22890 2010-02-04 13:25:20 +0300 fetchmail-SA-2010-01: Heap overrun in verbose SSL cert info display 2010-03-30 13:35:41 +0400 1 1 4 Development Sisyphus fetchmail unstable all Linux CLOSED FIXED http://www.fetchmail.info/fetchmail-SA-2010-01.txt security P3 minor --- 1 ldv legion antohami azol legion mike qa-sisyphus oldest_to_newest 106331 0 ldv 2010-02-04 13:25:20 +0300 In verbose mode, fetchmail prints X.509 certificate subject and issuer information to the user, and counts and allocates a malloc() buffer for that purpose. If the material to be displayed contains characters with high bit set and the platform treats the "char" type as signed, this can cause a heap buffer overrun because non-printing characters are escaped as \xFF..FFnn, where nn is 80..FF in hex. This might be exploitable to inject code if - fetchmail is run in verbose mode AND - the host running fetchmail considers char unsigned AND - the server uses malicious certificates with non-printing characters that have the high bit set AND - these certificates manage to inject shell-code that consists purely of printable characters. It is believed to be difficult to achieve all this. 108266 1 ender 2010-03-30 13:35:41 +0400 fixed in fetchmail 6.3.14 (http://fetchmail.berlios.de/security.html)