Gentoo Archives: gentoo-announce

From: Stefan Behte <craig@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-12 ] Fetchmail: Multiple vulnerabilities
Date: Wed, 02 Jun 2010 18:46:37
Message-Id: 4C068B68.5060302@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201006-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Fetchmail: Multiple vulnerabilities
Date: June 01, 2010
Bugs: #280537, #307761
ID: 201006-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Fetchmail, allowing
remote attackers to execute arbitrary code or to conduct
man-in-the-middle attacks.

Background
==========

Fetchmail is a remote mail retrieval and forwarding utility.

Affected packages
=================

-------------------------------------------------------------------
 Package              /  Vulnerable  /                  Unaffected
-------------------------------------------------------------------
 1  net-mail/fetchmail     < 6.3.14                     >= 6.3.14

Description
===========

Multiple vulnerabilities have been reported in Fetchmail:

* The sdump() function might trigger a heap-based buffer overflow
  during the escaping of non-printable characters with the high bit set
  from an X.509 certificate (CVE-2010-0562).

* The vendor reported that Fetchmail does not properly handle Common
  Name (CN) fields in X.509 certificates that contain an ASCII NUL
  character. Specifically, the processing of such fields is stopped at
  the first occurrence of a NUL character. This type of vulnerability
  was recently discovered by Dan Kaminsky and Moxie Marlinspike
  (CVE-2009-2666).
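
As an added illustration of the bug class behind CVE-2010-0562 (this is hypothetical example code, not fetchmail's own sdump()): an escaping routine overflows its heap buffer when the pass that sizes the output and the pass that writes it disagree about which bytes need escaping. Passing a high-bit byte through a signed char makes it negative, so a classification done on the raw char in one pass and on an unsigned value in the other budgets one byte but writes four. The hardened version below does both passes on unsigned char, which also keeps the isprint() argument within the range the C standard defines; the names safe_dump and escaped_length are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of bytes safe_dump() will emit for len input bytes, plus the NUL.
 * Every byte is classified as an unsigned char, so values 0x80..0xFF are
 * consistently treated as non-printable (isprint() is only defined for
 * EOF and 0..UCHAR_MAX; a negative char would be undefined behaviour). */
size_t escaped_length(const unsigned char *in, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += isprint(in[i]) ? 1 : 4;        /* printable: 1 byte, else "\xHH" */
    return n + 1;
}

/* Returns a malloc()ed, NUL-terminated rendering of src with printable
 * bytes copied through and everything else (NUL, control bytes, bytes
 * with the high bit set) written as \xHH.  The write loop uses the same
 * unsigned-char classification as escaped_length(), so the budget and
 * the bytes actually written can never diverge. Caller frees the result. */
char *safe_dump(const char *src, size_t len) {
    const unsigned char *in = (const unsigned char *)src;
    size_t need = escaped_length(in, len);
    char *out = malloc(need);
    if (out == NULL)
        return NULL;

    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (isprint(in[i])) {
            out[o++] = (char)in[i];
        } else {
            /* exactly 4 characters, matching the 4 counted above */
            snprintf(out + o, need - o, "\\x%02X", in[i]);
            o += 4;
        }
    }
    out[o] = '\0';
    return out;
}

int main(void) {
    /* constructed sample: two ASCII letters followed by UTF-8 bytes for "é" */
    const char sample[] = "ab\xC3\xA9";
    char *dumped = safe_dump(sample, sizeof(sample) - 1);
    if (dumped != NULL) {
        printf("%s\n", dumped);           /* prints ab\xC3\xA9 */
        free(dumped);
    }
    return 0;
}
```

The check worth carrying into a code review of any similar routine is simply whether the sizing and writing loops share one classification function on one integer type; once they do, the platform's char signedness stops mattering.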

Impact
======

A remote attacker could entice a user to connect with Fetchmail to a
specially crafted SSL-enabled server in verbose mode, possibly
resulting in the execution of arbitrary code with the privileges of the
user running the application. NOTE: This issue only exists on
platforms on which char is signed.

Furthermore, a remote attacker might employ a specially crafted X.509
certificate, containing a NUL character in the Common Name field, to
conduct man-in-the-middle attacks on SSL connections made using
Fetchmail.
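
An added example of the defensive check that closes the CVE-2009-2666 class (example code, not fetchmail's): the Common Name is compared against the expected hostname using the length the certificate's ASN.1 encoding declares for the field, and any NUL inside that span is treated as a verification failure rather than as the end of the string. The C-string style comparison is shown alongside so the difference is visible. The function names and the sample CN byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample values, not taken from any real certificate.
 * The second one carries a NUL in the middle of the declared CN bytes. */
static const unsigned char SAMPLE_CN[] = "mail.example.com";
static const unsigned char SAMPLE_CN_WITH_NUL[] = "mail.example.com\0mail.example.net";
#define SAMPLE_CN_LEN          (sizeof(SAMPLE_CN) - 1)            /* 16 */
#define SAMPLE_CN_WITH_NUL_LEN (sizeof(SAMPLE_CN_WITH_NUL) - 1)   /* 33 */

/* The weak pattern: the CN is handed to a string function, which stops
 * at the first NUL.  Everything the certificate says after that byte is
 * silently ignored, so the 33-byte CN above compares equal to the
 * 16-byte hostname. */
int naive_cn_matches(const unsigned char *cn, const char *host) {
    return strcasecmp((const char *)cn, host) == 0;
}

/* The hardened check: cn_len is the length the ASN.1 encoding declared.
 * 1. A NUL anywhere inside that span means the C-string view and the
 *    certificate's own view of the name disagree: reject.
 * 2. The hostname must match the whole declared length, not a prefix.
 * 3. Only then is a case-insensitive byte comparison performed.
 * Returns 1 on a match, 0 otherwise. */
int cn_matches_host(const unsigned char *cn, size_t cn_len, const char *host) {
    if (cn == NULL || host == NULL)
        return 0;
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                          /* embedded NUL: never a valid name */
    if (strlen(host) != cn_len)
        return 0;                          /* length mismatch over the full field */
    return strncasecmp((const char *)cn, host, cn_len) == 0;
}

int main(void) {
    const char *host = "mail.example.com";
    printf("naive, CN with NUL : %d\n",
           naive_cn_matches(SAMPLE_CN_WITH_NUL, host));            /* 1 (wrongly accepted) */
    printf("strict, CN with NUL: %d\n",
           cn_matches_host(SAMPLE_CN_WITH_NUL, SAMPLE_CN_WITH_NUL_LEN, host)); /* 0 */
    printf("strict, clean CN   : %d\n",
           cn_matches_host(SAMPLE_CN, SAMPLE_CN_LEN, host));         /* 1 */
    return 0;
}
```

The same length-versus-strlen comparison is the cheapest audit a reviewer can apply to any certificate-name handling code: wherever a name is pulled out of an X.509 structure and then passed to a function that expects a NUL-terminated string, the declared length must be checked against the string length first.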

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Fetchmail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.3.14"

References
==========

[ 1 ] CVE-2010-0562
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0562
[ 2 ] CVE-2009-2666
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201006-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
