fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

From oss-security:

etchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics: fetchmail denial of service in NTLM protocol phase

Author: Matthias Andree
Version: draft
Announced: 2012-08-13
Type: crash while reading from bad memory location
Impact: fetchmail segfaults and aborts, stalling inbound mail
Danger: low
Acknowledgment: J. Porter Clark

CVE Name: (TBD)
URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL: http://www.fetchmail.info/

Affects: - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected: - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in: 2012-08-13 Git, among others, see commit
                3fbc7cd331602c76f882d1b507cd05c1d824ba8b

                2012-08-xx fetchmail 6.3.22 release tarball

A denial of service flaw was found in the way Fetchmail, a remote mail retrieval and forwarding utility, performed base64 decoding of certain NTLM server responses. Upon sending the NTLM authentication request, Fetchmail did not check if the received response was actually part of NTLM protocol exchange, or server-side error message and session abort. A rogue NTML server could use this flaw to cause fetchmail executable crash.

Upstream patches:
[1] http://gitorious.org/fetchmail/fetchmail/commit/3fbc7cd331602c76f882d1b507cd05c1d824ba8b
[1a] https://gitorious.org/fetchmail/fetchmail/commit/c189f6a54f36f5b6f7734303db3cfc52311aab5f
[1b] https://gitorious.org/fetchmail/fetchmail/commit/b3e0cd2d558b5ccf06c816eed38c883d7462d3d4

Upstream advisory (not available yet):
[2] http://www.fetchmail.info/fetchmail-SA-2012-02.txt

CVE request:
[3] http://www.openwall.com/lists/oss-security/2012/08/13/9

References:
[4] https://bugs.gentoo.org/show_bug.cgi?id=431284

This issue affects the versions of the fetchmail package, as shipped with Fedora release of 16 and 17. Please schedule an update.

Created fetchmail tracking bugs for this issue

Affects: fedora-all [bug 847989]

6.3.22 added to CVS.

(In reply to comment #1)
> 6.3.22 added to CVS.

Thanks, Tim. May we proceed with stabilization?

(In reply to comment #2)
> Thanks, Tim. May we proceed with stabilization?

Of course.

Thanks. Arches, please test and mark stable:
=net-mail/fetchmail-6.3.22
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Stable for HPPA.

x86: compile,test, run, repoman OK

amd64 stable

x86 stable

arm stable

alpha/ia64/s390/sh/sparc stable

ppc64 stable

fetchmail-6.3.22-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

ppc done

Thanks, everyone.

GLSA vote: no.

GLSA Vote: no. Closing noglsa.