AOH :: HP Unsorted F :: C07-1688.HTM

fetchmail security announcement 2006-03 (CVE-2006-5974)



fetchmail security announcement 2006-03 (CVE-2006-5974)
fetchmail security announcement 2006-03 (CVE-2006-5974)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2006-03: crash when refusing message delivered through MDA

Topics:		fetchmail crashes when refusing a message bound for an MDA

Author:		Matthias Andree
Version:	1.0
Announced:	2007-01-04
Type:		denial of service
Impact:		fetchmail aborts prematurely
Danger:		low
Credits:	Neil Hoggarth (bug report and analysis)
CVE Name:	CVE-2006-5974
URL:		http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt 
Project URL:	http://fetchmail.berlios.de/ 

Affects:	fetchmail release = 6.3.5
		fetchmail release candidates 6.3.6-rc1, -rc2

Not affected:	fetchmail release 6.3.6

Corrected:	2006-11-14 fetchmail SVN


0. Release history
=================
2006-11-19 -	internal review draft
2007-01-04 1.0	 ready for release


1. Background
============
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
================================
Fetchmail 6.3.5 and early 6.3.6 release candidates, when delivering
messages to a message delivery agent by means of the "mda" option, can
crash (by passing a NULL pointer to ferror() and fflush()) when refusing
a message. SMTP and LMTP delivery modes aren't affected.


3. Workaround
============
Avoid the mda option and ship to a local SMTP or LMTP server instead.


4. Solution
==========
Download and install fetchmail 6.3.6 or a newer stable release from
fetchmail's project site at
. 



A. Copyright, License and Warranty
=================================
(C) Copyright 2007 by Matthias Andree, . 
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ 
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2006-03.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFntntvmGDOQUufZURAicZAKCg2UcpAQ0Wot44RbXYLP082rEX5QCfUYxg
qPVbKSzqv4ZEgrimsGieYc8=JbTf
-----END PGP SIGNATURE-----

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.