[VulnWatch] fetchmail security announcement 2005-02 (CVE-2005-3088)

Date: 10/27/05

  • Next message: iDEFENSE Labs: "[VulnWatch] iDefense Security Advisory 10.28.05: Multiple Vendor chmlib CHM File Handling Buffer Overflow Vulnerability"
    To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
    Date: Thu, 27 Oct 2005 10:57:55 +0200 (CEST)

    fetchmail-SA-2005-02: security announcement

    Topic: password exposure in fetchmailconf

    Author: Matthias Andree
    Version: 1.02
    Announced: 2005-10-21
    Type: insecure creation of file
    Impact: passwords are written to a world-readable file
    Danger: medium
    Credits: Thomas Wolff, Miloslav Trmac for pointing out
                    that fetchmailconf 1.43.1 was also flawed
    CVE Name: CVE-2005-3088
    URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt

    Affects: fetchmail version
                    fetchmail version 6.2.5
                    fetchmail version 6.2.0
                    fetchmailconf 1.43 (shipped with 6.2.0, 6.2.5 and
                    fetchmailconf 1.43.1 (shipped separately, now withdrawn)
                    (other versions have not been checked but are presumed affected)

    Not affected: fetchmail 6.2.9-rc6
                    fetchmailconf 1.43.2 (use this for fetchmail-
                    fetchmailconf 1.49 (shipped with 6.2.9-rc6)
                    fetchmail 6.3.0 (not released yet)

    Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
                    2005-10-21 - released fetchmailconf-1.43.2
                    2005-10-21 - released fetchmail 6.2.9-rc6

    0. Release history

    2005-10-21 1.00 - initial version (shipped with -rc6)
    2005-10-21 1.01 - marked 1.43.1 vulnerable
                         - revised section 4
                         - added Credits
    2005-10-27 1.02 - reformatted section 0
                         - updated CVE Name to new naming scheme

    1. Background

    fetchmail is a software package to retrieve mail from remote POP2, POP3,
    IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
    message delivery agents.

    fetchmail ships with a graphical, Python/Tkinter based configuration
    utility named "fetchmailconf" to help the user create configuration (run
    control) files for fetchmail.

    2. Problem description and Impact

    The fetchmailconf program before and excluding version 1.49 opened the
    run control file, wrote the configuration to it, and only then changed
    the mode to 0600 (rw-------). Writing the file, which usually contains
    passwords, before making it unreadable to other users, can expose
    sensitive password information.

    3. Workaround

    Run "umask 077", then run "fetchmailconf" from the same shell. After
    fetchmailconf has finished, you can restore your old umask.

    4. Solution

    For users of fetchmail-
    Download fetchmailconf-1.43.2.gz from fetchmail's project site
    gunzip it, then replace your existing fetchmailconf with it.

    For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6:
    update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21.

    A. References

    fetchmail home page: <http://fetchmail.berlios.de/>

    B. Copyright, License and Warranty

    (C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
    Some rights reserved.

    This work is licensed under the Creative Commons
    Attribution-NonCommercial-NoDerivs German License. To view a copy of
    this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
    or send a letter to Creative Commons; 559 Nathan Abbott Way;
    Stanford, California 94305; USA.

    Use the information herein at your own risk.

    END OF fetchmail-SA-2005-02.txt

  • Next message: iDEFENSE Labs: "[VulnWatch] iDefense Security Advisory 10.28.05: Multiple Vendor chmlib CHM File Handling Buffer Overflow Vulnerability"