fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Bug #1036509 reported by Karma Dorje on 2012-08-14
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Gentoo Linux | Fix Released | Low | |
fetchmail (Fedora) | Confirmed | Low | |
fetchmail (Ubuntu) | | Low | Unassigned |

Bug Description

fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics: fetchmail denial of service in NTLM protocol phase

Author: Matthias Andree
Version: draft
Announced: 2012-08-13
Type: crash while reading from bad memory location
Impact: fetchmail segfaults and aborts, stalling inbound mail
Danger: low
Acknowledgment: J. Porter Clark

CVE Name: CVE-2012-3482
URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL: http://www.fetchmail.info/

Affects: - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected: - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in: 2012-08-13 Git, among others, see commit
                3fbc7cd331602c76f882d1b507cd05c1d824ba8b

                2012-08-xx fetchmail 6.3.22 release tarball

In , J-ago (j-ago) wrote :

From oss-security:

fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode

Topics: fetchmail denial of service in NTLM protocol phase

Author: Matthias Andree
Version: draft
Announced: 2012-08-13
Type: crash while reading from bad memory location
Impact: fetchmail segfaults and aborts, stalling inbound mail
Danger: low
Acknowledgment: J. Porter Clark

CVE Name: (TBD)
URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL: http://www.fetchmail.info/

Affects: - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected: - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in: 2012-08-13 Git, among others, see commit
                3fbc7cd331602c76f882d1b507cd05c1d824ba8b

                2012-08-xx fetchmail 6.3.22 release tarball

A denial of service flaw was found in the way Fetchmail, a remote mail retrieval and forwarding utility, performed base64 decoding of certain NTLM server responses. Upon sending the NTLM authentication request, Fetchmail did not check whether the received response was actually part of the NTLM protocol exchange or a server-side error message and session abort. A rogue NTLM server could use this flaw to cause the fetchmail executable to crash.

Upstream patches:
[1] http://gitorious.org/fetchmail/fetchmail/commit/3fbc7cd331602c76f882d1b507cd05c1d824ba8b
[1a] https://gitorious.org/fetchmail/fetchmail/commit/c189f6a54f36f5b6f7734303db3cfc52311aab5f
[1b] https://gitorious.org/fetchmail/fetchmail/commit/b3e0cd2d558b5ccf06c816eed38c883d7462d3d4

Upstream advisory (not available yet):
[2] http://www.fetchmail.info/fetchmail-SA-2012-02.txt

CVE request:
[3] http://www.openwall.com/lists/oss-security/2012/08/13/9

References:
[4] https://bugs.gentoo.org/show_bug.cgi?id=431284

This issue affects the versions of the fetchmail package as shipped with Fedora releases 16 and 17. Please schedule an update.

Created fetchmail tracking bugs for this issue

Affects: fedora-all [bug 847989]
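
The missing check described in the flaw summary above, as an added example (not fetchmail's code and not the upstream patch): a reply is base64-decoded only if it is a "+ " continuation line, the form POP3 and IMAP use for SASL challenges, and the decoded bytes are accepted only if they carry the NTLMSSP signature and message type 2. The function and enum names are hypothetical, and the sample reply is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ntlm_check { NTLM_OK, NTLM_NOT_CONTINUATION, NTLM_BAD_BASE64, NTLM_BAD_MESSAGE };

/* Strict base64 decoder: returns the decoded length, or -1 on any malformed input. */
static int b64_decode(const char *in, unsigned char *out, size_t cap)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strcspn(in, "\r\n"), n = 0;
    uint32_t acc = 0;
    int bits = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (int pad = 0; pad < 2 && in[len - 1] == '='; pad++) len--;
    for (size_t i = 0; i < len; i++) {
        const char *p = memchr(tbl, in[i], 64);
        if (p == NULL) return -1;              /* not a base64 character */
        acc = (acc << 6) | (uint32_t)(p - tbl);
        if ((bits += 6) >= 8) {
            if (n == cap) return -1;           /* never write past the caller's buffer */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return (int)n;
}

/* Hypothetical helper: is this server reply line a usable NTLM Type 2 challenge? */
enum ntlm_check check_ntlm_challenge(const char *line, unsigned char *msg, size_t cap, size_t *msglen)
{
    if (strncmp(line, "+ ", 2) != 0) return NTLM_NOT_CONTINUATION; /* error reply: abort, do not decode */
    int n = b64_decode(line + 2, msg, cap);
    if (n < 0) return NTLM_BAD_BASE64;
    /* Smallest Type 2 message is 32 bytes: signature, type, target buffer, flags, challenge. */
    if (n < 32 || memcmp(msg, "NTLMSSP", 8) != 0 || msg[8] != 2 || msg[9] || msg[10] || msg[11])
        return NTLM_BAD_MESSAGE;
    *msglen = (size_t)n;
    return NTLM_OK;
}

int main(void)
{
    unsigned char msg[64];
    size_t len = 0;
    /* Constructed sample: an error reply arriving where a challenge was expected. */
    printf("%d\n", check_ntlm_challenge("-ERR NTLM unavailable\r\n", msg, sizeof msg, &len));
    return 0;
}
```

Any result other than `NTLM_OK` should end the authentication attempt before the buffer reaches code that parses or dumps the challenge.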

Changed in gentoo:
importance: Unknown → Low
visibility: private → public
Changed in fetchmail (Ubuntu):
importance: Undecided → Low
status: New → Triaged

6.3.22 added to CVS.

In , Ackle (ackle) wrote :

(In reply to comment #1)
> 6.3.22 added to CVS.

Thanks, Tim. May we proceed with stabilization?

(In reply to comment #2)
> Thanks, Tim. May we proceed with stabilization?

Of course.

Thanks. Arches, please test and mark stable:
=net-mail/fetchmail-6.3.22
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Stable for HPPA.

x86: compile, test, run, repoman OK

In , J-ago (j-ago) wrote :

amd64 stable

x86 stable

arm stable

alpha/ia64/s390/sh/sparc stable

ppc64 stable

fetchmail-6.3.22-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

ppc done

Thanks, everyone.

GLSA vote: no.

Lawrence Troup (lawrencetroup) wrote :

Is there a plan to release the fix for this issue to Precise? After a recent LTS upgrade, we are hitting this issue on our servers, where we allow users to have personal fetchmail configuration - so any user without the workaround in place (i.e. adding 'auth password') can cause fetchmail to crash.

GLSA Vote: no. Closing noglsa.

Changed in gentoo:
status: Unknown → Fix Released
Changed in fetchmail (Fedora):
importance: Unknown → Low
status: Unknown → Confirmed