


Category:   Application (E-mail Client)  >   Fetchmail
Vendors:   Raymond, Eric S.
(Apple Issues Fix) Fetchmail Can Be Crashed By Remote Users Sending a Specially Crafted E-mail Message
SecurityTracker Alert ID:  1008527
SecurityTracker URL:
CVE Reference:   CVE-2003-0792
Updated:  Feb 21 2004
Original Entry Date:  Dec 20 2003
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.2.4
Description:   A denial of service vulnerability was reported in fetchmail in the processing of long lines. A remote user can cause fetchmail to crash.

It is reported that a remote user can create a specially crafted email message to cause fetchmail to crash. Reports indicate that fetchmail does not properly allocate memory when processing long lines.

No further details were provided.

Impact:   A remote user can cause fetchmail to crash.
Solution:   Apple has released a fix as part of Security Update 2003-12-19 for Panther, available at:

* Software Update pane in System Preferences

* Apple's Software Downloads web site:
The download file is named: "SecurityUpd2003-12-19.dmg"
Its SHA-1 digest is: 112674677572232f640d03122b25527d84fbbbf8

Vendor URL:
Cause:   Exception handling error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.3.2

Message History:   This archive entry is a follow-up to the message listed below.
Oct 17 2003 Fetchmail Can Be Crashed By Remote Users Sending E-mail With Long Lines

 Source Message Contents

Subject:  APPLE-SA-2003-12-19 Security Update for Panther


APPLE-SA-2003-12-19 Security Update 2003-12-19 for Panther

Security Update 2003-12-19 for Panther is available for
    Mac OS X 10.3.2 and Mac OS X Server 10.3.2.

It contains security enhancements for the following:

AppleFileServer: Fixes CAN-2003-1007 to improve the handling of
    malformed requests.

ASN.1 Decoding for PKI:  Fixes CAN-2003-1005 which could cause a
    potential denial of service when receiving malformed ASN.1
    sequences.  This is related but separate from CAN-2003-0851.

cd9660.util:  Fixes CAN-2003-1006, a buffer overflow vulnerability in
    the filesystem utility cd9660.util.
    Credit to KF of Secure Network Operations for reporting this issue.

Directory Services:  Fixes CAN-2003-1009.  The default settings are
    changed to prevent an inadvertent connection in the event of a
    malicious DHCP server on the computer's local subnet.  Further
    information is provided in Apple's Knowledge Base article:
    Credit to William A. Carrel for reporting this issue.

fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that
    improve its stability when receiving malformed messages.

fs_usage:  Fixes CAN-2003-1010. The fs_usage tool has been improved to
    prevent a local privilege escalation vulnerability.  This tool is
    used to collect system performance information and requires admin
    privileges to run.
    Credit to Dave G. of @stake for reporting this issue.

rsync:  Fixes CAN-2003-0962 by improving the security of the rsync

Screen Saver:  Fixes CAN-2003-1008.  When the Screen Saver login
    window is present, it is no longer possible to write a text
    clipping to the desktop or an application.
    Credit to Benjamin Kelly for reporting this issue.

System initialization:  Fixes CAN-2003-1011. The system initialization
    process has been improved to restrict root access on a system that
    uses a USB keyboard.


Security Update 2003-12-19 for Panther may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:
    The download file is named: "SecurityUpd2003-12-19.dmg"
    Its SHA-1 digest is: 112674677572232f640d03122b25527d84fbbbf8

Information will also be posted to the Apple Product Security web

This message is signed with Apple's Product Security PGP key, and
details are available at:
