Gentoo Logo

fetchmail: Password exposure in fetchmailconf

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200511-06 / fetchmail
Release Date November 06, 2005
Latest Revision November 06, 2005: 01
Impact normal
Exploitable local
Package Vulnerable versions Unaffected versions Architecture(s)
net-mail/fetchmail < 6.2.5.2-r1 >= 6.2.5.2-r1 All supported architectures

Related bugreports: #110366

Synopsis

fetchmailconf fails to properly handle file permissions, temporarily exposing sensitive information to other local users.

2.  Impact Information

Background

fetchmail is a utility that retrieves and forwards mail from remote systems using IMAP, POP, and other protocols. It ships with fetchmailconf, a graphical utility used to create configuration files.

Description

Thomas Wolff discovered that fetchmailconf opens the configuration file with default permissions, writes the configuration to it, and only then restricts read permissions to the owner.

Impact

A local attacker could exploit the race condition to retrieve sensitive information like IMAP/POP passwords.

3.  Resolution Information

Workaround

Run "umask 077" to temporarily strengthen default permissions, then run "fetchmailconf" from the same shell.

Resolution

All fetchmail users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.2.5.2-r1"

4.  References



Print

Page updated November 06, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.