Debians sikkerhedsbulletin

DSA-171-1 fetchmail -- bufferoverløb

Rapporteret den:
7. okt 2002
Berørte pakker:
fetchmail, fetchmail-ssl
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 5825, BugTraq-id 5826, BugTraq-id 5827.
I Mitres CVE-ordbog: CVE-2002-1175, CVE-2002-1174.
Yderligere oplysninger:

Stefan Esser har opdaget flere bufferoverløb og en ikke-fungerende grænsekontrol i fetchmail. Hvis fetchmail kører i "multidrop"-tilstand, kan disse fejl udnyttes af fjernangribere til at få programmet til at gå end, eller til at udføre vilkårlig kode under den brugerid hørende til den bruger som kører fetchmail. Afhængigt af opsætningen kan dette medfør en fjern-root-udnyttelse.

Disse problemer er rettet i version 5.9.11-6.1 i både fetchmail og fetchmail-ssl i den aktuelle stabile distribution (woody), i version 5.3.3-4.2 af fetchmail i den gamle stabile distribution (potato) og i version 6.1.0-1 af både fetchmail og fetchmail-ssl i den ustabile distribution (sid). Der er ingen fetchmail-ssl-pakker til den gamle stabile distribution (potato) og derfor ingen opdateringer.

Vi anbefaler at du omgående opgraderer dine fetchmail-pakker.

Rettet i:

Debian GNU/Linux 2.2 (potato)

Kildekode:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2.dsc
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2.diff.gz
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.3.3-4.2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_i386.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_m68k.deb
PowerPC:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.2_sparc.deb

Debian GNU/Linux 3.0 (woody)

Kildekode:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1.dsc
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1.diff.gz
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11.orig.tar.gz
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1.dsc
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1.diff.gz
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.1_all.deb
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.9.11-6.1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_alpha.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_arm.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_i386.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_ia64.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_ia64.deb
HP Precision:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_hppa.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_m68k.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_mips.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_mipsel.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_powerpc.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_s390.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.1_sparc.deb
http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.