oss-sec mailing list archives

fetchmail-SA-2025-01: SMTP AUTH denial of service


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 3 Oct 2025 11:55:05 -0700

https://www.fetchmail.info/fetchmail-SA-2025-01.txt reports:


fetchmail-SA-2025-01: SMTP AUTH denial of service

Topics:         fetchmail SMTP client can crash when authenticating

Author:         Matthias Andree
Version:        1.0
Announced:      2025-10-03
Type:           failure to validate network input in certain configurations
Impact:         fetchmail tries to read from address 1 and can crash
Severity:       moderate

URL:            https://www.fetchmail.info/fetchmail-SA-2025-01.txt
Project URL:    https://www.fetchmail.info/
CVE Name:       pending, requested via MITRE as CNA-LR

Affects:        - fetchmail releases up to and including 6.5.5
                - fetchmail 7.0.0 pre-releases

Not affected:   - fetchmail 6.5 releases 6.5.6 and newer

Introduced in:  2002-03-09 fetchmail release 5.9.9 added SMTP AUTH

Corrected in:   2025-10-03 Git commit 4c3cebfa4e659fb778ca2cae0ccb3f69201609a8
                2025-10-03 fetchmail release 6.5.6


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail defaults to using the SMTP server on "localhost"
and to not attempting to authenticate, unless configured otherwise.

fetchmail also supports a "daemon" mode, where it runs over extended time
and periodically polls the upstream servers.  This can detach fetchmail
from the controlling terminal into the background, or - with a "nodetach" setting
- keep attached to the controlling terminal, which also eases use by
service supervisors.


2. Problem description and Impact
=================================

fetchmail's SMTP client, when configured to authenticate [1], is susceptible
to a protocol violation where, when a trusted but malicious or malfunctioning
SMTP server responds to an authentication request with a "334" code but without a
following blank on the line, it will attempt to start reading from memory
address 0x1 to parse the server's SASL challenge. This address is constant and not
under the attacker's control. This event will usually cause a crash of fetchmail.
If fetchmail in this situation was running in daemon mode, this mode is also
terminated by the crash.

[1] This requires the esmtpname and esmtppassword options to be configured in
the configuration file and the plugout and mda options to be inactive.

As a word of warning, this vulnerability has eluded several static code analyzers.


3. Solutions
============

General recommendation: if running fetchmail in the background or in daemon
mode, ensure that the daemon is supervised and crashes are reported so that
action can be taken about the malfunctioning SMTP server, or on fetchmail's end
to replace local delivery by a different server or other means.


3a. Install fetchmail 6.5.6 or newer.

The fetchmail source code is available from
<https://sourceforge.net/projects/fetchmail/files/> and
<https://gitlab.com/fetchmail/fetchmail/-/releases>

The Git-based source code repository is currently published via
https://gitlab.com/fetchmail/fetchmail/-/tree/legacy_6x (primary)
https://sourceforge.net/p/fetchmail/git/ci/legacy_6x/tree/ (copy)


3b. Apply the smtp.c patch from the URL below and rebuild fetchmail:
<https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8>


A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2025 by Matthias Andree, <matthias.andree () gmx de>.
Some rights reserved.

This file is licensed under CC BY-ND 4.0. To view a copy of this license,
visit <http://creativecommons.org/licenses/by-nd/4.0/>

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2025-01
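As an added illustration, not fetchmail's own code and not the referenced smtp.c patch, the C sketch below models the bug class the advisory describes: a "334" reply with no following blank turns a strchr()-based challenge lookup into a NULL + 1 pointer (address 0x1), shown beside a checked parser that rejects such a reply instead. The function names and the exact vulnerable pattern are assumptions chosen to match the described behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not fetchmail's code: models the reply handling the
 * advisory describes. An SMTP AUTH continuation reply is "334 <base64>";
 * the challenge is whatever follows the blank after the reply code. */

/* Assumed vulnerable pattern: locate the blank and step past it. When the
 * server sends "334" with no blank, strchr() returns NULL, and NULL + 1 is
 * address 0x1, a constant the server cannot steer. Reading from it usually
 * crashes the client, which is the denial of service in the advisory. */
const char *challenge_unchecked(const char *line)
{
    return strchr(line, ' ') + 1;     /* (char *)0x1 when no blank is present */
}

/* Hardened form: validate the reply shape before deriving any pointer from
 * it, and return NULL so the caller aborts the AUTH exchange and reports the
 * misbehaving server rather than touching an invalid address. */
const char *challenge_checked(const char *line)
{
    if (line == NULL || strncmp(line, "334", 3) != 0)
        return NULL;                  /* not a SASL continuation reply */
    if (line[3] != ' ')
        return NULL;                  /* "334" must be followed by a blank */
    return line + 4;                  /* base64 challenge, possibly empty */
}

/* Reports whether the unchecked parser would hand back the bogus 0x1
 * pointer for a given reply line; compared as an integer so the check
 * itself never dereferences anything. */
int unchecked_yields_address_one(const char *line)
{
    return (uintptr_t)challenge_unchecked(line) == 1;
}
```

A supervisor watching for the crash (section 3) catches the symptom; the checked parser removes the cause by refusing the malformed reply before any pointer is formed from it.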

