SecurityTracker.com
SecurityTracker
Archives
Category:   Application (E-mail Client)  >   Fetchmail
Vendors:   fetchmail.berlios.de
Fetchmail Buffer Overflow in Processing POP3 UID Values Lets Remote Servers Execute Arbitrary Code
SecurityTracker Alert ID:  1014564
SecurityTracker URL:  http://securitytracker.com/id/1014564
CVE Reference:   CVE-2005-2335
Date:  Jul 24 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.2.5.1 and prior versions
Description:   A vulnerability was reported in Fetchmail. A remote POP3 mail server can execute arbitrary code on a connected system.

A remote POP3 server can supply a specially crafted UID value (in its response to the client's UIDL command) to a connected fetchmail client to trigger a stack overflow and execute arbitrary code. The code will run with the privileges of the fetchmail process. All POP3-based retrieval methods are affected.

In version 6.2.5.1, a remote server can trigger a null pointer dereference and cause the connected client to crash.

The vendor indicates that version 6.2.5.1 is only susceptible to denial of service attacks via this vulnerability.
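As an added illustration of the defensive side of this bug class (example code written for this entry, not fetchmail's source or the advisory's), a bounded parser for one line of a POP3 UIDL response that refuses any unique-id longer than the 70 octets RFC 1939 permits, so a server-chosen id can never overrun the client's buffer; the helper names and the constructed sample lines are assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* RFC 1939: a unique-id is 1 to 70 octets, each in the range 0x21..0x7E. */
#define UID_MAX 70

/* Parse one "msgnum unique-id" line of a POP3 UIDL response into a caller-
 * supplied buffer of uidsz bytes; 0 on success, -1 if malformed or too long.
 * Bug class to avoid: sscanf(line, "%d %s", ...) into a fixed-size buffer. */
int parse_uidl_line(const char *line, long *num, char *uid, size_t uidsz)
{
    const char *p, *start; char *end; size_t len;
    errno = 0;
    *num = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || *num < 1 || *end != ' ')
        return -1;
    start = end + 1;
    for (p = start; *p != '\0' && *p != '\r' && *p != '\n'; p++)
        if ((unsigned char)*p < 0x21 || (unsigned char)*p > 0x7E)
            return -1;      /* space and control bytes are not valid id octets */
    len = (size_t)(p - start);
    /* Refuse an empty or over-long id, or one that cannot fit with its NUL,
     * instead of silently truncating or overrunning the destination. */
    if (len == 0 || len > UID_MAX || len >= uidsz)
        return -1;
    memcpy(uid, start, len);
    uid[len] = '\0';
    return 0;
}

/* Returns 1 if LINE parses into a buffer sized for the RFC maximum, else 0. */
int uidl_line_accepted(const char *line)
{
    char uid[UID_MAX + 1];
    long num;
    return parse_uidl_line(line, &num, uid, sizeof uid) == 0;
}

/* Constructed "1 AAA..." line with IDLEN id bytes, a stand-in for a hostile
 * server response; reports whether the parser accepts it. */
int synthetic_uidl_accepted(size_t idlen)
{
    char line[512];
    if (idlen + 3 > sizeof line) return 0;
    line[0] = '1'; line[1] = ' ';
    memset(line + 2, 'A', idlen);
    line[idlen + 2] = '\0';
    return uidl_line_accepted(line);
}
```

A 70-byte id is accepted, a 71-byte or 200-byte one is refused before any copy takes place, which is the check an unbounded `%s` conversion lacks.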

The original advisory is available at:

http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt/

Edward J. Shornock discovered this vulnerability.

Impact:   A remote POP3 server can execute arbitrary code on a connected fetchmail client. The code will run with the privileges of the fetchmail process.
Solution:   The vendor has issued a fixed version (6.2.5.2 and 6.2.6-pre7). The future version 6.3.0 will also contain the fix.

Updated versions are available at:

http://developer.berlios.de/project/showfiles.php?group_id=1824

Vendor URL:  fetchmail.berlios.de/fetchmail-SA-2005-01.txt
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 26 2005 (Red Hat Issues Fix) Fetchmail Buffer Overflow in Processing POP3 UID Values Lets Remote Servers Execute Arbitrary Code
Red Hat has released a fix.


Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2021, SecurityGlobal.net LLC