Bug 1912

Summary: DoS issue with fetchmail
Product: Mageia Reporter: Stew Benedict <stewbintn>
Component: SecurityAssignee: Security team <security_officers>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, derekjenn, dmorganec, qa-bugs
Version: CauldronKeywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Whiteboard:
Source RPM: fetchmail-6.3.19-3.mga1.src.rpm CVE:
Status comment:

Description Stew Benedict 2011-06-24 13:56:42 CEST 
Description of problem:

fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.

Version-Release number of selected component (if applicable):

6.3.19-3mga1

How reproducible:

N/A

Also see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947

Text at the fetchmail sight references the git commit with the fix, although they recommend upgrading to 6.3.20. I'll defer from opinion on which path to take.

I am not finding a PoC to test the fix.

Possible Advisory text:

Certain versions of fetchmail do not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets. Updated packages correct this issue.
This issue has been reserved the CVE identifier of CVE-2011-1947 at
http://cve.mitre.org.
Comment 1 Stew Benedict 2011-08-28 21:45:34 CEST 
no interest in this, closing

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 2 D Morgan 2011-08-28 23:41:04 CEST 
reopening

Status: RESOLVED => REOPENED
CC: (none) => dmorganec
Resolution: OLD => (none)

Comment 3 D Morgan 2011-08-28 23:58:19 CEST 
update pushed in update_testing
Comment 4 Manuel Hiebel 2011-08-29 00:08:12 CEST 
ok for qa-team ?
Remco Rijnders 2011-08-29 07:41:03 CEST

Assignee: bugsquad => qa-bugs

Comment 5 Dave Hodgins 2011-08-29 09:05:32 CEST 
I'd expect it to be available at
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/1/i586/media/core/updates_testing
by now, but it isn't.  Can you check the submit?

CC: (none) => davidwhodgins

Comment 6 D Morgan 2011-08-29 10:50:13 CEST 
rejected by the BS. I will fix the package today.
Comment 7 Dave Hodgins 2011-08-31 09:22:29 CEST 
I can confirm that fetchmail works.  I don't like the user interface, of
fetchmailconf, but it seems to work, once you get used to pressing enter,
instead of clicking on a button for each entry.

After I got it working with an ssl encrypted pop3 account on yahoo.ca,
I added the user account settings the daemon with
cat /home/dave/.fetchmailrc >> /etc/fetchmailrc, then started the fetchmail
service.  It seems to work ok.

Is there a POC for the dos?  If not, I consider the i586 testing for the srpm
fetchmail-6.3.20-1.1.mga1.src.rpm
finished.
Comment 8 Derek Jennings 2011-08-31 11:32:40 CEST 
Verified operation of fetchmail-6.3.20-1.1.mga1.src.rpm on x86_64
Tested POP3 and IMAP accounts.

Advisory: A vulnerability has been found in fetchmail that could allow a remote server to cause a Denial of Service, CVE-2011-1947.
This updated package fixes the vulnerability

Keywords: (none) => validated_update
CC: (none) => derekjenn, qa-bugs
Assignee: qa-bugs => security

Comment 9 D Morgan 2011-08-31 13:09:29 CEST 
update pushed.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED