SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Fetchmail Vendors:   Sun
(Sun Issues Fix for Sun Linux) Re: Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
SecurityTracker Alert ID:  1005424
SecurityTracker URL:  http://securitytracker.com/id/1005424
CVE Reference:   CVE-2002-1174, CVE-2002-1175   (Links to External Site)
Date:  Oct 16 2002
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A buffer overflow vulnerability was reported in fetchmail. A remote user may be able to cause arbitrary code to be executed when fetchmail is operating in multi-drop mode.

It is reported that there are several buffer overflow conditions that can be triggered when fetchmail is running in multi-drop mode.

In several places, the readheaders() parsing function reportedly copies user-supplied email addresses to fixed size buffers without checking the size of the email address.

A broken boundary check is reported in the getmxrecord() function. A remote user that can send a specially crafted DNS packet to the target server can exploit this flaw to cause fetchmail to crash.

A bug is also reported in the parse_received() function affecting the parsing of user-supplied "Received:" headers. Portions of the "Received:" header line are copied without validating the size of the copied portion. A remote user can send mail with a specially crafted "Received:" header line to cause fetchmail to overflow the heap with arbitrary code. This bug allows a remote user to execute arbitrary code on the system.

The vendor credits Stefan Esser (e-matters) for reporting these flaws. The e-matters security advisory is available at:

http://security.e-matters.de/advisories/032002.html

Impact:   A remote user may be able to execute arbitrary code on the system with the privileges of the fetchmail daemon. In some configurations, this may be root privileges.
Solution:   Sun has issued a fix for Sun Linux 5.0:

fetchmail-5.9.0-11.i386.rpm or later

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F47784 (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Sun)
Underlying OS Comments:  5.0

Message History:   This archive entry is a follow-up to the message listed below.
Sep 24 2002 Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code



 Source Message Contents

Subject:  Sun Alert 47784 (ftchmail); Sun Linux, Sun Cobalt RaQs and Qubes


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F47784

Sun issued an Alert Notification (47784) warning of a flaw in fetchmail, affecting Sun
Linux and Sun Cobalt systems.  A remote user may be able to execute arbitrary commands
with the privileges of the user running the "fetchmail" program. 

This issue is described in the following CVE entries:

    * CAN-2002-1174 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1174
    * CAN-2002-1175 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1175

The following releases are affected:

Sun Linux 5.0

    * fetchmail-5.9.0-1.i386.rpm

Qube 2

    * fetchmail-4.7.4-1.mips.rpm

Qube 3

    * fetchmail-5.5.0-1C1.i386.rpm

Sun has issued a fix for Sun Linux 5.0:

    * fetchmail-5.9.0-11.i386.rpm or later

A Fix Sun Cobalt Server Appliances (Qube 3, and Qube 2) is not yet available.  Sun has
provided the following workaround:

"As a possible workaround, for Sun Cobalt Server Appliances (Qube 3, and Qube 2) disable
remote mail acquisition through the Cobalt GUI (go to the "Email Services" tab under
"Remote Retrieval" and uncheck the "Enable Remote Retrieval" check box). As a result,
remote mail retrieval will not function until re-enabled."



    * Sun Alert ID: 47784
    * Synopsis: Sun Linux/Sun Cobalt Security Vulnerability in "fetchmail"
    * Category: Security
    * Product: Sun Linux, Sun Cobalt RaQs and Qubes
    * BugIDs:
    * Avoidance: Patch, Workaround
    * State: Committed
    * Date Released: 15-Oct-2002
    * Date Closed:
    * Date Modified:



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC