(Sun Issues Fix for Sun Linux) Re: Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code

SecurityTracker Alert ID: 1005424
SecurityTracker URL: http://securitytracker.com/id/1005424
CVE Reference: CAN-2002-1174, CAN-2002-1175
Date: Oct 16 2002
Impact: Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes

Description:
A buffer overflow vulnerability was reported in fetchmail. A remote user may be able to cause arbitrary code to be executed when fetchmail is operating in multi-drop mode.
Several buffer overflow conditions can reportedly be triggered when fetchmail is running in multi-drop mode.
In several places, the readheaders() parsing function reportedly copies user-supplied email addresses to fixed size buffers without checking the size of the email address.
A broken boundary check is reported in the getmxrecord() function. A remote user who can send a specially crafted DNS packet to the target server can exploit this flaw to cause fetchmail to crash.
A bug is also reported in the parse_received() function affecting the parsing of user-supplied "Received:" headers. Portions of the "Received:" header line are copied without validating the size of the copied portion. A remote user can send mail with a specially crafted "Received:" header line to cause fetchmail to overflow the heap with arbitrary code. This bug allows a remote user to execute arbitrary code on the system.
The vendor credits Stefan Esser (e-matters) for reporting these flaws. The e-matters security advisory is available at:
http://security.e-matters.de/advisories/032002.html
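
The description above says parse_received() copied portions of the "Received:" line without validating their size. As an added example (not fetchmail's code and not taken from the advisory), the C function below copies the address from a `for <...>` clause into a fixed-size buffer and rejects anything that does not fit. The function name, the choice of the `for <...>` clause, ADDR_MAX and the sample header are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 64  /* assumed fixed buffer size, for illustration only */

/* Copy the address inside the "for <addr>" clause of a Received: line
 * into out[outsz]. Returns 0 on success, -1 if the clause is missing,
 * unterminated, empty, or too long for the buffer. Oversize input is
 * rejected, never truncated, and out is left as an empty string.
 * The unchecked pattern the advisory describes is a strcpy()-style
 * copy into such a buffer with no comparison against its size. */
int extract_for_addr(const char *hdr, char *out, size_t outsz)
{
    const char *p, *end;
    size_t len;

    if (!hdr || !out || outsz == 0) return -1;
    out[0] = '\0';
    /* Find "for <" as its own token (headers may be folded with \n\t). */
    for (p = hdr; (p = strstr(p, "for <")) != NULL; p += 5)
        if (p > hdr && isspace((unsigned char)p[-1])) break;
    if (!p) return -1;
    p += 5;                                   /* first byte of the address */
    end = strchr(p, '>');
    if (!end) return -1;                      /* unterminated clause */
    len = (size_t)(end - p);
    if (len == 0 || len >= outsz) return -1;  /* the size check that must precede the copy */
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample header, not taken from a real message. */
    const char *hdr = "Received: from a.example by b.example with ESMTP id 1\n"
                      "\tfor <alice@example.org>; Wed, 16 Oct 2002 09:50:27 -0400";
    char addr[ADDR_MAX];

    if (extract_for_addr(hdr, addr, sizeof addr) == 0)
        printf("envelope recipient: %s\n", addr);
    else
        printf("no usable for-clause; header ignored\n");
    return 0;
}
```
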
Impact:
A remote user may be able to execute arbitrary code on the system with the privileges of the fetchmail daemon. In some configurations, this may be root privileges.
Solution:
Sun has issued a fix for Sun Linux 5.0:
fetchmail-5.9.0-11.i386.rpm or later
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F47784
Cause: Boundary error
Underlying OS: Linux (Sun)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Wed, 16 Oct 2002 09:50:27 -0400
Subject: Sun Alert 47784 (fetchmail); Sun Linux, Sun Cobalt RaQs and Qubes

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F47784
Sun issued an Alert Notification (47784) warning of a flaw in fetchmail, affecting Sun
Linux and Sun Cobalt systems. A remote user may be able to execute arbitrary commands
with the privileges of the user running the "fetchmail" program.
This issue is described in the following CVE entries:
* CAN-2002-1174 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1174
* CAN-2002-1175 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1175
The following releases are affected:
Sun Linux 5.0
* fetchmail-5.9.0-1.i386.rpm
Qube 2
* fetchmail-4.7.4-1.mips.rpm
Qube 3
* fetchmail-5.5.0-1C1.i386.rpm
Sun has issued a fix for Sun Linux 5.0:
* fetchmail-5.9.0-11.i386.rpm or later
A fix for Sun Cobalt Server Appliances (Qube 3 and Qube 2) is not yet available. Sun has
provided the following workaround:
"As a possible workaround, for Sun Cobalt Server Appliances (Qube 3, and Qube 2) disable
remote mail acquisition through the Cobalt GUI (go to the "Email Services" tab under
"Remote Retrieval" and uncheck the "Enable Remote Retrieval" check box). As a result,
remote mail retrieval will not function until re-enabled."
* Sun Alert ID: 47784
* Synopsis: Sun Linux/Sun Cobalt Security Vulnerability in "fetchmail"
* Category: Security
* Product: Sun Linux, Sun Cobalt RaQs and Qubes
* BugIDs:
* Avoidance: Patch, Workaround
* State: Committed
* Date Released: 15-Oct-2002
* Date Closed:
* Date Modified: