Bug 22890

Summary: fetchmail-SA-2010-01: Heap overrun in verbose SSL cert info display
Product: Sisyphus Reporter: Dmitry V. Levin <ldv>
Component: fetchmail    Assignee: Alexey Gladkov <legion>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: minor    
Priority: P3 CC: azol, legion, mike
Version: unstable    Keywords: security
Hardware: all   
OS: Linux   
URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt

Description Dmitry V. Levin 2010-02-04 13:25:20 MSK
In verbose mode, fetchmail prints X.509 certificate subject and issuer
information to the user, and counts and allocates a malloc() buffer for
that purpose.

If the material to be displayed contains characters with high bit set
and the platform treats the "char" type as signed, this can cause a heap
buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.

This might be exploitable to inject code if
- fetchmail is run in verbose mode
AND
- the host running fetchmail considers char unsigned
AND
- the server uses malicious certificates with non-printing characters
  that have the high bit set
AND
- these certificates manage to inject shell-code that consists purely of
  printable characters.

It is believed to be difficult to achieve all this.
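Added illustration of the defect class the report describes; this is a hypothetical reconstruction, not fetchmail's code. The count pass budgets four bytes for every \xNN escape, while a writer that formats the byte through a signed char emits \xFFFFFFnn for bytes with the high bit set, so the produced length exceeds the allocated length. The SAMPLE bytes are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample standing in for a certificate subject string:
 * two printable bytes, then two bytes with the high bit set. */
static const unsigned char SAMPLE[] = { 'C', 'N', '=', 'a', 0x80, 0xff };

/* Pass 1: count how many bytes the escaped form needs (including the NUL).
 * The counter assumes every escape is exactly four characters: \ x N N. */
size_t count_escaped(const unsigned char *s, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += isprint(s[i]) ? 1 : 4;
    return len + 1;
}

/* Pass 2 (defective): the byte is formatted after passing through a
 * signed char, which is what plain `char` is on platforms where char is
 * signed. A byte >= 0x80 becomes a negative int, and "%02x" of its
 * unsigned conversion prints ffffff80..ffffffff (8 hex digits), not 2.
 * Returns the number of bytes actually produced (including the NUL). */
size_t produced_signed_char(const unsigned char *s, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        signed char c = (signed char)s[i];   /* models a signed `char` */
        if (isprint((unsigned char)c))
            len += 1;
        else
            len += (size_t)snprintf(NULL, 0, "\\x%02x", (unsigned)(int)c);
    }
    return len + 1;
}

/* Pass 2 (hardened): format the byte as an unsigned value, so each escape
 * is exactly the four bytes the counter budgeted. */
size_t produced_unsigned_char(const unsigned char *s, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += isprint(s[i]) ? 1
                             : (size_t)snprintf(NULL, 0, "\\x%02x", (unsigned)s[i]);
    return len + 1;
}

/* 1 when the defective writer would exceed the counted buffer, i.e. the
 * heap overrun the advisory describes; 0 otherwise. */
int overruns(const unsigned char *s, size_t n) {
    return produced_signed_char(s, n) > count_escaped(s, n);
}
```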
Comment 1 Afanasov Dmitry 2010-03-30 13:35:41 MSD
fixed in fetchmail 6.3.14 (http://fetchmail.berlios.de/security.html)