Bug 1912 - DoS issue with fetchmail
Summary: DoS issue with fetchmail
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Security team
QA Contact:
URL: http://www.fetchmail.info/fetchmail-S...
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2011-06-24 13:56 CEST by Stew Benedict
Modified: 2011-08-31 13:09 CEST

See Also:
Source RPM: fetchmail-6.3.19-3.mga1.src.rpm
CVE:
Status comment:



Description Stew Benedict 2011-06-24 13:56:42 CEST
Description of problem:

fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.

Version-Release number of selected component (if applicable):

6.3.19-3mga1

How reproducible:

N/A

Also see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947

Text at the fetchmail site references the git commit with the fix, although they recommend upgrading to 6.3.20. I'll defer from opinion on which path to take.

I am not finding a PoC to test the fix.

Possible Advisory text:

Certain versions of fetchmail do not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets. Updated packages correct this issue.
This issue has been reserved the CVE identifier of CVE-2011-1947 at
http://cve.mitre.org.
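
The hang described above comes from a read with no deadline after the server's +OK reply. As an added example (not fetchmail's code and not part of this bug report), the Python client below bounds the STLS exchange and the TLS handshake with a socket timeout and is exercised against a constructed local peer that acknowledges STLS and then goes silent; all function names are hypothetical.

```python
import socket, ssl, threading, time

def start_stalling_server():
    """Constructed local test peer: answers STLS with +OK, then sends nothing."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    done = threading.Event()
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(b"+OK constructed test server\r\n")
            conn.recv(64)                      # the client's STLS line
            conn.sendall(b"+OK begin TLS\r\n")
            done.wait(30)                      # stall instead of answering the handshake
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], done

def read_line(sock):
    """Read one CRLF-terminated reply byte by byte so no TLS bytes are consumed."""
    buf = b""
    while not buf.endswith(b"\n"):
        byte = sock.recv(1)
        if not byte:
            raise ConnectionError("peer closed the connection")
        buf += byte
    return buf

def stls_with_deadline(host, port, timeout):
    """Return (status, seconds); every read, including the handshake, is bounded."""
    began = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        read_line(sock)                        # greeting
        sock.sendall(b"STLS\r\n")
        if not read_line(sock).startswith(b"+OK"):
            return "refused", time.monotonic() - began
        # The socket timeout also applies to the handshake inside wrap_socket().
        ssl.create_default_context().wrap_socket(sock, server_hostname=host).close()
        return "tls-established", time.monotonic() - began
    except socket.timeout:
        return "timed-out", time.monotonic() - began
    finally:
        sock.close()

if __name__ == "__main__":
    port, done = start_stalling_server()
    print(stls_with_deadline("127.0.0.1", port, timeout=2.0))
    done.set()
```

Without the `timeout` argument the same call would block for as long as the peer stays silent, which is the application hang the advisory describes.
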
Comment 1 Stew Benedict 2011-08-28 21:45:34 CEST
no interest in this, closing

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 2 D Morgan 2011-08-28 23:41:04 CEST
reopening

Status: RESOLVED => REOPENED
CC: (none) => dmorganec
Resolution: OLD => (none)

Comment 3 D Morgan 2011-08-28 23:58:19 CEST
update pushed in update_testing

Comment 4 Manuel Hiebel 2011-08-29 00:08:12 CEST
ok for qa-team?

Remco Rijnders 2011-08-29 07:41:03 CEST

Assignee: bugsquad => qa-bugs

Comment 5 Dave Hodgins 2011-08-29 09:05:32 CEST
I'd expect it to be available at
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/1/i586/media/core/updates_testing
by now, but it isn't.  Can you check the submit?

CC: (none) => davidwhodgins

Comment 6 D Morgan 2011-08-29 10:50:13 CEST
rejected by the BS. I will fix the package today.

Comment 7 Dave Hodgins 2011-08-31 09:22:29 CEST
I can confirm that fetchmail works.  I don't like the user interface of
fetchmailconf, but it seems to work once you get used to pressing enter
instead of clicking on a button for each entry.

After I got it working with an ssl encrypted pop3 account on yahoo.ca,
I added the user account settings to the daemon with
cat /home/dave/.fetchmailrc >> /etc/fetchmailrc, then started the fetchmail
service.  It seems to work ok.

Is there a POC for the DoS?  If not, I consider the i586 testing for the srpm
fetchmail-6.3.20-1.1.mga1.src.rpm
finished.

Comment 8 Derek Jennings 2011-08-31 11:32:40 CEST
Verified operation of fetchmail-6.3.20-1.1.mga1.src.rpm on x86_64
Tested POP3 and IMAP accounts.

Advisory: A vulnerability has been found in fetchmail that could allow a remote server to cause a Denial of Service, CVE-2011-1947.
This updated package fixes the vulnerability.

Keywords: (none) => validated_update
CC: (none) => derekjenn, qa-bugs
Assignee: qa-bugs => security

Comment 9 D Morgan 2011-08-31 13:09:29 CEST
update pushed.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

