Bug 22890 - fetchmail-SA-2010-01: Heap overrun in verbose SSL cert info display
Summary: fetchmail-SA-2010-01: Heap overrun in verbose SSL cert info display
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: fetchmail (show other bugs)
Version: unstable
Hardware: all Linux
Importance: P3 minor
Assignee: Alexey Gladkov
QA Contact: qa-sisyphus
URL: http://www.fetchmail.info/fetchmail-S...
Keywords: security
Depends on:
Blocks:
Reported: 2010-02-04 13:25 MSK by Dmitry V. Levin
Modified: 2010-03-30 13:35 MSD

See Also:
Description Dmitry V. Levin 2010-02-04 13:25:20 MSK
In verbose mode, fetchmail prints X.509 certificate subject and issuer
information to the user, and counts and allocates a malloc() buffer for
that purpose.

If the material to be displayed contains characters with high bit set
and the platform treats the "char" type as signed, this can cause a heap
buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.

This might be exploitable to inject code if
- fetchmail is run in verbose mode
AND
- the host running fetchmail considers char unsigned
AND
- the server uses malicious certificates with non-printing characters
  that have the high bit set
AND
- these certificates manage to inject shell-code that consists purely of
  printable characters.

It is believed to be difficult to achieve all this.
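The miscount the report describes, as an added, constructed illustration (not fetchmail's code and not part of the original bug report): the escaper budgets four output bytes ("\xNN") per input byte, but hands each non-printable byte to %02X as a plain char, so on a platform where char is signed a byte such as 0xC3 is promoted to the negative int -61 and prints as "FFFFFFC3", ten bytes where four were reserved. The function and variable names, the 4-bytes-per-byte budget and the sample subject bytes are all assumptions made for the example; the sign extension is written out explicitly so the result does not depend on the signedness of char on the host that compiles it. The escaper tracks its output capacity, so the demo itself never overruns; it reports how many bytes the escaped form would need next to what the budget allows.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allocation budget of the vulnerable pattern: 4 bytes ("\xNN") per input
 * byte plus the terminating NUL. (Assumed budget, not fetchmail's code.) */
size_t escaped_capacity(size_t len)
{
    return len * 4 + 1;
}

/*
 * Escape `in` into `out` (capacity `outcap`, always NUL-terminated) and return
 * the number of bytes the full escaped form needs, snprintf-style.
 * signed_bug != 0: the byte reaches %02X the way a signed char would, i.e.
 *   sign-extended to int and then read as unsigned (0xC3 -> "FFFFFFC3").
 * signed_bug == 0: the byte is cast to unsigned char first, which is the fix.
 * Output stops (but counting continues) once a piece would not fit.
 */
size_t escape_cert_field(const unsigned char *in, size_t len, int signed_bug,
                         char *out, size_t outcap)
{
    size_t need = 0;
    if (outcap)
        out[0] = '\0';
    for (size_t i = 0; i < len; i++) {
        char piece[16];
        int n;
        if (isprint(in[i]) || isspace(in[i])) {
            piece[0] = (char)in[i];
            piece[1] = '\0';
            n = 1;
        } else {
            /* The cast chain makes the buggy promotion explicit and well
             * defined: signed char -> int (negative) -> unsigned (modular). */
            unsigned v = signed_bug ? (unsigned)(int)(signed char)in[i]
                                    : (unsigned)in[i];
            n = snprintf(piece, sizeof piece, "\\x%02X", v);
        }
        if (need + (size_t)n < outcap)
            memcpy(out + need, piece, (size_t)n + 1); /* copies the NUL too */
        need += (size_t)n;
    }
    return need;
}

/* Constructed certificate subject fragment (not from any real certificate):
 * "CN=" followed by UTF-8 "ü" (C3 BC), a lone 0xFF byte, then ".x". */
const unsigned char sample_subject[] = { 'C', 'N', '=', 0xC3, 0xBC, 0xFF, '.', 'x' };
const size_t sample_subject_len = sizeof sample_subject;

/* Bytes the escaped sample needs (excluding NUL) in the chosen mode. */
size_t needed_len(int signed_bug)
{
    char scratch[64];
    return escape_cert_field(sample_subject, sample_subject_len, signed_bug,
                             scratch, sizeof scratch);
}

/* The escaped sample in a static buffer, for inspection. */
const char *escaped_sample(int signed_bug)
{
    static char buf[64];
    escape_cert_field(sample_subject, sample_subject_len, signed_bug,
                      buf, sizeof buf);
    return buf;
}

/* 1 if the escaped form plus its NUL would exceed the budgeted allocation. */
int would_overrun(int signed_bug)
{
    return needed_len(signed_bug) + 1 > escaped_capacity(sample_subject_len);
}

int main(void)
{
    for (int bug = 1; bug >= 0; bug--) {
        printf("%-22s need %zu+1 bytes, budget %zu: %s\n  %s\n",
               bug ? "signed char to %02X:" : "unsigned char to %02X:",
               needed_len(bug), escaped_capacity(sample_subject_len),
               would_overrun(bug) ? "OVERRUN" : "fits",
               escaped_sample(bug));
    }
    return 0;
}
```

With the eight-byte sample the budget is 33 bytes; the fixed escaper needs 17 (plus NUL), while the signed-char path needs 35 (plus NUL) and so writes past the end of a malloc()'d buffer of that size. Each additional high-bit byte in the subject or issuer widens the gap by six bytes, which is why the report treats attacker-chosen certificate contents as the trigger.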
Comment 1 Afanasov Dmitry 2010-03-30 13:35:41 MSD
fixed in fetchmail 6.3.14 (http://fetchmail.berlios.de/security.html)