	2010-02-04 fetchmail SVN (r5467)
		2010-02-05 fetchmail release 6.3.14


0. Release history
==================

2010-02-04 0.1	first draft (visible in SVN and through oss-security)
2010-02-05 1.0	fixed signed/unsigned typo (found by Nico Golde)


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. It supports SSL and TLS security layers through
the OpenSSL library, if enabled at compile time and if also enabled at
run time.


2. Problem description and Impact
=================================

In verbose mode, fetchmail prints X.509 certificate subject and issuer
information to the user, and counts and allocates a malloc() buffer for
that purpose.

If the material to be displayed contains characters with high bit set
and the platform treats the "char" type as signed, this can cause a heap
buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.

This might be exploitable to inject code if
- - - fetchmail is run in verbose mode
AND
- - - the host running fetchmail considers char signed
AND
- - - the server uses malicious certificates with non-printing characters
  that have the high bit set
AND
- - - these certificates manage to inject shell-code that consists purely of
  printable characters.

It is believed to be difficult to achieve all this.


3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
   fetchmail 6.3.13, recompile and reinstall it.

b. Install fetchmail 6.3.14 or newer after it will have become available.
   The fetchmail source code is always available from
   <http://developer.berlios.de/project/showfiles.php?group_id=1824>.


4. Workaround
=============

Run fetchmail without and verbose options.


A. Copyright, License and Warranty
==================================

(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to

Creative Commons
171 Second Street
Suite 300
SAN FRANCISCO, CALIFORNIA 94105
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.


B. Patch to remedy the problem
==============================

Note that when taking this from a GnuPG clearsigned file, the lines
starting with a "-" character are prefixed by another "- " (dash +
blank) combination. Either feed this file through GnuPG to strip them,
or strip them manually. You may want to use the "-p1" flag to patch.

Whitespace differences can usually be ignored by invoking "patch -l",
so try this if the patch does not apply.

- - --- a/sdump.c
+++ b/sdump.c
@@ -36,7 +36,7 @@ char *sdump(const char *in, size_t len)
 	if (isprint((unsigned char)in[i])) {
 	    *(oi++) = in[i];
 	} else {
- - -	    oi += sprintf(oi, "\\x%02X", in[i]);
+	    oi += sprintf(oi, "\\x%02X", (unsigned char)in[i]);
 	}
     }
     *oi = '\0';

END OF fetchmail-SA-2010-01.txt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)

iEYEARECAAYFAktrbs0ACgkQvmGDOQUufZWzMQCg49F/WJiOjGwWZKHHzBcfTgx/
sLIAmQHPO3mezy3Ku0O29b4AXHL2ZQNb
=kF7s
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLcOJL/iFOrG6YcBERAs68AKCTfr+W6VbnuEHx2N1huP7V/ikoLQCgzXe2
tb4b0R18XwK40TuaPARN9nc=
=y80r
-----END PGP SIGNATURE-----