Debian: fetchmail buffer overflow

    Date24 Dec 2002
    CategoryDebian
    2799
    Posted ByLinuxSecurity Advisories
    There is a buffer overflow in fetchmail, an SSL enabled POP3, APOP and IMAP mail gatherer/forwarder.
    
    --------------------------------------------------------------------------
    Debian Security Advisory DSA 216-1                     This email address is being protected from spambots. You need JavaScript enabled to view it. 
    http://www.debian.org/security/                             Martin Schulze
    December 24th, 2002                      http://www.debian.org/security/faq
    --------------------------------------------------------------------------
    
    Package        : fetchmail
    Vulnerability  : buffer overflow
    Problem-Type   : remote
    Debian-specific: no
    CVE Id         : CAN-2002-1365 (confirmed)
    
    Stefan Esser of e-matters discovered a buffer overflow in fetchmail,
    an SSL enabled POP3, APOP and IMAP mail gatherer/forwarder.  When
    fetchmail retrieves a mail all headers that contain addresses are
    searched for local addresses.  If a hostname is missing, fetchmail
    appends it but doesn't reserve enough space for it.  This heap
    overflow can be used by remote attackers to crash it or to execute
    arbitrary code with the privileges of the user running fetchmail.
    
    For the current stable distribution (woody) this problem has been
    fixed in version 5.9.11-6.2 of fetchmail and fetchmail-ssl.
    
    For the old stable distribution (potato) this problem has been fixed
    in version 5.3.3-4.3.
    
    For the current unstable distribution (sid) this problem has been
    fixed in version 6.2.0-1 of fetchmail and fetchmail-ssl.
    
    We recommend that you upgrade your fetchmail packages.
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 2.2 alias potato
    ---------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.dsc
          Size/MD5 checksum:      566 a1903624c0ec3bd32511423932643072
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.diff.gz
          Size/MD5 checksum:    27949 ba53d0ca7f33019f8aa377359adf1212
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3.orig.tar.gz
          Size/MD5 checksum:   755731 d2cffc4594ec2d36db6681b800f25e2a
    
      Architecture independent components:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.3.3-4.3_all.deb
          Size/MD5 checksum:    63344 eeb78fb002b7cec35d21f782123638c5
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_alpha.deb
          Size/MD5 checksum:   371692 f59ce881bc67072165a43c935d1c555b
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_arm.deb
          Size/MD5 checksum:   349562 7f3512eed908f266268a5c92be1d2fd8
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_i386.deb
          Size/MD5 checksum:   342328 51380d2821f2837a7aaf3f14850fce83
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_m68k.deb
          Size/MD5 checksum:   336626 0fc917ae77fae36202be9db505de495e
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_powerpc.deb
          Size/MD5 checksum:   350320 e3d5dbe15acefa05a6c7cbfdada1bf2a
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_sparc.deb
          Size/MD5 checksum:   328084 1f5bc0689d1c1c86f81d022a53e9cff9
    
    
    Debian GNU/Linux 3.0 alias woody
    --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.dsc
          Size/MD5 checksum:      712 7dd3621fe339460971cc328484b0e279
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.diff.gz
          Size/MD5 checksum:   300336 7503a6bbf5020b118c0061586e16822a
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11.orig.tar.gz
          Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd
    
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.dsc
          Size/MD5 checksum:      707 69a8e2fa290af062b9740943d26df507
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.diff.gz
          Size/MD5 checksum:   296112 e4ecdeddc8bffa9a54f386ab449485fe
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11.orig.tar.gz
          Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd
    
      Architecture independent components:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.2_all.deb
          Size/MD5 checksum:   165338 fd022003903f569d077e36faf5ad2a21
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.9.11-6.2_all.deb
          Size/MD5 checksum:    92680 259860a2bcf5ec0376e899a4bac606c5
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_alpha.deb
          Size/MD5 checksum:   307102 5fd453636e5bd8613abc7aa237585fe7
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_alpha.deb
          Size/MD5 checksum:   309976 952fa90b23a9cfc6924eae2f1408c54c
    
      ARM architecture:
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_arm.deb
          Size/MD5 checksum:   290732 9bdae78eabf81f3abd9f06ff809b4515
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_arm.deb
          Size/MD5 checksum:   296660 cb0b113ef7df375b3ffd310a1012f3ce
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_i386.deb
          Size/MD5 checksum:   286470 f18703ec4f6a78310321055fcf83c4c8
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_i386.deb
          Size/MD5 checksum:   291960 2649fd5b6238851a29e8a787f462ee7e
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_ia64.deb
          Size/MD5 checksum:   329940 a504adb23f4b454ef367209e1040abcb
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_ia64.deb
          Size/MD5 checksum:   333976 144c1df5d7c723c7d6bd5e43f592b48b
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_hppa.deb
          Size/MD5 checksum:   299074 166df103ddb481f7765fdf748afd94a7
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_hppa.deb
          Size/MD5 checksum:   301932 bebfca5047e0cbc6b29153643badc969
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_m68k.deb
          Size/MD5 checksum:   281204 f04e277cf71fc0cddd091fc605ef4036
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_m68k.deb
          Size/MD5 checksum:   286402 6ce360b059551b495414e1beb02b67a3
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_mips.deb
          Size/MD5 checksum:   296502 d4dce762db683352d353e47abe050e13
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_mips.deb
          Size/MD5 checksum:   301044 2c684dbc2dba6f5cc8c1de6e6f705ff8
    
      Little endian MIPS architecture:
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_mipsel.deb
          Size/MD5 checksum:   295990 0d05ae19ca00996e83eaff5ace4bceb5
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_mipsel.deb
          Size/MD5 checksum:   300566 64af54cf6b0e3f531d0219a22eb1dd8a
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_powerpc.deb
          Size/MD5 checksum:   291608 68ff481887635a4ce1243d1900c02998
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_powerpc.deb
          Size/MD5 checksum:   297644 70ff4071e9680a10121819046d856e55
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_s390.deb
          Size/MD5 checksum:   288886 7b3fdb495abd4687d2e6829e7ffe0d9d
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_s390.deb
          Size/MD5 checksum:   294558 0699d986ee8f14d1c6ae3cfd1395206d
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_sparc.deb
          Size/MD5 checksum:   293406 f63f33a3530f7ba8506c35c3aa9c5e4b
         http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_sparc.deb
          Size/MD5 checksum:   298076 56d727fcf9a8cd3403454bb60bdd3b4d
    
    
      These files will probably be moved into the stable distribution on
      its next revision.
    
    ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"4","type":"x","order":"1","pct":57.14,"resources":[]},{"id":"88","title":"Should be more technical","votes":"2","type":"x","order":"2","pct":28.57,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"1","type":"x","order":"3","pct":14.29,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.