Category: Application (E-mail Server) > Fetchmail
Vendors: Raymond, Eric S.
(Immunix Issues Fix) Fetchmail Buffer Overflow in Processing Addresses Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1007974
SecurityTracker URL:  http://securitytracker.com/id/1007974
CVE Reference: CVE-2002-1365
Date:  Oct 21 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.1.3 and prior versions
Description:   A buffer overflow vulnerability was reported in Fetchmail. A remote user could execute arbitrary code on the system.

e-matters reported that a remote user can send an e-mail containing a specially crafted header to trigger a heap overflow in Fetchmail. This may cause the fetchmail service to crash, or could cause arbitrary code to be executed on the system.

The flaw is reportedly due to an incorrect buffer size calculation. According to the report, fetchmail allocates a buffer to hold the addresses from an e-mail header; each local address (one without a domain part) is then appended with an '@' character and the mail server hostname and stored in that buffer. The size calculation reportedly omits the '@' character, so the buffer is one byte short for every address rewritten this way. Fetchmail also reportedly processes too many addresses, compounding the undersizing. The result is a heap overflow that a remote user can trigger with a crafted header.
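The sizing mistake described above, as an added illustration in C. This is not fetchmail's code and not the fix Immunix shipped; the names buggy_needed(), correct_needed() and rewrite_addrs() are hypothetical, and the addresses and hostname are constructed sample input. It shows the buggy rule (each rewritten address counted without its '@'), the corrected rule, and a bounds-checked writer that refuses to write when the destination is too small instead of running past it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the size-miscalculation pattern described in the
 * advisory; NOT fetchmail's code.  All names here are hypothetical. */

#define SEP ", "   /* separator written between rewritten addresses */

/* Constructed sample input: local addresses taken from a To: header, and
 * the mail server hostname that gets appended to each of them. */
static const char *SAMPLE_ADDRS[] = { "alice", "bob", "carol" };
static const size_t SAMPLE_COUNT = 3;
static const char *SAMPLE_HOST = "mail.example.org";

/* Buggy sizing rule: counts the local part and the hostname for every
 * address, plus separators and the terminating NUL, but forgets the '@'
 * that joins them.  The result is one byte short per address. */
size_t buggy_needed(const char **addrs, size_t n, const char *host)
{
    size_t total = 1;                          /* NUL terminator */
    for (size_t i = 0; i < n; i++) {
        total += strlen(addrs[i]) + strlen(host);
        if (i + 1 < n)
            total += strlen(SEP);
    }
    return total;
}

/* Corrected sizing rule: one extra byte per address for the '@'. */
size_t correct_needed(const char **addrs, size_t n, const char *host)
{
    size_t total = 1;
    for (size_t i = 0; i < n; i++) {
        total += strlen(addrs[i]) + 1 + strlen(host);   /* name '@' host */
        if (i + 1 < n)
            total += strlen(SEP);
    }
    return total;
}

/* Hardened writer: does not trust any precomputed size.  Appends
 * "name@host" for each address, separated by SEP, into buf[bufsize].
 * Returns 0 on success, -1 if the result would not fit; in both cases buf
 * stays NUL-terminated and nothing is written past bufsize. */
int rewrite_addrs(const char **addrs, size_t n, const char *host,
                  char *buf, size_t bufsize)
{
    size_t used = 0;
    if (bufsize == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + used, bufsize - used, "%s%s@%s",
                         i ? SEP : "", addrs[i], host);
        if (w < 0 || (size_t)w >= bufsize - used) {
            buf[used] = '\0';          /* truncate cleanly and report it */
            return -1;
        }
        used += (size_t)w;
    }
    return 0;
}

int main(void)
{
    size_t bad  = buggy_needed(SAMPLE_ADDRS, SAMPLE_COUNT, SAMPLE_HOST);
    size_t good = correct_needed(SAMPLE_ADDRS, SAMPLE_COUNT, SAMPLE_HOST);
    printf("buggy size %zu, correct size %zu, shortfall %zu bytes\n",
           bad, good, good - bad);

    char *buf = malloc(good);
    if (buf && rewrite_addrs(SAMPLE_ADDRS, SAMPLE_COUNT, SAMPLE_HOST, buf, good) == 0)
        printf("rewritten: %s\n", buf);
    free(buf);

    /* A buffer sized by the buggy rule: the hardened writer refuses
     * rather than writing past the end of the allocation. */
    char *small = malloc(bad);
    if (small)
        printf("buggy-sized buffer: %s\n",
               rewrite_addrs(SAMPLE_ADDRS, SAMPLE_COUNT, SAMPLE_HOST, small, bad) == 0
                   ? "fit" : "refused (would overflow)");
    free(small);
    return 0;
}
```

For the three sample addresses the shortfall is exactly three bytes, one per address, which is the kind of off-by-a-few heap overrun the description refers to. The defensive point is in rewrite_addrs(): the writer checks the remaining space on every append with snprintf, so a wrong allocation size turns into a reported failure rather than memory corruption.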

Impact:   A remote user can execute arbitrary code on the target system. This can occur when the target system's fetchmail process downloads a malicious e-mail message. The code will run with the privileges of the fetchmail process.
Solution:   Immunix has released a fix.

Precompiled binary packages for Immunix 7+ are available at:

http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fetchmail-5.9.0-10_imnx_1.i386.rpm

http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fetchmailconf-5.9.0-10_imnx_1.i386.rpm

A source package for Immunix 7+ is available at:

http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fetchmail-5.9.0-10_imnx_1.src.rpm

The Immunix OS 7+ md5sums are:

fb8091d8401059cdc1e7f44efb2f8d5f RPMS/fetchmail-5.9.0-10_imnx_1.i386.rpm
b70e0a1cbd01c40a51496218d14b26f1 RPMS/fetchmailconf-5.9.0-10_imnx_1.i386.rpm
ff1fda573b367c2ac5f81e2c4b3f2d74 SRPMS/fetchmail-5.9.0-10_imnx_1.src.rpm

Vendor URL: www.tuxedo.org/~esr/fetchmail/
Cause:   Boundary error
Underlying OS:  Linux (Immunix)
Underlying OS Comments:  7+

Message History:   This archive entry is a follow-up to the message listed below.
Dec 13 2002 Fetchmail Buffer Overflow in Processing Addresses Lets Remote Users Execute Arbitrary Code on the System



 Source Message Contents

Subject:  [Immunix-announce] Immunix Secured OS 7+ fetchmail update
-----------------------------------------------------------------------
	Immunix Secured OS Security Advisory

Packages updated:	fetchmail, fetchmailconf
Affected products:	Immunix OS 7+
Bugs fixed:		CAN-2002-1365, CAN-2003-0792, CAN-2003-0790
Date:			Fri Oct 17 2003
Advisory ID:		IMNX-2003-7+-023-01
Author:			Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------

Description:
  This update fixes several bugs in fetchmail, including a broken
  boundary condition check in the multidrop code, a header overflow that
  neglected to account for '@' signs in email addresses (CAN-2002-1365),
  a header-rewriting bug (CAN-2003-0792), and a header-reading bug
  (CAN-2003-0790; this CAN is likely to be revoked, but the patch appears
  to be nicely defensive).

  Immunix would like to thank Stefan Esser, Dave Jones, Markus Friedl,
  Nalin Dahyabhai, Mark J Cox, and Eric S. Raymond for diagnosing and
  fixing the problems.

  It is unknown if any of these problems lead to more than a Denial of
  Service attack. We do not believe StackGuard provides protection for
  any of the bugs addressed here.

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fetchmail-5.9.0-10_imnx_1.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fetchmailconf-5.9.0-10_imnx_1.i386.rpm

  A source package for Immunix 7+ is available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fetchmail-5.9.0-10_imnx_1.src.rpm

Immunix OS 7+ md5sums:
  fb8091d8401059cdc1e7f44efb2f8d5f RPMS/fetchmail-5.9.0-10_imnx_1.i386.rpm
  b70e0a1cbd01c40a51496218d14b26f1 RPMS/fetchmailconf-5.9.0-10_imnx_1.i386.rpm
  ff1fda573b367c2ac5f81e2c4b3f2d74 SRPMS/fetchmail-5.9.0-10_imnx_1.src.rpm


GPG verification:
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@immunix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce