SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Fetchmail Vendors:   Raymond, Eric S.
(Apple Issues Fix) Fetchmail Can Be Crashed By Remote Users Sending a Specially Crafted E-mail Message
SecurityTracker Alert ID:  1008527
SecurityTracker URL:  http://securitytracker.com/id/1008527
CVE Reference:   CVE-2003-0792   (Links to External Site)
Updated:  Feb 21 2004
Original Entry Date:  Dec 20 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.2.4
Description:   A denial of service vulnerability was reported in fetchmail in the processing of long lines. A remote user can cause fetchmail to crash.

It is reported that a remote user can create a specially crafted email message to cause fetchmail to crash. Reports indicate that fetchmail does not properly allocate memory when processing long lines.

No further details were provided.

Impact:   A remote user can cause fetchmail to crash.
Solution:   Apple has released a fix as part of Security Update 2003-12-19 for Panther, available at:

* Software Update pane in System Preferences

* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120292
The download file is named: "SecurityUpd2003-12-19.dmg"
Its SHA-1 digest is: 112674677572232f640d03122b25527d84fbbbf8

Vendor URL:  catb.org/~esr/fetchmail/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.3.2

Message History:   This archive entry is a follow-up to the message listed below.
Oct 17 2003 Fetchmail Can Be Crashed By Remote Users Sending E-mail With Long Lines



 Source Message Contents

Subject:  APPLE-SA-2003-12-19 Security Update for Panther


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2003-12-19 Security Update 2003-12-19 for Panther

Security Update 2003-12-19 for Panther is available for
    Mac OS X 10.3.2 and Mac OS X Server 10.3.2.

It contains security enhancements for the following:

AppleFileServer: Fixes CAN-2003-1007 to improve the handling of
    malformed requests.

ASN.1 Decoding for PKI:  Fixes CAN-2003-1005 which could cause a
    potential denial of service when receiving malformed ASN.1
    sequences.  This is related but separate from CAN-2003-0851.

cd9660.util:  Fixes CAN-2003-1006, a buffer overflow vulnerability in
    the filesystem utility cd9660.util.
    Credit to KF of Secure Network Operations for reporting this issue.

Directory Services:  Fixes CAN-2003-1009.  The default settings are
    changed to prevent an inadvertent connection in the event of a
    malicious DHCP server on the computer's local subnet.  Further
    information is provided in Apple's Knowledge Base article:
    http://docs.info.apple.com/article.html?artnum=32478
    Credit to William A. Carrel for reporting this issue.

fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that
    improve its stability when receiving malformed messages.

fs_usage:  Fixes CAN-2003-1010. The fs_usage tool has been improved to
    prevent a local privilege escalation vulnerability.  This tool is
    used to collect system performance information and requires admin
    privileges to run.
    Credit to Dave G. of @stake for reporting this issue.

rsync:  Fixes CAN-2003-0962 by improving the security of the rsync
    server.
    
Screen Saver:  Fixes CAN-2003-1008.  When the Screen Saver login
    window is present, it is no longer possible to write a text
    clipping to the desktop or an application.
    Credit to Benjamin Kelly for reporting this issue.

System initialization:  Fixes CAN-2003-1011. The system initialization
    process has been improved to restrict root access on a system that
    uses a USB keyboard.

================================================

Security Update 2003-12-19 for Panther may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:
    http://www.info.apple.com/kbnum/n120292
    The download file is named: "SecurityUpd2003-12-19.dmg"
    Its SHA-1 digest is: 112674677572232f640d03122b25527d84fbbbf8
    
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQEVAwUBP+Rsp3eI0z6bzFr0AQI/MwgAqqUXmeRPg2xLQlbGiK15uDhgrcOuE27V
5fi8IvkiAWMN/qjJofG3y+crtmZwTea0Z8qvcw8EcbMRtuhqzyCu43HFTE8wFJ4w
FqmwihZQANu8IHye9tgl36CiPJvY3bYWPxd3GobAQKZp81/OIhY3H2aB79Oa3N3o
6lBPHInyLmRswlOa9s7v6wSJAK/9MXa7dwSLtaaFsVg7R8kfe4atZ0tAlc8rHAnS
k0sZq1z6hPeiXHRxFIeozwTr6P5QLZB/3YuRYLtgYudojOauV1/X4/ltsOb5Kdk/
HUdrNSZfoECPI78BecWblnsGG91Tgd20GIcTke06o0zWvZa2vXWJDg==
=3ZBF
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC