what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jun 17, 2008
Authored by Petr Uzel, Petr Cerny, Gunter Nau | Site fetchmail.berlios.de

Fetchmail versions 6.3.9 and below suffer from a dereferencing garbage pointer vulnerability that can lead to a denial of service condition.

tags | advisory, denial of service
advisories | CVE-2008-2711
SHA-256 | c4f85bb709d0d49dbc6b20758674aeb3214e5365898284a1724815e3b7fcfc63


Change Mirror Download
fetchmail-SA-2008-01: Crash on large log messages in verbose mode

Topics: Crash in large log messages in verbose mode.

Author: Matthias Andree
Version: 1.0
Announced: 2008-06-17
Type: Dereferencing garbage pointer trigged by outside circumstances
Impact: denial of service possible
Danger: low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)

Credits: Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report)
CVE Name: CVE-2008-2711
URL: http://www.fetchmail.info/fetchmail-SA-2008-01.txt
Project URL: http://www.fetchmail.info/

Affects: fetchmail release < 6.3.9 exclusively

Not affected: fetchmail release 6.3.9 and newer
systems without varargs (stdargs.h) support.

Corrected: 2008-06-13 fetchmail SVN (rev 5193)

References: <https://bugzilla.novell.com/show_bug.cgi?id=354291>

0. Release history

2008-06-13 1.0 first draft for MITRE/CVE (visible in SVN,
posted to oss-security)
2008-06-17 1.0 published on http://www.fetchmail.info/

1. Background

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.

2. Problem description and Impact

Gunter Nau reported fetchmail crashing on some messages; further
debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
dug up that this happened when fetchmail was trying to print, in -v -v
verbose level, headers exceeding 2048 bytes. In this situation,
fetchmail would resize the buffer and fill in further parts of the
message, but forget to reinitialize its va_list typed source pointer,
thus reading data from a garbage address found on the stack at
addresses above the function arguments the caller passed in; usually
that would be the caller's stack frame.

It is unknown whether code can be injected remotely, but given that
the segmentation fault is caused by read accesses, the relevant data
is not under the remote attacker's control and no buffer overrun
situation is present that would allow altering program /flow/, it is
deemed rather unlikely that code can be injected.

Note that the required -vv configuration at hand is both non-default
and also not common in automated (cron job) setups, but usually used
in manual debugging, so not many systems would be affected by the
problem. Nonetheless, in vulnerable configurations, it is remotely
exploitable to effect a denial of service attack.

3. Solution

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
fetchmail 6.3.8, recompile and reinstall it.

b. Install fetchmail 6.3.9 or newer after it will have become available.
The fetchmail source code is always available from

4. Workaround

Run fetchmail at low verbosity, avoid using two or three -v arguments;
internal messages are short and do not contain external message
sources so they do not cause buffer resizing. It is recommended to
replace the vulnerable code by a fixed version (see previous
section 3. Solution) as soon as reasonably possible.

A. Copyright, License and Warranty

(C) Copyright 2008 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

Use the information herein at your own risk.

B. Patch to remedy the problem

diff --git a/report.c b/report.c
index 31d4e48..2a731ac 100644
--- a/report.c
+++ b/report.c
@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)

#if defined(VA_START)
- VA_START (args, message);
for ( ; ; )
+ /*
+ * args has to be initialized before every call of vsnprintf(),
+ * because vsnprintf() invokes va_arg macro and thus args is
+ * undefined after the call.
+ */
+ VA_START(args, message);
n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used,
message, args);
+ va_end (args);

if (n >= 0
&& (unsigned)n < partial_message_size - partial_message_size_used)
@@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
partial_message_size += 2048;
partial_message = REALLOC (partial_message, partial_message_size);
- va_end (args);
for ( ; ; )

END OF fetchmail-SA-2008-01.txt
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By