[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] remotely-exploitable vulnerability in fetchmail

To: linux-security
Subject: [linux-security] remotely-exploitable vulnerability in fetchmail
From: Martin Siegert <siegert@sfu.ca>
Date: Mon, 27 May 2002 19:53:13 -0700
User-Agent: Mutt/1.2.5.1i

Topic
=====
remotely-exploitable vulnerability in fetchmail client

Problem Description
===================
When retrieving mail from an IMAP server, the fetchmail e-mail client will
allocate an array to store the sizes of the messages which
it will attempt to fetch. The size of the array is determined by the
number of messages that the server claims to have. Unpatched versions of
fetchmail prior to 5.9.10 did not check whether the number of e-mails the
server claimed was too high, allowing a malicious server to cause the
fetchmail process to write data outside of the array bounds.

Affected Systems
================
Systems that use fetchmail versions 5.9.10 and earlier.

Solution
========
Upgrade to fetchmail 5.9.11 (or patched version for your distribution)

RedHat 6.x
----------
rpm -Fvh fetchmail-5.9.0-9.i386.rpm fetchmailconf-5.9.0-9.i386.rpm

RedHat 7.0, 7.1
---------------
rpm -Fvh fetchmail-5.9.0-10.i386.rpm fetchmailconf-5.9.0-10.i386.rpm

RedHat 7.2, 7.3
---------------
rpm -Fvh fetchmail-5.9.0-11.i386.rpm fetchmailconf-5.9.0-11.i386.rpm

Prev by Date: [linux-security] imapd buffer overflow
Next by Date: [linux-security] tcpdump buffer overflow
Prev by thread: [linux-security] tcpdump buffer overflow
Next by thread: [linux-security] imapd buffer overflow
Index(es):
- Date
- Thread