Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Client)  >   Fetchmail Vendors:   Raymond, Eric S.
(Conectiva Issues Fix) Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
SecurityTracker Alert ID:  1005426
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 16 2002
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0.0 and prior versions
Description:   A buffer overflow vulnerability was reported in fetchmail. A remote user may be able to cause arbitrary code to be executed when fetchmail is operating in multi-drop mode.

It is reported that there are several buffer overflow conditions that can be triggered when fetchmail is running in multi-drop mode.

In several places, the readheaders() parsing function reportedly copies user-supplied email addresses to fixed size buffers without checking the size of the email address.

A broken boundary check is reported in the getmxrecord() function. A remote user that can send a specially crafted DNS packet to the target server can exploit this flaw to cause fetchmail to crash.

A bug is also reported in the parse_received() function affecting the parsing of user-supplied "Received:" headers. Portions of the "Received:" header line are copied without validating the size of the copied portion. A remote user can send mail with a specially crafted "Received:" header line to cause fetchmail to overflow the heap with arbitrary code. This bug allows a remote user to execute arbitrary code on the system.

The vendor credits Stefan Esser (e-matters) for reporting these flaws. The e-matters security advisory is available at:

Impact:   A remote user may be able to execute arbitrary code on the system with the privileges of the fetchmail daemon. In some configurations, this may be root privileges.
Solution:   Conectiva has released a fix.

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Conectiva)
Underlying OS Comments:  6.0, 7.0, 8

Message History:   This archive entry is a follow-up to the message listed below.
Sep 24 2002 Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code

 Source Message Contents

Subject:  [conectiva-updates] [CLA-2002:531] Conectiva Linux Security Announcement - fetchmail

Hash: SHA1

- --------------------------------------------------------------------------
- --------------------------------------------------------------------------

PACKAGE   : fetchmail
SUMMARY   : Multidrop mode vulnerabilities
DATE      : 2002-10-16 13:05:00
ID        : CLA-2002:531
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

 Fetchmail is a popular mail retrieval and forwarding utility.
 Stefan Esser discovered[1] two vulnerabilities in fetchmail functions
 responsible for parsing message headers. These vulnerabilities are
 present in unpatched versions of fetchmail prior to 6.1.0 and can be
 exploited only if it is running in "multidrop" mode.
 The first one is a broken boundary check, which can be exploited by a
 remote attacker who is able to send a specially crafted DNS packet to
 the victim. This attack can crash fetchmail, thus causing a Denial of
 Service (DoS).
 The second one is a buffer overflow. A remote attacker can exploit it
 by sending a message with a specially crafted 'Received:' header
 inside it. By exploiting this the attacker can execute arbitrary code
 with the privileges of the user running fetchmail.

 All fetchmail users should upgrade.
 IMPORTANT: if fetchmail is running as a daemon, it will have to be
 restarted in order to run the new version.


 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
Instructions on how to check the signatures of the RPM packages can be
found at
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at

- -------------------------------------------------------------------------
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC