
proposed old/stable update for fetchmail



Hi,
I'd like to upload an update for fetchmail for both
oldstable and stable. The oldstable update fixes two minor
security issues that are still unfixed in etch, and the stable
update fixes some annoyances with the init script (mostly
its complaining about a missing config file even when fetchmail
wasn't enabled via /etc/default/fetchmail).

debdiffs attached, please let me know if I can upload this.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u fetchmail-6.3.6/debian/changelog fetchmail-6.3.6/debian/changelog
--- fetchmail-6.3.6/debian/changelog
+++ fetchmail-6.3.6/debian/changelog
@@ -1,3 +1,15 @@
+fetchmail (6.3.6-1etch3) oldstable; urgency=low
+
+  * Fix CVE-2008-2711: possible denial of service vulnerability if used
+    with -vv when parsing large data blobs because of an uninitialized
+    argument pointer.
+  * Make the APOP challenge parser more distrustful and have it reject
+    challenges that do not conform to RFC-822 msg-id format, in the hope to
+    make mounting man-in-the-middle attacks (MITM) against APOP a bit more
+    difficult (CVE-2007-1558).
+
+ -- Nico Golde <nion@debian.org>  Mon, 31 Aug 2009 19:02:34 +0000
+
 fetchmail (6.3.6-1etch2) oldstable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
only in patch2:
unchanged:
--- fetchmail-6.3.6.orig/report.c
+++ fetchmail-6.3.6/report.c
@@ -238,12 +238,13 @@
     rep_ensuresize();
 
 #if defined(VA_START)
-    VA_START (args, message);
     for ( ; ; )
     {
+	VA_START (args, message);
 	n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
 		       message, args);
 
+        va_end (args);
 	if (n >= 0
 	    && (unsigned)n < partial_message_size - partial_message_size_used)
         {
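Review bot: The VA_START moved to the top of the loop body and the va_end placed right after vsnprintf are correct, but nothing in the hunk says why the pair must stay inside the loop, and to a reader it looks like a pessimisation that could be hoisted back out; a comment such as `/* re-arm args on every pass: vsnprintf leaves the va_list indeterminate, and the REALLOC retry below calls it again */` above the VA_START would protect the fix. The same applies to the second function's hunk at `@@ -304,13 +304,14 @@`, where the same pair is introduced. The added lines also mix a tab-indented VA_START with an eight-space-indented va_end in a file that otherwise indents with tabs; pick one. The enclosing function begins before this hunk and its loop ends in the next one.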
@@ -254,7 +255,6 @@
 	partial_message_size += 2048;
 	partial_message = REALLOC (partial_message, partial_message_size);
     }
-    va_end (args);
 #else
     for ( ; ; )
     {
@@ -304,13 +304,14 @@
     rep_ensuresize();
 
 #if defined(VA_START)
-    VA_START (args, message);
     for ( ; ; )
     {
+        VA_START (args, message);
 	n = vsnprintf (partial_message + partial_message_size_used,
 		       partial_message_size - partial_message_size_used,
 		       message, args);
 
+        va_end (args);
 	/* old glibc versions return -1 for truncation */
 	if (n >= 0
 	    && (unsigned)n < partial_message_size - partial_message_size_used)
@@ -322,7 +323,6 @@
 	partial_message_size += 2048;
 	partial_message = REALLOC (partial_message, partial_message_size);
     }
-    va_end (args);
 #else
     for ( ; ; )
     {
only in patch2:
unchanged:
--- fetchmail-6.3.6.orig/pop3.c
+++ fetchmail-6.3.6/pop3.c
@@ -297,6 +297,129 @@
     peek_capable = !ctl->fetchall && (!ctl->keep || ctl->server.uidl);
 }
 
+/* CHAR except specials, SPACE, CTLs */
+static const char *atomchar = "!#$%&'*+-/0123456789=?ABCDEFGHIJKLMNOPQRSTUVWXYZ^_`abcdefghijklmnopqrstuvwxyz{|}~";
+
+static int quotedpair(unsigned char const **x) {
+    if (**x != '\\') return 0;
+    ++ *x;
+    if ((int)* *x > 127 || * *x == '\0')
+       /* XXX FIXME: 0 is a legal CHAR, so the == '\0' is sort of bogus
+        * above, but fetchmail does not currently deal with NUL inputs
+        * so we don't need to make the distinction between
+        * end-of-string and quoted NUL. */
+       return 0;
+    ++ *x;
+    return 1;
+}
+
+
+static int quotedstring(unsigned char const **x) {
+    if (* *x != '"') return 0;
+    ++ *x;
+    for(;;) {
+       switch (* *x) {
+           case '"':
+               ++ *x;
+               return 1;
+           case '\\':
+               if (quotedpair(x) == 0) return 0;
+               continue;
+           case '\r':
+           case '\0':
+               return 0;
+       }
+       if ((int)* *x >= 128) {
+           return 0;
+       }
+       ++ *x;
+    }
+}
+
+static int atom(unsigned char const **x) {
+    /* atom */
+    if (strchr(atomchar, (const char)**x)) {
+       *x += strspn((const char *)*x, atomchar);
+       return 1;
+    }
+    /* invalid character */
+    return 0;
+}
+
+
+static int domain_literal(unsigned char const **x) {
+    if (**x != '[') return 0;
+    ++ *x;
+    for(;;) {
+       switch (* *x) {
+           case '\0':
+           case '\r':
+           case '[':
+               return 0;
+           case ']':
+               ++ *x;
+               return 1;
+           case '\\':
+               if (quotedpair(x) == 0) return 0;
+               continue;
+       }
+       if ((int)* *x > 127) return 0;
+       ++ *x;
+    }
+}
+    
+
+static int word(unsigned char const **x) {
+    if (**x == '"')
+       return quotedstring(x);
+    return atom(x);
+}
+
+static int subdomain(unsigned char const **x) {
+    if (* *x == '[') return domain_literal(x);
+    return atom(x);
+}
+
+static int rfc822_valid_msgid(const unsigned char *x) {
+    /* expect "<" */
+    if (*x != '<') return 0;
+    ++ x;
+
+    /* expect local-part = word *("." word)
+     * where
+     * word = atom/quoted-string
+     * atom = 1*ATOMCHAR
+     * quoted-string = <"> *(qtext/quoted-pair) <">
+     * qtext = CHAR except ", \, CR
+     * quoted-pair = "\" CHAR
+     */
+    for(;;) {
+	if (word(&x) == 0) return 0;
+	if (*x == '.') { ++x; continue; }
+	if (*x == '@') break;
+	return 0;
+    }
+
+    /* expect "@" */
+    if (*x != '@') return 0;
+    ++ x;
+
+    /* expect domain = sub-domain *("." sub-domain)
+     * sub-domain = domain-ref/domain-literal
+     * domain-ref = atom
+     * domain-literal = "[" *(dtext/quoted-pair) "]" */
+    for(;;) {
+	if (subdomain(&x) == 0) return 0;
+	if (*x == '.') { ++x; continue; }
+	if (*x == '>') break;
+	return 0;
+    }
+
+    if (*x != '>') return 0;
+    return 1;
+}
+
+
 static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 /* apply for connection authorization */
 {
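Review bot: `atom()` reports a match on a NUL byte, because `strchr(atomchar, '\0')` returns a pointer to the terminator, so at end of string it returns 1 without advancing `*x`; the two callers in rfc822_valid_msgid happen to reject the result on their next check, but the helper's implied contract (at least one atom char consumed) is broken and any future caller that loops on it would spin. Replacing the body with `size_t len = strspn((const char *)*x, atomchar);` / `if (len == 0) return 0;` / `*x += len; return 1;` fixes that and drops the odd `(const char)` cast. In rfc822_valid_msgid the `if (*x != '@')` after the first loop and the `if (*x != '>')` after the second are unreachable, since each loop only breaks on exactly that character; either remove them or mark them as defensive. The new helpers mix tabs and spaces at the same indent level and leave trailing whitespace on the blank line after domain_literal; the rest of pop3_getauth lies outside this hunk.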
@@ -656,6 +779,20 @@
 	else
 	    *++end = '\0';
 
+	/* SECURITY: 2007-03-17
+	 * Strictly validating the presented challenge for RFC-822
+	 * conformity (it must be a msg-id in terms of that standard) is
+	 * supposed to make attacks against the MD5 implementation
+	 * harder[1]
+	 *
+	 * [1] "Security vulnerability in APOP authentication",
+	 *     Gaëtan Leurent, fetchmail-devel, 2007-03-17 */
+	if (!rfc822_valid_msgid((unsigned char *)start)) {
+	    report(stderr,
+		    GT_("Invalid APOP timestamp.\n"));
+	    return PS_AUTHFAIL;
+	}
+
 	/* copy timestamp and password into digestion buffer */
 	msg = xmalloc((end-start+1) + strlen(ctl->password) + 1);
 	strcpy(msg,start);
only in patch2:
unchanged:
--- fetchmail-6.3.6.orig/fetchmail.man
+++ fetchmail-6.3.6/fetchmail.man
@@ -237,6 +237,7 @@
 Post Office Protocol 3
 .IP APOP
 Use POP3 with old-fashioned MD5-challenge authentication.
+Considered not resistant to man-in-the-middle attacks.
 .IP RPOP
 Use POP3 with RPOP authentication.
 .IP KPOP
@@ -952,15 +953,15 @@
 facility was vulnerable to spoofing and was withdrawn in RFC1460.
 .PP
 RFC1460 introduced APOP authentication.  In this variant of POP3,
-you register an APOP password on your server host (the program
-to do this with on the server is probably called \fIpopauth\fR(8)).  You
-put the same password in your
-.I ~/.fetchmailrc
-file.  Each time
-.I fetchmail
-logs in, it sends a cryptographically secure hash of your password and
-the server greeting time to the server, which can verify it by
-checking its authorization database.
+you register an APOP password on your server host (on some servers, the
+program to do this is called \fIpopauth\fR(8)).  You put the same
+password in your \fI~/.fetchmailrc\fP file.  Each time \fIfetchmail\fP
+logs in, it sends an MD5 hash of your password and the server greeting
+time to the server, which can verify it by checking its authorization
+database.
+
+\fBNote that APOP is no longer considered resistant against
+man-in-the-middle attacks.\fP
 .SS RETR or TOP
 .I fetchmail
 makes some efforts to make the server believe messages had not been
diff -u fetchmail-6.3.9~rc2/debian/init fetchmail-6.3.9~rc2/debian/init
--- fetchmail-6.3.9~rc2/debian/init
+++ fetchmail-6.3.9~rc2/debian/init
@@ -5,7 +5,7 @@
 #
 ### BEGIN INIT INFO
 # Provides:          fetchmail
-# Required-Start:    $network $local_fs $remote_fs
+# Required-Start:    $network $local_fs $remote_fs $syslog
 # Required-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
@@ -30,13 +30,13 @@
 CONFFILE="/etc/fetchmailrc"
 PIDFILE="/var/run/fetchmail/fetchmail.pid"
 UIDL="/var/lib/fetchmail/.fetchmail-UIDL-cache"
+START_DAEMON="no"
 
-if [ ! -e $CONFFILE ]; then
-    exit 0
-fi
+. /lib/lsb/init-functions
 
-test -f /etc/default/fetchmail || exit 0
-. /etc/default/fetchmail
+if [ -r /etc/default/fetchmail ]; then
+    . /etc/default/fetchmail
+fi
 
 OPTIONS="$OPTIONS -f $CONFFILE --pidfile $PIDFILE"
 
@@ -45,14 +45,18 @@
 	exit 0
 fi
 
-test -f $DAEMON || exit 0
+if [ ! -e $CONFFILE ]; then
+    log_failure_msg "$CONFFILE not found."
+    log_failure_msg "can not start fetchmail daemon... consider disabling the script"
+    exit 0
+fi
 
-. /lib/lsb/init-functions
+
+test -f $DAEMON || exit 0
 
 if [ "$1" = "start" ]; then
     if [ ! -r $CONFFILE ] ; then
-        log_failure_msg "$CONFFILE not found."
-        log_failure_msg "can not start fetchmail daemon... consider disabling the script"
+        log_failure_msg "$CONFFILE found but not readable."
         exit 0
     fi
 fi
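Review bot: The `[ ! -e $CONFFILE ]` block runs before the `"$1" = "start"` test, so once the config file has been removed every other action (stop, restart, and whatever else the script supports) also logs a failure and exits 0 without touching a running daemon; this mirrors the old top-of-script check, so it is not a regression, but moving it inside the start branch next to the `-r` check would make the other actions behave. Both configuration checks exit 0, whereas LSB reserves `6` for "program is not configured"; if exiting 0 is deliberate so that package upgrades do not fail, a one-line comment saying so, e.g. `# exit 0 rather than 6 so a missing config does not fail package installs`, would stop the next maintainer from changing it. The blank line added above `test -f $DAEMON` leaves two consecutive blank lines.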
diff -u fetchmail-6.3.9~rc2/debian/changelog fetchmail-6.3.9~rc2/debian/changelog
--- fetchmail-6.3.9~rc2/debian/changelog
+++ fetchmail-6.3.9~rc2/debian/changelog
@@ -1,3 +1,12 @@
+fetchmail (6.3.9~rc2-4+lenny2) stable; urgency=low
+
+  * Do not complain about missing config file when daemon shouldn't
+    start at all (Closes: #540533).
+  * Depend on $syslog in init script (Closes: #541394).
+  * Fix some inconsistencies in init script.
+
+ -- Nico Golde <nion@debian.org>  Mon, 31 Aug 2009 18:53:14 +0000
+
 fetchmail (6.3.9~rc2-4+lenny1) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
