SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Fetchmail Vendors:   Raymond, Eric S.
Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
SecurityTracker Alert ID:  1005273
SecurityTracker URL:  http://securitytracker.com/id/1005273
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Sep 29 2002
Original Entry Date:  Sep 24 2002
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0.0 and prior versions
Description:   A buffer overflow vulnerability was reported in fetchmail. A remote user may be able to cause arbitrary code to be executed when fetchmail is operating in multi-drop mode.

It is reported that there are several buffer overflow conditions that can be triggered when fetchmail is running in multi-drop mode.

In several places, the readheaders() parsing function reportedly copies user-supplied email addresses to fixed size buffers without checking the size of the email address.

A broken boundary check is reported in the getmxrecord() function. A remote user that can send a specially crafted DNS packet to the target server can exploit this flaw to cause fetchmail to crash.

A bug is also reported in the parse_received() function affecting the parsing of user-supplied "Received:" headers. Portions of the "Received:" header line are copied without validating the size of the copied portion. A remote user can send mail with a specially crafted "Received:" header line to cause fetchmail to overflow the heap with arbitrary code. This bug allows a remote user to execute arbitrary code on the system.

The vendor credits Stefan Esser (e-matters) for reporting these flaws. The e-matters security advisory is available at:

http://security.e-matters.de/advisories/032002.html

Impact:   A remote user may be able to execute arbitrary code on the system with the privileges of the fetchmail daemon. In some configurations, this may be root privileges.
Solution:   The vendor has released a fixed version (6.1.0), available at:

http://www.tuxedo.org/~esr/fetchmail/
http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz
http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0-1.i386.rpm
http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0-1.src.rpm

Vendor URL:  www.tuxedo.org/~esr/fetchmail/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Re: Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
Red Hat has issued a fix.
(Sun Issues Fix for Sun Linux) Re: Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
Sun has issued a fix for Sun Linux 5.0.
(Conectiva Issues Fix) Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
Conectiva has released a fix.



 Source Message Contents

Subject:  [Full-Disclosure] (no subject)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

is there any more information on this "potential" remote vulnerability?

fetchmail-6.1.0 (Sun Sep 22 18:31:23 EDT 2002), 21999 lines:

* Updated French translation.
* Stefan Esser's fix for potential remote vulnerability in multidrop mode.
This is an important security fix!

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wloEARECABoFAj2PTckTHG11dGV4QGh1c2htYWlsLmNvbQAKCRBLR9YdGwjQEGCjAJ9j
dQWGysbUyLbds8ov0c7trraFswCfSoAdWbhdWhiLD+QJTYnJBRZpz3Q=
=LBY3
-----END PGP SIGNATURE-----




Get your free encrypted email at https://www.hushmail.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC