Merge lp:~ari-tczew/ubuntu/hardy/fetchmail/fix-CVE-2008-2711 into lp:ubuntu/hardy-security/fetchmail

Proposed by Artur Rona
Status: Work in progress
Proposed branch: lp:~ari-tczew/ubuntu/hardy/fetchmail/fix-CVE-2008-2711
Merge into: lp:ubuntu/hardy-security/fetchmail
Diff against target: 91 lines (+71/-0)
3 files modified
debian/changelog (+10/-0)
debian/patches/07_fix_CVE-2008-2711_DoS.patch (+60/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~ari-tczew/ubuntu/hardy/fetchmail/fix-CVE-2008-2711
Reviewer         Review Type    Date Requested    Status
Artur Rona                                        Pending
Ubuntu branches                                   Pending
Review via email: mp+22671@code.launchpad.net
Sebastien Bacher (seb128) wrote :

Changing to "work in progress" so it stops being on the sponsoring list, since the bug states that the issue is not worth a security upload to hardy.

Unmerged revisions

24. By Artur Rona

* SECURITY UPDATE: Corrects a denial of service attack that can crash
  fetchmail when running in -v -v mode via malformed mail messages
  with long headers (LP: #240549)
  - debian/patches/07_fix_CVE-2008-2711_DoS.patch: Taken from intrepid
  - CVE-2008-2711
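The crash behind this CVE is a general C hazard rather than anything fetchmail-specific: a va_list that vsnprintf has already walked is indeterminate, so a grow-and-retry formatting loop must hand vsnprintf a freshly initialised list on every attempt. The block below is an added example, not fetchmail code and not part of this proposal. It generalises the fix slightly: where report.c can simply re-run VA_START because it owns the `...` parameters, a helper that receives a va_list cannot, so it uses va_copy before each attempt, and it sizes the buffer from vsnprintf's return value so the retry path runs at most once more. All names (vformat_growing, format_growing, format_long_header, long_header_length, long_header_retries, INITIAL_SIZE) are hypothetical, and the long header it formats is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable formatter (added example, not fetchmail's report.c).
 * Deliberately tiny initial size so any realistic message takes the
 * grow-and-retry path that the CVE-2008-2711 fix repairs. */
#define INITIAL_SIZE 16

/* Receives a va_list, so it cannot call va_start again; instead every
 * vsnprintf attempt gets its own va_copy, ended immediately afterwards.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure;
 * *retries counts how many times the buffer had to grow. */
static char *vformat_growing(const char *fmt, va_list args, int *retries)
{
    size_t size = INITIAL_SIZE;
    char *buf = malloc(size);
    if (!buf)
        return NULL;
    if (retries)
        *retries = 0;

    for (;;) {
        va_list copy;
        int n;

        va_copy(copy, args);           /* fresh, valid list for this attempt */
        n = vsnprintf(buf, size, fmt, copy);
        va_end(copy);                  /* paired with va_copy, every iteration */

        if (n >= 0 && (size_t)n < size)
            return buf;                /* fits, including the terminating NUL */

        /* Truncated. C99 vsnprintf reports the full length needed, so grow to
         * exactly that and finish next round; old glibc returned -1, in which
         * case the length is unknown and we grow geometrically. */
        if (n >= 0)
            size = (size_t)n + 1;
        else
            size *= 2;

        char *tmp = realloc(buf, size);
        if (!tmp) {                    /* do not write through a failed realloc */
            free(buf);
            return NULL;
        }
        buf = tmp;
        if (retries)
            (*retries)++;
    }
}

/* Variadic front end: owns the argument list, so va_start/va_end once. */
char *format_growing(int *retries, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    char *s = vformat_growing(fmt, args, retries);
    va_end(args);
    return s;
}

/* Constructed sample input: a Subject header of `len` bytes, standing in for
 * the long headers the advisory describes. */
char *format_long_header(size_t len, int *retries)
{
    char *hdr = malloc(len + 1);
    if (!hdr)
        return NULL;
    memset(hdr, 'A', len);
    hdr[len] = '\0';
    char *s = format_growing(retries, "Subject: %s (%zu bytes)", hdr, len);
    free(hdr);
    return s;
}

/* Check helpers: length of the formatted header (-1 on failure) and the
 * number of buffer grows it needed. */
long long_header_length(size_t len)
{
    char *s = format_long_header(len, NULL);
    if (!s)
        return -1;
    long n = (long)strlen(s);
    free(s);
    return n;
}

int long_header_retries(size_t len)
{
    int retries = -1;
    char *s = format_long_header(len, &retries);
    free(s);
    return retries;
}

int main(void)
{
    printf("4000-byte header formatted to %ld bytes after %d retries\n",
           long_header_length(4000), long_header_retries(4000));
    return 0;
}
```

Compile with `cc -std=c99 -Wall`. Because INITIAL_SIZE is 16, anything longer than 15 bytes exercises the retry branch, the same branch fetchmail's verbose logging takes on a long header; with a C99 libc the exact-size resize means a single retry regardless of header length.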

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2009-08-11 12:03:52 +0000
3+++ debian/changelog 2010-04-01 23:32:23 +0000
4@@ -1,3 +1,13 @@
5+fetchmail (6.3.8-10ubuntu1.2) hardy-security; urgency=low
6+
7+ * SECURITY UPDATE: Corrects a denial of service attack that can crash
8+ fetchmail when running in -v -v mode via malformed mail messages
9+ with long headers (LP: #240549)
10+ - debian/patches/07_fix_CVE-2008-2711_DoS.patch: Taken from intrepid
11+ - CVE-2008-2711
12+
13+ -- Artur Rona <ari-tczew@tlen.pl> Fri, 02 Apr 2010 00:41:08 +0200
14+
15 fetchmail (6.3.8-10ubuntu1.1) hardy-security; urgency=low
16
17 * SECURITY UPDATE: SSL cert validation bypass via NULL bytes.
18
19=== added file 'debian/patches/07_fix_CVE-2008-2711_DoS.patch'
20--- debian/patches/07_fix_CVE-2008-2711_DoS.patch 1970-01-01 00:00:00 +0000
21+++ debian/patches/07_fix_CVE-2008-2711_DoS.patch 2010-04-01 23:32:23 +0000
22@@ -0,0 +1,60 @@
23+From: Michael Casadevall <sonicmctails@gmail.com>
24+Description: CVE-2008-2711 - fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages.
25+Origin: http://fetchmail.berlios.de/fetchmail-SA-2008-01.txt
26+Bug: https://launchpad.net/bugs/240549
27+Author: Matthias Andree
28+
29+Index: fetchmail-6.3.8/report.c
30+===================================================================
31+--- fetchmail-6.3.8.orig/report.c 2008-10-21 08:22:29.000000000 -0400
32++++ fetchmail-6.3.8/report.c 2008-10-21 08:24:50.000000000 -0400
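Review bot: the DEP-3 header carries both `From: Michael Casadevall` and `Author: Matthias Andree`, which leaves it ambiguous who wrote the fix; keep a single `Author:` for the upstream author (the `Origin:` URL already points at the fetchmail advisory) and credit the backporter in the changelog instead. The `Index:`/`---`/`+++` paths all carry a `fetchmail-6.3.8/` prefix, so the patch relies on quilt's default -p1 strip level; fine for debian/patches/series, but worth confirming since the other patches in the series are not shown.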
33+@@ -238,11 +238,17 @@
34+ rep_ensuresize();
35+
36+ #if defined(VA_START)
37+- VA_START (args, message);
38+ for ( ; ; )
39+ {
40++ /*
41++ * args has to be initialized before every call of vsnprintf(),
42++ * because vsnprintf() invokes va_arg macro and thus args is
43++ * undefined after the call
44++ */
45++ VA_START (args, message);
46+ n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
47+ message, args);
48++ va_end (args);
49+
50+ if (n >= 0
51+ && (unsigned)n < partial_message_size - partial_message_size_used)
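Review bot: moving `VA_START (args, message)` inside the loop and ending the list with `va_end (args)` right after `vsnprintf` is the correct fix: once vsnprintf has walked `args` the list is indeterminate, so the pre-patch retry (grow the buffer, loop, call vsnprintf again with the same `args`) was undefined behaviour, which is exactly what a header longer than the initial buffer triggers. Two things to confirm: the hunk ends inside the `#else` branch, whose `for ( ; ; )` body is not in the diff, so check that the non-VA_START path either re-initialises its list per iteration as well or is dead on the toolchains hardy builds with; and because `va_end` now sits before the `if`, every exit from the loop passes through it, so no path leaks a started list.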
52+@@ -254,7 +260,6 @@
53+ partial_message_size += 2048;
54+ partial_message = REALLOC (partial_message, partial_message_size);
55+ }
56+- va_end (args);
57+ #else
58+ for ( ; ; )
59+ {
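Review bot: dropping the trailing `va_end (args)` is required now that each iteration ends its own list (a second va_end on an already-ended list is itself undefined), but the growth step `partial_message_size += 2048` discards information vsnprintf already returned: when `n >= 0`, C99 vsnprintf reports the full length needed, so growing to `partial_message_size_used + n + 1` would finish in one more pass instead of looping once per 2 KiB of header. Keep the fixed increment only for the old-glibc `-1` case. REALLOC's behaviour on failure is not visible here; if it can return NULL the loop must bail out rather than keep writing into `partial_message`.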
60+@@ -304,12 +309,13 @@
61+ rep_ensuresize();
62+
63+ #if defined(VA_START)
64+- VA_START (args, message);
65+ for ( ; ; )
66+ {
67++ VA_START (args, message);
68+ n = vsnprintf (partial_message + partial_message_size_used,
69+ partial_message_size - partial_message_size_used,
70+ message, args);
71++ va_end (args);
72+
73+ /* old glibc versions return -1 for truncation */
74+ if (n >= 0
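Review bot: this is the same fix applied to the second report function, but the explanatory comment added in the first hunk (args must be re-initialised before every vsnprintf because the call consumes it) is not repeated here, so a future reader of this loop has no hint why `VA_START` lives inside `for ( ; ; )`. Either copy the comment or, better, pull the start/vsnprintf/end retry into one shared helper so the two loops cannot drift apart again.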
75+@@ -322,7 +328,6 @@
76+ partial_message_size += 2048;
77+ partial_message = REALLOC (partial_message, partial_message_size);
78+ }
79+- va_end (args);
80+ #else
81+ for ( ; ; )
82+ {
83
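Review bot: the `/* old glibc versions return -1 for truncation */` branch in this loop falls through to the fixed 2048-byte grow and retry; with `VA_START` now re-run each iteration that retry is safe, whereas before the patch it was the path that handed a consumed `args` back to vsnprintf. Removing the trailing `va_end (args)` here is consistent with the first function, since the per-iteration `va_end` placed before the `if` already closes the list on every exit from the loop.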
84=== modified file 'debian/patches/series'
85--- debian/patches/series 2009-08-11 12:03:52 +0000
86+++ debian/patches/series 2010-04-01 23:32:23 +0000
87@@ -3,3 +3,4 @@
88 03_capa_probe.patch
89 04_fix_CVE-2007-4565_DoS.patch
90 06_cert_0_byte.patch
91+07_fix_CVE-2008-2711_DoS.patch
