fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Bug #1036509 reported by Karma Dorje
This bug affects 2 people
Affects               Status         Importance   Assigned to   Milestone
Gentoo Linux          Fix Released   Low
fetchmail (Fedora)    Confirmed      Low
fetchmail (Ubuntu)    Fix Released   Low          Unassigned
Precise               Won't Fix      Low          Unassigned

Bug Description

fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics: fetchmail denial of service in NTLM protocol phase

Author: Matthias Andree
Version: draft
Announced: 2012-08-13
Type: crash while reading from bad memory location
Impact: fetchmail segfaults and aborts, stalling inbound mail
Danger: low
Acknowledgment: J. Porter Clark

CVE Name: CVE-2012-3482
URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL: http://www.fetchmail.info/

Affects:        - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected:   - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in:   2012-08-13 Git, among others, see commit
                3fbc7cd331602c76f882d1b507cd05c1d824ba8b

                2012-08-xx fetchmail 6.3.22 release tarball

In , J-ago (j-ago) wrote :

From oss-security:

fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics: fetchmail denial of service in NTLM protocol phase

Author: Matthias Andree
Version: draft
Announced: 2012-08-13
Type: crash while reading from bad memory location
Impact: fetchmail segfaults and aborts, stalling inbound mail
Danger: low
Acknowledgment: J. Porter Clark

CVE Name: (TBD)
URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL: http://www.fetchmail.info/

Affects:        - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected:   - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in:   2012-08-13 Git, among others, see commit
                3fbc7cd331602c76f882d1b507cd05c1d824ba8b

                2012-08-xx fetchmail 6.3.22 release tarball

In , Jan (jan-redhat-bugs) wrote :

A denial of service flaw was found in the way Fetchmail, a remote mail retrieval and forwarding utility, performed base64 decoding of certain NTLM server responses. Upon sending the NTLM authentication request, Fetchmail did not check whether the received response was actually part of the NTLM protocol exchange, or a server-side error message and session abort. A rogue NTLM server could use this flaw to cause the fetchmail executable to crash.

Upstream patches:
[1] http://gitorious.org/fetchmail/fetchmail/commit/3fbc7cd331602c76f882d1b507cd05c1d824ba8b
[1a] https://gitorious.org/fetchmail/fetchmail/commit/c189f6a54f36f5b6f7734303db3cfc52311aab5f
[1b] https://gitorious.org/fetchmail/fetchmail/commit/b3e0cd2d558b5ccf06c816eed38c883d7462d3d4

Upstream advisory (not available yet):
[2] http://www.fetchmail.info/fetchmail-SA-2012-02.txt

CVE request:
[3] http://www.openwall.com/lists/oss-security/2012/08/13/9

References:
[4] https://bugs.gentoo.org/show_bug.cgi?id=431284
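
The check described in the comment above, sketched as an added example (not part of the original thread, and not fetchmail's code or the upstream patch): before a server reply is treated as an NTLM challenge, confirm it is a continuation line, decode it with bounds checks, and verify the NTLMSSP signature and message type. Assumptions: replies use the IMAP/POP3 "+ " continuation prefix; the function names and the sample line are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

enum ntlm_check { NTLM_OK, NTLM_NOT_CONTINUATION, NTLM_BAD_BASE64,
                  NTLM_TOO_SHORT, NTLM_BAD_SIGNATURE, NTLM_WRONG_TYPE };

/* Constructed sample reply: "+ " plus a minimal 32-byte Type 2 message. */
static const char SAMPLE_OK[] = "+ TlRMTVNTUAAC" "AAAAAAAAAA" "AAAAAAAAAA"
                                "AAAAAAAAAA" "A=\r\n";

/* Map one base64 character to its 6-bit value, or -1 if it is not one. */
static int b64val(char c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Strict base64 decode of one line into out[cap]; byte count, or -1 on error. */
static long b64decode(const char *in, unsigned char *out, size_t cap)
{
    size_t len = strcspn(in, "\r\n"), n = 0, i;
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i += 4) {
        int v[4], k, pad = (in[i + 2] == '=') + (in[i + 3] == '=');
        if (pad && (i + 4 != len || in[i + 3] != '=')) return -1;
        for (k = 0; k < 4; k++)
            if ((v[k] = k >= 4 - pad ? 0 : b64val(in[i + k])) < 0) return -1;
        if (n + 3 - pad > cap) return -1;        /* never write past out[] */
        out[n++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (pad < 2) out[n++] = (unsigned char)(((v[1] & 15) << 4) | (v[2] >> 2));
        if (pad < 1) out[n++] = (unsigned char)(((v[2] & 3) << 6) | v[3]);
    }
    return (long)n;
}

/* Accept a reply only if it is a "+ " continuation holding an NTLM Type 2. */
enum ntlm_check check_ntlm_challenge(const char *line, unsigned char *msg,
                                     size_t cap, size_t *msglen)
{
    long n;
    if (strncmp(line, "+ ", 2) != 0) return NTLM_NOT_CONTINUATION;
    if ((n = b64decode(line + 2, msg, cap)) < 0) return NTLM_BAD_BASE64;
    if (n < 32) return NTLM_TOO_SHORT;       /* fixed Type 2 header size */
    if (memcmp(msg, "NTLMSSP\0", 8) != 0) return NTLM_BAD_SIGNATURE;
    if (msg[8] != 2 || msg[9] || msg[10] || msg[11]) return NTLM_WRONG_TYPE;
    *msglen = (size_t)n;
    return NTLM_OK;
}
```

A tagged error such as "A0001 NO AUTHENTICATE failed" or a POP3 "-ERR" line is rejected at the first test, so it never reaches the decoder or any code that reads Type 2 fields.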

In , Jan (jan-redhat-bugs) wrote :

This issue affects the versions of the fetchmail package as shipped with Fedora releases 16 and 17. Please schedule an update.

In , Jan (jan-redhat-bugs) wrote :

Created fetchmail tracking bugs for this issue

Affects: fedora-all [bug 847989]

Changed in gentoo:
importance: Unknown → Low
visibility: private → public
Changed in fetchmail (Ubuntu):
importance: Undecided → Low
status: New → Triaged
In , Radhermit-n (radhermit-n) wrote :

6.3.22 added to CVS.

In , Ackle (ackle) wrote :

(In reply to comment #1)
> 6.3.22 added to CVS.

Thanks, Tim. May we proceed with stabilization?

In , Radhermit-n (radhermit-n) wrote :

(In reply to comment #2)
> Thanks, Tim. May we proceed with stabilization?

Of course.

In , Underling (underling) wrote :

Thanks. Arches, please test and mark stable:
=net-mail/fetchmail-6.3.22
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

In , Jeroen Roovers (jer-gentoo) wrote :

Stable for HPPA.

In , Porphyr (porphyr) wrote :

x86: compile, test, run, repoman OK

In , J-ago (j-ago) wrote :

amd64 stable

In , Phajdan-jr (phajdan-jr) wrote :

x86 stable

In , Maekke-gentoo (maekke-gentoo) wrote :

arm stable

In , Raúl Porcel (armin76) wrote :

alpha/ia64/s390/sh/sparc stable

In , Xarthisius (xarthisius) wrote :

ppc64 stable

In , Fedora (fedora-redhat-bugs) wrote :

fetchmail-6.3.22-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

In , Stefan (stefan-redhat-bugs) wrote :

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

In , Ranger-z (ranger-z) wrote :

ppc done

In , Ackle (ackle) wrote :

Thanks, everyone.

GLSA vote: no.

Lawrence Troup (lawrencetroup) wrote :

Is there a plan to release the fix for this issue to Precise? After a recent LTS upgrade, we are hitting this issue on our servers, where we allow users to have personal fetchmail configuration - so any user without the workaround in place (i.e. adding 'auth password') can cause fetchmail to crash.

In , Underling (underling) wrote :

GLSA Vote: no. Closing noglsa.

Changed in gentoo:
status: Unknown → Fix Released
Changed in fetchmail (Fedora):
importance: Unknown → Low
status: Unknown → Confirmed
Bryce Harrington (bryce) wrote :

Trusty is shipping 6.3.26, so this affects only precise (which hit EOL in April).

Changed in fetchmail (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Low
Changed in fetchmail (Ubuntu):
status: Triaged → Fix Released
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in fetchmail (Ubuntu Precise):
status: Triaged → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.