Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA 216-1] New fetchmail packages fix buffer overflow
From: debian-security-announce () lists debian org
Date: Tue, 24 Dec 2002 13:55:57 +0100 (CET)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 216-1                     security () debian org
http://www.debian.org/security/                             Martin Schulze
December 24th, 2002                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : fetchmail
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1365 (confirmed)

Stefan Esser of e-matters discovered a buffer overflow in fetchmail,
an SSL enabled POP3, APOP and IMAP mail gatherer/forwarder.  When
fetchmail retrieves a mail all headers that contain addresses are
searched for local addresses.  If a hostname is missing, fetchmail
appends it but doesn't reserve enough space for it.  This heap
overflow can be used by remote attackers to crash it or to execute
arbitrary code with the privileges of the user running fetchmail.

For the current stable distribution (woody) this problem has been
fixed in version 5.9.11-6.2 of fetchmail and fetchmail-ssl.

For the old stable distribution (potato) this problem has been fixed
in version 5.3.3-4.3.

For the current unstable distribution (sid) this problem has been
fixed in version 6.2.0-1 of fetchmail and fetchmail-ssl.

We recommend that you upgrade your fetchmail packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.dsc
      Size/MD5 checksum:      566 a1903624c0ec3bd32511423932643072
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.diff.gz
      Size/MD5 checksum:    27949 ba53d0ca7f33019f8aa377359adf1212
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3.orig.tar.gz
      Size/MD5 checksum:   755731 d2cffc4594ec2d36db6681b800f25e2a

  Architecture independent components:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.3.3-4.3_all.deb
      Size/MD5 checksum:    63344 eeb78fb002b7cec35d21f782123638c5

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_alpha.deb
      Size/MD5 checksum:   371692 f59ce881bc67072165a43c935d1c555b

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_arm.deb
      Size/MD5 checksum:   349562 7f3512eed908f266268a5c92be1d2fd8

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_i386.deb
      Size/MD5 checksum:   342328 51380d2821f2837a7aaf3f14850fce83

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_m68k.deb
      Size/MD5 checksum:   336626 0fc917ae77fae36202be9db505de495e

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_powerpc.deb
      Size/MD5 checksum:   350320 e3d5dbe15acefa05a6c7cbfdada1bf2a

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_sparc.deb
      Size/MD5 checksum:   328084 1f5bc0689d1c1c86f81d022a53e9cff9


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.dsc
      Size/MD5 checksum:      712 7dd3621fe339460971cc328484b0e279
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.diff.gz
      Size/MD5 checksum:   300336 7503a6bbf5020b118c0061586e16822a
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11.orig.tar.gz
      Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd

    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.dsc
      Size/MD5 checksum:      707 69a8e2fa290af062b9740943d26df507
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.diff.gz
      Size/MD5 checksum:   296112 e4ecdeddc8bffa9a54f386ab449485fe
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11.orig.tar.gz
      Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd

  Architecture independent components:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.2_all.deb
      Size/MD5 checksum:   165338 fd022003903f569d077e36faf5ad2a21
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.9.11-6.2_all.deb
      Size/MD5 checksum:    92680 259860a2bcf5ec0376e899a4bac606c5

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_alpha.deb
      Size/MD5 checksum:   307102 5fd453636e5bd8613abc7aa237585fe7
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_alpha.deb
      Size/MD5 checksum:   309976 952fa90b23a9cfc6924eae2f1408c54c

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_arm.deb
      Size/MD5 checksum:   290732 9bdae78eabf81f3abd9f06ff809b4515
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_arm.deb
      Size/MD5 checksum:   296660 cb0b113ef7df375b3ffd310a1012f3ce

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_i386.deb
      Size/MD5 checksum:   286470 f18703ec4f6a78310321055fcf83c4c8
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_i386.deb
      Size/MD5 checksum:   291960 2649fd5b6238851a29e8a787f462ee7e

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_ia64.deb
      Size/MD5 checksum:   329940 a504adb23f4b454ef367209e1040abcb
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_ia64.deb
      Size/MD5 checksum:   333976 144c1df5d7c723c7d6bd5e43f592b48b

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_hppa.deb
      Size/MD5 checksum:   299074 166df103ddb481f7765fdf748afd94a7
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_hppa.deb
      Size/MD5 checksum:   301932 bebfca5047e0cbc6b29153643badc969

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_m68k.deb
      Size/MD5 checksum:   281204 f04e277cf71fc0cddd091fc605ef4036
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_m68k.deb
      Size/MD5 checksum:   286402 6ce360b059551b495414e1beb02b67a3

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_mips.deb
      Size/MD5 checksum:   296502 d4dce762db683352d353e47abe050e13
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_mips.deb
      Size/MD5 checksum:   301044 2c684dbc2dba6f5cc8c1de6e6f705ff8

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_mipsel.deb
      Size/MD5 checksum:   295990 0d05ae19ca00996e83eaff5ace4bceb5
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_mipsel.deb
      Size/MD5 checksum:   300566 64af54cf6b0e3f531d0219a22eb1dd8a

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_powerpc.deb
      Size/MD5 checksum:   291608 68ff481887635a4ce1243d1900c02998
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_powerpc.deb
      Size/MD5 checksum:   297644 70ff4071e9680a10121819046d856e55

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_s390.deb
      Size/MD5 checksum:   288886 7b3fdb495abd4687d2e6829e7ffe0d9d
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_s390.deb
      Size/MD5 checksum:   294558 0699d986ee8f14d1c6ae3cfd1395206d

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_sparc.deb
      Size/MD5 checksum:   293406 f63f33a3530f7ba8506c35c3aa9c5e4b
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_sparc.deb
      Size/MD5 checksum:   298076 56d727fcf9a8cd3403454bb60bdd3b4d


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+CFldW5ql+IAeqTIRAmmPAJ9VT+c30qCero2+kp1vHq9lPZagmwCfRtOg
FdqQV1PtJ7ceHreqyR5imWo=
=637P
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA 216-1] New fetchmail packages fix buffer overflow debian-security-announce (Dec 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]