[Bug 354291] New: fetchmail Segmentation fault
https://bugzilla.novell.com/show_bug.cgi?id=354291

           Summary: fetchmail Segmentation fault
           Product: openSUSE 10.3
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 10.3
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Other
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: motionseverywhere@gmx.net
         QAContact: qa@suse.de
          Found By: ---

fetchmail 6.3.8-57.2 x86_64

Happened twice during the last 14 days: fetchmail is used to retrieve emails from our ISP mail server. A mail that is somehow malformed (a spam mail on the 1st occurrence, a wanted newsletter mail on the 2nd occurrence) causes a segmentation fault and terminates fetchmail. Therefore the defective mail is stuck on top of the waiting mail stack. The cron job with fetchmail fails on ALL following tries until the defective mail is cleared manually. Possible denial of service.

The 2nd mail file (newsletter) is saved and can be provided. As it contains confidential mail and server data, it is available only on request.

And I just installed the latest fetchmail-6.3.8-86.x86_64.rpm (14-Jan-2008 16:25) from the openSUSE 11.0alpha, which still fails on the same mail.

Here are the last lines of the log file until fetchmail dies:

fetchmail: 6.3.8 querying xxx.xxxx.info (protocol POP3) at Wed Jan 16 21:13:21 2008: poll started
fetchmail: Trying to connect to 111.111.111.11/110...connected.
fetchmail: POP3< +OK s141 Cyrus POP3 v2.2.12 server ready
fetchmail: POP3> CAPA
fetchmail: POP3< +OK List of capabilities follows
fetchmail: POP3< STLS
fetchmail: POP3< EXPIRE NEVER
fetchmail: POP3< LOGIN-DELAY 0
fetchmail: POP3< TOP
fetchmail: POP3< UIDL
fetchmail: POP3< PIPELINING
fetchmail: POP3< RESP-CODES
fetchmail: POP3< AUTH-RESP-CODE
fetchmail: POP3< USER
fetchmail: POP3< IMPLEMENTATION Cyrus POP3 server v2.2.12
fetchmail: POP3< .
fetchmail: 6.3.8 querying xxx.xxxx.info (protocol POP3) at Wed Jan 16 21:13:21 2008: poll started
fetchmail: Trying to connect to 111.111.111.111/110...connected.
fetchmail: POP3< +OK s141 Cyrus POP3 v2.2.12 server ready
fetchmail: POP3> CAPA
fetchmail: POP3< +OK List of capabilities follows
fetchmail: POP3< STLS
fetchmail: POP3< EXPIRE NEVER
fetchmail: POP3< LOGIN-DELAY 0
fetchmail: POP3< TOP
fetchmail: POP3< UIDL
fetchmail: POP3< PIPELINING
fetchmail: POP3< RESP-CODES
fetchmail: POP3< AUTH-RESP-CODE
fetchmail: POP3< USER
fetchmail: POP3< IMPLEMENTATION Cyrus POP3 server v2.2.12
fetchmail: POP3< .
fetchmail: 1 message for p6653p1 at xxx.xxxx.info (17194 octets).
fetchmail: POP3> LIST 1
fetchmail: POP3< +OK 1 17194
fetchmail: POP3> TOP 1 99999999
fetchmail: POP3< +OK Message follows
fetchmail: reading message mailbox@xxx.xxxx.info:1 of 1 (17194 octets)
fetchmail: About to rewrite Return-Path: <PRESSxxxx@xxx.com>
Rewritten version is Return-Path: <PRESSxxxx@xxx.com>
fetchmail: About to rewrite From: PRESSxxxx@xxx.com
Rewritten version is From: PRESSxxxx@xxx.com

fetchmail configuration:

set postmaster postmaster@yyyyy.com
set no bouncemail
set invisible
set logfile /var/lib/fetchmail/fetchmailwilster.log

server xxx.xxxx.info
    proto pop3
    localdomains 'xxxx.biz' 'xxxx.com' 'xxxx.de'
    timeout 60
    nodns
    envelope X-Envelope-To:
    user xxxxxxxxxxxxxxxxxxx pass yyyyyyyyyyyyyyyyyyy is * here
    flush
    smtphost localhost
    smtpaddress xxxxxxx.com
    limit 20000000

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
User mtgordon@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c1

Mark Gordon <mtgordon@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mtgordon@novell.com
             Status|NEW                         |NEEDINFO
      Info Provider|                            |motionseverywhere@gmx.net

--- Comment #1 from Mark Gordon <mtgordon@novell.com> 2008-01-16 15:21:17 MST ---
Can you install fetchmail-debuginfo and run fetchmail through gdb to get a stack trace?
User motionseverywhere@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c2

Gunther Nau <motionseverywhere@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |motionseverywhere@gmx.net

--- Comment #2 from Gunther Nau <motionseverywhere@gmx.net> 2008-01-17 06:03:17 MST ---
Okay, back to fetchmail-6.3.8-57 with debug info and my first gdb run ever:

(no debugging symbols found)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x2ba39135c7b0 (LWP 4459)]
0x00002ba390631bd0 in strlen () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00002ba390631bd0 in strlen () from /lib64/libc.so.6
#1  0x00002ba39060184d in vfprintf () from /lib64/libc.so.6
#2  0x00002ba390692118 in __vsnprintf_chk () from /lib64/libc.so.6
#3  0x0000000000426413 in ?? ()
#4  0x0000003000000020 in ?? ()
#5  0x00007fff1c0483c0 in ?? ()
#6  0x00007fff1c0482f0 in ?? ()
#7  0x00002ba3905e7ace in ?? () from /lib64/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)

Is this sufficient? I'm not sure that the fetchmail debug info is really located and used by gdb.
User mtgordon@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c3

--- Comment #3 from Mark Gordon <mtgordon@novell.com> 2008-01-17 13:20:39 MST ---
Are you sure you have the right packages installed? What does "rpm -qa | grep fetchmail" say?
User motionseverywhere@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c4

--- Comment #4 from Gunther Nau <motionseverywhere@gmx.net> 2008-01-17 14:14:21 MST ---
lin:/ # rpm -qa | grep fetchmail
fetchmail-debuginfo-6.3.8-57
fetchmail-6.3.8-57
User motionseverywhere@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c5

--- Comment #5 from Gunther Nau <motionseverywhere@gmx.net> 2008-01-17 14:34:57 MST ---
Okay, now I got it right with the symbol file and here is the backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x2b5b8e49c7b0 (LWP 13571)]
0x00002b5b8d771bd0 in strlen () from /lib64/libc.so.6
(gdb) bt
#0  0x00002b5b8d771bd0 in strlen () from /lib64/libc.so.6
#1  0x00002b5b8d74184d in vfprintf () from /lib64/libc.so.6
#2  0x00002b5b8d7d2118 in __vsnprintf_chk () from /lib64/libc.so.6
#3  0x0000000000426413 in report_build (errfp=0x2b5b8da3b760, message=0x43bc98 "About to rewrite %s") at report.c:244
#4  0x0000000000425f3f in reply_hack (buf=0x6705f0 "To: gemuese@juliwa.de, info-d@aco-funki.com, laacky@t-online.de,\r\n\tKellinghusen@Kellinghusen-Fahrsport.de, office@windwaerts.de,\r\n\tinfo@lemmer-fullwood.de, postoffice@mytoyotaservice.de,\r\n\tgerd.knuth@"..., host=0x653280 "p1111.xxxxxxxxxxx.xxxx", length=0x7fff1ef07c10) at rfc822.c:76
#5  0x0000000000411321 in readheaders (sock=6, fetchlen=6751735, reallen=<value optimized out>, ctl=0x657520, num=2, suppress_readbody=0x7fff1ef0a0f0 "") at transact.c:765
#6  0x000000000040ea0f in do_session (ctl=0x657520, proto=0x43aa20, maxfetch=0) at driver.c:623
#7  0x0000000000408248 in query_host (ctl=0x657520) at fetchmail.c:1471
#8  0x0000000000408d7a in main (argc=<value optimized out>, argv=0x7fff1ef0e388) at fetchmail.c:740
#9  0x00002b5b8d719b54 in __libc_start_main () from /lib64/libc.so.6
#10 0x0000000000404b79 in _start ()
(gdb)

Hmm, there are some real emails and server names above. Maybe they can be wiped out after analysis to prevent any search bot from registering them ...
User mtgordon@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c6

Mark Gordon <mtgordon@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |pcerny@novell.com
             Status|NEEDINFO                                  |NEW
      Info Provider|motionseverywhere@gmx.net                 |

--- Comment #6 from Mark Gordon <mtgordon@novell.com> 2008-01-17 14:59:07 MST ---
I've made the previous comment private. That should suffice.
User motionseverywhere@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c7

--- Comment #7 from Gunther Nau <motionseverywhere@gmx.net> 2008-01-22 05:53:37 MST ---
Just for your information: YOU rolled out a new version of fetchmail for CVE-2007-4565. I installed it and it still has the same segmentation fault on downloading my conserved "bad mail".
User motionseverywhere@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c8

--- Comment #8 from Gunther Nau <motionseverywhere@gmx.net> 2008-02-05 13:23:20 MST ---
Anything new on this issue? I have a segmentation fault nearly once a week now. I've collected 4 different mails so far causing fetchmail to abort. Some of them are spam, others newsletters or even wanted mails (ham) from business partners.

Shall I post this issue to a fetchmail mailing list, too?

As I mentioned in #7, I updated to the new fetchmail the YOU update service was offering. Is there a debug-info file available there in case someone needs a new gdb trace?
User pcerny@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c9

Petr Cerny <pcerny@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #9 from Petr Cerny <pcerny@novell.com> 2008-02-08 05:35:09 MST ---
Could you please attach some of the emails which trigger the crash? Or you can mail them to me directly...
User motionseverywhere@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c10

--- Comment #10 from Gunther Nau <motionseverywhere@gmx.net> 2008-02-11 08:21:25 MST ---
Created an attachment (id=194193)
 --> (https://bugzilla.novell.com/attachment.cgi?id=194193)
Thunderbird IMAP msf mailfile with the fetchmail-faulting headers
User motionseverywhere@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c11

--- Comment #11 from Gunther Nau <motionseverywhere@gmx.net> 2008-02-11 08:22:09 MST ---
I'm not sure how to safely get the mails from my ISP mail server without downloading/deleting them and without getting them changed with new status information. I've just got the headers etc. via IMAP to Thunderbird 2. Attached is the msf file from Thunderbird.

If the segmentation fault is triggered by the list of recipients, it might be helpful. If the fault is triggered through the exact TCP/IP conversation between fetchmail and the ISP mail server, then this is not helping very much ...

Please mark the attachment private to prevent any mail address harvester from accessing it.
User pcerny@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c12

--- Comment #12 from Petr Cerny <pcerny@novell.com> 2008-02-12 02:11:02 MST ---
(In reply to comment #11 from Gunther Nau)
> I'm not sure how to safely get the mails from my ISP mail server without downloading/deleting them and without getting them changed with new status information.

Probably the best way would be forwarding them directly (as attachments, to pass through our spam filters) over IMAP. Or download them over POP3 (be sure to check the state of "do not delete downloaded messages", "leave messages on server" or similar settings in your mail client).

> I've just got the headers etc. via IMAP to Thunderbird 2. Attached is the msf file from Thunderbird.

I'll try to get the headers out of it or make a similar one up (in case it is some buffer overflow).
User pcerny@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c13

--- Comment #13 from Petr Cerny <pcerny@novell.com> 2008-04-24 10:24:12 MST ---
The crash is triggered by long header lines when using the "-vv" switch. As a temporary workaround I suggest you lower verbosity (which IMHO doesn't make much sense anyway in a cron job).
User motionseverywhere@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c14

--- Comment #14 from Gunther Nau <motionseverywhere@gmx.net> 2008-04-24 11:30:45 MST ---
Confirmed! I called "fetchmail -v -v" and now changed it to "fetchmail -v" to reduce the verbosity level. The error is gone. I was able to download all collected "bad" emails without the segfaults. That's a fine solution for me, so I consider this problem solved. Thanks a lot!
User pcerny@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c15

Petr Cerny <pcerny@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |peterph@centrum.cz
         AssignedTo|pcerny@novell.com           |nadvornik@novell.com
             Status|ASSIGNED                    |NEW

--- Comment #15 from Petr Cerny <pcerny@novell.com> 2008-04-30 09:32:05 MST ---
Leaving SUSE - reassigning to Vladimir.

Note: the segfault is triggered by long (>~ 2048 bytes) header lines which are rewritten and then displayed (if the -vv or -vvv option is used) in report_build. Probably fetchmail incorrectly reads these long lines into its buffer, causing an overflow.
User nadvornik@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c16

Vladimir Nadvornik <nadvornik@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|nadvornik@novell.com        |puzel@novell.com

--- Comment #16 from Vladimir Nadvornik <nadvornik@novell.com> 2008-05-15 03:25:06 MST ---
New maintainer.
https://bugzilla.novell.com/show_bug.cgi?id=354291

Petr Uzel <puzel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
User puzel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c17

Petr Uzel <puzel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #17 from Petr Uzel <puzel@novell.com> 2008-05-23 06:16:06 MST ---
Fixed in openSUSE 11.0.

The bug was caused by repeatedly calling vsnprintf() without reinitializing the pointer to the variable arguments.
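The root cause named in comment #17, as an added example that is not fetchmail's code: the same grow-and-retry logging loop as report_build(), but re-deriving the argument list with va_copy() before every vsnprintf() call (fetchmail's own patch re-runs VA_START instead); msg_buf, msg_append and build_rewrite_line are names chosen for this example, and the 3000-byte header is constructed input.

```c
/* Added example (not fetchmail's code): the grow-and-retry logging loop
 * from report_build(), with the va_list re-derived before every
 * vsnprintf() call.  msg_buf, msg_append and build_rewrite_line are
 * names chosen here. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct msg_buf {
    char  *data;   /* accumulated text, always NUL-terminated */
    size_t size;   /* bytes allocated */
    size_t used;   /* bytes in use, excluding the NUL */
};

/* Append fmt/... to mb, growing the buffer until the text fits.
 * Returns 0 on success, -1 on failure.  The bug on this page was one
 * va_start before the loop: vsnprintf() consumes the list, so the
 * retry after a realloc formatted from an already-exhausted va_list. */
static int msg_append(struct msg_buf *mb, const char *fmt, ...)
{
    va_list args, attempt;
    int n;
    va_start(args, fmt);
    for (;;) {
        va_copy(attempt, args);           /* fresh copy for this attempt */
        n = vsnprintf(mb->data + mb->used, mb->size - mb->used, fmt, attempt);
        va_end(attempt);
        if (n < 0)                        /* encoding error (C99 semantics) */
            break;
        if ((size_t)n < mb->size - mb->used) {   /* fit, NUL included */
            mb->used += (size_t)n;
            va_end(args);
            return 0;
        }
        /* Truncated: n is the full length, so grow once and retry. */
        char *p = realloc(mb->data, mb->used + (size_t)n + 1);
        if (!p)
            break;
        mb->data = p;
        mb->size = mb->used + (size_t)n + 1;
    }
    va_end(args);
    return -1;
}

/* Build the -vv log line "About to rewrite <header> (N octets)" for a
 * constructed header of hdr_len 'x' bytes, starting from a 64-byte
 * buffer so a long header exercises the realloc-and-retry path.
 * Returns a malloc'd string (caller frees) or NULL on failure. */
char *build_rewrite_line(size_t hdr_len)
{
    struct msg_buf mb = { malloc(64), 64, 0 };
    char *hdr = malloc(hdr_len + 1);
    if (!mb.data || !hdr) { free(mb.data); free(hdr); return NULL; }
    memset(hdr, 'x', hdr_len);
    hdr[hdr_len] = '\0';
    if (msg_append(&mb, "About to rewrite %s", hdr) != 0 ||
        msg_append(&mb, " (%zu octets)", hdr_len) != 0) {
        free(mb.data); mb.data = NULL;
    }
    free(hdr);
    return mb.data;
}

int main(void)
{
    char *line = build_rewrite_line(3000);  /* > 2048, like the bad headers */
    printf("built %zu bytes\n", line ? strlen(line) : (size_t)0);
    free(line);
    return 0;
}
```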
User puzel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c18

--- Comment #18 from Petr Uzel <puzel@novell.com> 2008-05-23 06:45:29 MST ---
Patch:

--- report.c +++ report.c @@ -238,9 +238,13 @@ rep_ensuresize(); #if defined(VA_START) - VA_START (args, message); for ( ; ; ) { + /* + * args has to be initialized before every call of vsnprintf(), because + * vsnprintf() invokes va_arg macro and thus args is undefined after the call + */ + VA_START (args, message); n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, message, args);
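Review bot: moving VA_START (args, message) inside the for ( ; ; ) loop leaves each retry's va_start unpaired; the single va_end (args) after the loop (outside this hunk) now closes only the last iteration's list, while the C standard requires every va_start to be balanced by a va_end in the same function. Add `va_end (args);` directly after the vsnprintf call and drop the one after the loop. The second VA_START/vsnprintf retry loop later in report.c (around line 304) has the same pattern and is not covered by this hunk.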
User thomas@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c19

--- Comment #19 from Thomas Biege <thomas@novell.com> 2008-06-17 02:20:47 MDT ---
======================================================
Name: CVE-2008-2711
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711
Reference: MLIST:[oss-security] 20080613 CVE Id Request: fetchmail <= 6.3.8 DoS when logging long headers in -v -v mode
Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/13/1
Reference: MISC:https://bugzilla.novell.com/show_bug.cgi?id=354291

fetchmail 6.3.8 and earlier, when running in -v -v mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which is not properly handled when using vsnprintf to format log messages.
User puzel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c20

Petr Uzel <puzel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thomas@novell.com

--- Comment #20 from Petr Uzel <puzel@novell.com> 2008-06-18 07:12:38 MDT ---
Does this need to be fixed in older products too?
User thomas@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c21

--- Comment #21 from Thomas Biege <thomas@novell.com> 2008-06-18 07:15:29 MDT ---
No, fixing it in STABLE/Factory is sufficient in this case.
User puzel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=354291#c22

--- Comment #22 from Petr Uzel <puzel@novell.com> 2008-07-01 03:58:28 MDT ---
Patch update:

--- report.c +++ report.c @@ -238,11 +238,17 @@ rep_ensuresize(); #if defined(VA_START) - VA_START (args, message); for ( ; ; ) { + /* + * args has to be initialized before every call of vsnprintf(), + * because vsnprintf() invokes va_arg macro and thus args is + * undefined after the call + */ + VA_START (args, message); n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, message, args); + va_end (args); if (n >= 0 && (unsigned)n < partial_message_size - partial_message_size_used) @@ -254,7 +260,6 @@ partial_message_size += 2048; partial_message = REALLOC (partial_message, partial_message_size); } - va_end (args); #else for ( ; ; ) { @@ -304,12 +309,13 @@ rep_ensuresize(); #if defined(VA_START) - VA_START (args, message); for ( ; ; ) { + VA_START (args, message); n = vsnprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, message, args); + va_end (args); /* old glibc versions return -1 for truncation */ if (n >= 0 @@ -322,7 +328,6 @@ partial_message_size += 2048; partial_message = REALLOC (partial_message, partial_message_size); } - va_end (args); #else for ( ; ; ) {
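Review bot: the @@ -304 hunk makes the same VA_START/va_end move as the first hunk but carries none of the explanatory comment; a one-line pointer to the comment above (or a copy of it) would keep the second site from being "simplified" back to a single VA_START later.

Review bot: in the @@ -254 and @@ -322 hunks the #else fallback loop (`for ( ; ; ) {`) is visible as trailing context but untouched; confirm that the non-VA_START build path does not also reuse a consumed argument list across realloc retries, or note why it is unaffected.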