Security Information / 2002 / Security Information -- DSA-171-1 fetchmail

Debian Security Advisory

DSA-171-1 fetchmail -- buffer overflows

Date Reported:

07 Oct 2002

Affected Packages:

fetchmail, fetchmail-ssl

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 5825, BugTraq ID 5826, BugTraq ID 5827.
In Mitre's CVE dictionary: CVE-2002-1175, CVE-2002-1174.

More information:

Stefan Esser discovered several buffer overflows and a broken boundary check within fetchmail. If fetchmail is running in multidrop mode these flaws can be used by remote attackers to crash it or to execute arbitrary code under the user id of the user running fetchmail. Depending on the configuration this even allows a remote root compromise.

These problems have been fixed in version 5.9.11-6.1 for both fetchmail and fetchmail-ssl for the current stable distribution (woody), in version 5.3.3-4.2 for fetchmail for the old stable distribution (potato) and in version 6.1.0-1 for both fetchmail and fetchmail-ssl for the unstable distribution (sid). There are no fetchmail-ssl packages for the old stable distribution (potato) and thus no updates.

We recommend that you upgrade your fetchmail packages immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2.dsc

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2.diff.gz

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.3.3-4.2_all.deb

Alpha:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_alpha.deb

ARM:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_arm.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_i386.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_m68k.deb

PowerPC:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_powerpc.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1.dsc

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1.diff.gz

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11.orig.tar.gz

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1.dsc

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1.diff.gz

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.1_all.deb

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.9.11-6.1_all.deb

Alpha:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_alpha.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_alpha.deb

ARM:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_arm.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_arm.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_i386.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_ia64.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_ia64.deb

HP Precision:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_hppa.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_hppa.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_m68k.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_m68k.deb

Big endian MIPS:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_mips.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_mips.deb

Little endian MIPS:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_mipsel.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_powerpc.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_s390.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_s390.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_sparc.deb

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.