Category:   Application (E-mail Client)  >   Fetchmail
Vendors:   Raymond, Eric S.
(Apple Issues Fix) Fetchmail Can Be Crashed By Remote Users Sending a Specially Crafted E-mail Message
SecurityTracker Alert ID:  1008535
SecurityTracker URL:  http://securitytracker.com/id/1008535
CVE Reference:   CVE-2003-0792
Updated:  Feb 21 2004
Original Entry Date:  Dec 20 2003
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.2.4
Description:   A denial of service vulnerability was reported in fetchmail in the processing of long lines. A remote user can cause fetchmail to crash.

It is reported that a remote user can create a specially crafted email message to cause fetchmail to crash. Reports indicate that fetchmail does not properly allocate memory when processing long lines.

No further details were provided.

Impact:   A remote user can cause fetchmail to crash.
Solution:   Apple has released a fix for Jaguar. Security Update 2003-12-19 for Jaguar is available at:

* Software Update pane in System Preferences

* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120291
The download file is named: "SecurityUpd2003-12-19Jag.dmg"
Its SHA-1 digest is: b0c5d1ef54020db7580798fddd7a1e132e653896

Vendor URL:  catb.org/~esr/fetchmail/
Cause:   Exception handling error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.2.8

Message History:   This archive entry is a follow-up to the message listed below.
Oct 17 2003 Fetchmail Can Be Crashed By Remote Users Sending E-mail With Long Lines



 Source Message Contents

Subject:  APPLE-SA-2003-12-19 Security Update for Jaguar


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2003-12-19 Security Update 2003-12-19 for Jaguar

Security Update 2003-12-19 for Jaguar is available for Mac OS X 10.2.8
    and Mac OS X Server 10.2.8.

It contains security enhancements for the following:

AppleFileServer: Fixes CAN-2003-1007 to improve the handling of
    malformed requests.

cd9660.util:  Fixes CAN-2003-1006, a buffer overflow vulnerability in
    the filesystem utility cd9660.util.
    Credit to KF of Secure Network Operations for reporting this issue.

Directory Services:  Fixes CAN-2003-1009.  The default settings are
    changed to prevent an inadvertent connection in the event of a
    malicious DHCP server on the computer's local subnet.  Further
    information is provided in Apple's Knowledge Base article:
    http://docs.info.apple.com/article.html?artnum=32478
    Credit to William A. Carrel for reporting this issue.

fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that
    improve its stability when receiving malformed messages.

fs_usage:  Fixes CAN-2003-1010. The fs_usage tool has been improved to
    prevent a local privilege escalation vulnerability.  This tool is
    used to collect system performance information and requires admin
    privileges to run.
    Credit to Dave G. of @stake for reporting this issue.

rsync:  Fixes CAN-2003-0962 by improving the security of the rsync
    server.

System initialization:  Fixes CAN-2003-1011. The system initialization
    process has been improved to restrict root access on a system that
    uses a USB keyboard.

Note:  The following fixes which appear in "Security Update 2003-12-19
    for Panther" are not included in "Security Update 2003-12-19 for
    Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server
    are not vulnerable to these issues:
       -  CAN-2003-1005:  ASN.1 Decoding for PKI
       -  CAN-2003-1008:  Screen Saver text clippings

================================================

Security Update 2003-12-19 for Jaguar may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:
    http://www.info.apple.com/kbnum/n120291
    The download file is named: "SecurityUpd2003-12-19Jag.dmg"
    Its SHA-1 digest is: b0c5d1ef54020db7580798fddd7a1e132e653896
    
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

-----END PGP SIGNATURE-----