
ESB-2002.723 -- Debian Security Advisory DSA 216-1 -- New fetchmail packages fix buffer overflow
Date: 27 December 2002
Original URL: http://www.auscert.org.au/render.html?cid=1&it=2656
References: ESB-2002.558  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2002.723 -- Debian Security Advisory DSA 216-1
                New fetchmail packages fix buffer overflow
                             27 December 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                fetchmail
                        fetchmail-ssl
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2
                        Debian GNU/Linux 3.0
                        Linux
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote

Ref:                    ESB-2002.558

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 216-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
December 24th, 2002                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : fetchmail
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1365 (confirmed)

Stefan Esser of e-matters discovered a buffer overflow in fetchmail,
an SSL-enabled POP3, APOP and IMAP mail gatherer/forwarder.  When
fetchmail retrieves a mail, all headers that contain addresses are
searched for local addresses.  If a hostname is missing, fetchmail
appends it but doesn't reserve enough space for it.  This heap
overflow can be used by remote attackers to crash it or to execute
arbitrary code with the privileges of the user running fetchmail.
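The overflow described above is a size-accounting mistake: a buffer is sized for the address as it arrived, and "@" plus a hostname is then appended into it. The following is an added illustration, not fetchmail's source, of the same operation done with the size computed from all parts before any copy, alongside a bounded variant that reports failure instead of writing past a caller-supplied buffer. The function names and the sample addresses are constructed for the example.

```c
/* Added illustrative example, not fetchmail's code: append a default
 * hostname to a bare local part with correct size accounting. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of addr, qualified with "@host" if it has
 * no hostname.  The caller frees the result.  Returns NULL on allocation
 * failure or if the formatted result would not fit its own allocation. */
char *qualify_address(const char *addr, const char *host)
{
    size_t alen = strlen(addr);
    if (strchr(addr, '@') != NULL) {
        /* Already qualified: exact copy, alen + 1 for the terminator. */
        char *copy = malloc(alen + 1);
        if (copy == NULL) return NULL;
        memcpy(copy, addr, alen + 1);
        return copy;
    }
    /* The bug class in the advisory is sizing for the address alone and
     * appending afterwards.  The correct size is local part + '@' + host
     * + NUL, and it is computed before anything is written. */
    size_t hlen = strlen(host);
    size_t need = alen + 1 + hlen + 1;
    char *out = malloc(need);
    if (out == NULL) return NULL;
    /* snprintf bounds the write to the allocation regardless of the
     * arithmetic above; a truncated result is treated as an error. */
    int n = snprintf(out, need, "%s@%s", addr, host);
    if (n < 0 || (size_t)n >= need) {
        free(out);
        return NULL;
    }
    return out;
}

/* Fixed-buffer variant for callers that cannot allocate.  Returns 0 on
 * success and -1 if the qualified address would not fit in dstlen bytes;
 * dst is left empty in that case so a caller cannot use a partial value. */
int qualify_address_into(char *dst, size_t dstlen, const char *addr, const char *host)
{
    int n;
    if (strchr(addr, '@') != NULL)
        n = snprintf(dst, dstlen, "%s", addr);
    else
        n = snprintf(dst, dstlen, "%s@%s", addr, host);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0) dst[0] = '\0';
        return -1;
    }
    return 0;
}
```

The heap variant is what an address-rewriting mail tool would normally use; the fixed-buffer variant shows the shape a caller needs when the destination is a header line of known maximum length, where the correct response to an oversized result is to refuse the header, not to truncate it silently.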

For the current stable distribution (woody) this problem has been
fixed in version 5.9.11-6.2 of fetchmail and fetchmail-ssl.

For the old stable distribution (potato) this problem has been fixed
in version 5.3.3-4.3.

For the current unstable distribution (sid) this problem has been
fixed in version 6.2.0-1 of fetchmail and fetchmail-ssl.

We recommend that you upgrade your fetchmail packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
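The manual path above (wget, then dpkg -i) gives the administrator a step that apt-get performs implicitly: comparing the downloaded file with the Size/MD5 pair the advisory lists for it. The following helper is an added example, not part of the Debian or AusCERT text; it assumes md5sum (coreutils) or md5 (BSD/macOS) is on the PATH, and the usage comment takes its values from the woody i386 entry in the package list that follows.

```sh
#!/bin/sh
# Added example (not part of the Debian or AusCERT text): check a downloaded
# .deb against the Size/MD5 pair listed in the advisory before 'dpkg -i'.
# Assumes md5sum (coreutils) or md5 (BSD/macOS) is on the PATH.

file_size() {
    wc -c < "$1" | tr -d ' '
}

file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# verify_package FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both values match the advisory, 1 otherwise, and names the
# check that failed.  Size is compared first because it is the cheap test
# and a truncated download is the common failure.
verify_package() {
    file=$1 want_size=$2 want_md5=$3
    [ -f "$file" ] || { echo "verify_package: $file: no such file" >&2; return 1; }
    have_size=$(file_size "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "verify_package: $file: size $have_size, advisory lists $want_size" >&2
        return 1
    fi
    have_md5=$(file_md5 "$file" | tr 'A-F' 'a-f')
    want_md5=$(printf '%s' "$want_md5" | tr 'A-F' 'a-f')
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_package: $file: md5 $have_md5, advisory lists $want_md5" >&2
        return 1
    fi
    echo "verify_package: $file: size and MD5 match the advisory"
    return 0
}

# Usage, with the woody i386 values from the package list in this advisory:
#   wget http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_i386.deb
#   verify_package fetchmail_5.9.11-6.2_i386.deb 286470 f18703ec4f6a78310321055fcf83c4c8 \
#       && dpkg -i fetchmail_5.9.11-6.2_i386.deb
```

The Size/MD5 pair protects against a corrupted or mismatched download; it is only as trustworthy as the advisory it was copied from, which is why the bulletin is PGP-signed and why the values should be taken from a verified copy rather than from an unsigned mirror of the text.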


Debian GNU/Linux 2.2 alias potato
- - ---------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.dsc
      Size/MD5 checksum:      566 a1903624c0ec3bd32511423932643072
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.diff.gz
      Size/MD5 checksum:    27949 ba53d0ca7f33019f8aa377359adf1212
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3.orig.tar.gz
      Size/MD5 checksum:   755731 d2cffc4594ec2d36db6681b800f25e2a

  Architecture independent components:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.3.3-4.3_all.deb
      Size/MD5 checksum:    63344 eeb78fb002b7cec35d21f782123638c5

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_alpha.deb
      Size/MD5 checksum:   371692 f59ce881bc67072165a43c935d1c555b

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_arm.deb
      Size/MD5 checksum:   349562 7f3512eed908f266268a5c92be1d2fd8

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_i386.deb
      Size/MD5 checksum:   342328 51380d2821f2837a7aaf3f14850fce83

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_m68k.deb
      Size/MD5 checksum:   336626 0fc917ae77fae36202be9db505de495e

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_powerpc.deb
      Size/MD5 checksum:   350320 e3d5dbe15acefa05a6c7cbfdada1bf2a

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_sparc.deb
      Size/MD5 checksum:   328084 1f5bc0689d1c1c86f81d022a53e9cff9


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.dsc
      Size/MD5 checksum:      712 7dd3621fe339460971cc328484b0e279
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.diff.gz
      Size/MD5 checksum:   300336 7503a6bbf5020b118c0061586e16822a
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11.orig.tar.gz
      Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd

    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.dsc
      Size/MD5 checksum:      707 69a8e2fa290af062b9740943d26df507
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.diff.gz
      Size/MD5 checksum:   296112 e4ecdeddc8bffa9a54f386ab449485fe
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11.orig.tar.gz
      Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd

  Architecture independent components:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.2_all.deb
      Size/MD5 checksum:   165338 fd022003903f569d077e36faf5ad2a21
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.9.11-6.2_all.deb
      Size/MD5 checksum:    92680 259860a2bcf5ec0376e899a4bac606c5

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_alpha.deb
      Size/MD5 checksum:   307102 5fd453636e5bd8613abc7aa237585fe7
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_alpha.deb
      Size/MD5 checksum:   309976 952fa90b23a9cfc6924eae2f1408c54c

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_arm.deb
      Size/MD5 checksum:   290732 9bdae78eabf81f3abd9f06ff809b4515
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_arm.deb
      Size/MD5 checksum:   296660 cb0b113ef7df375b3ffd310a1012f3ce

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_i386.deb
      Size/MD5 checksum:   286470 f18703ec4f6a78310321055fcf83c4c8
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_i386.deb
      Size/MD5 checksum:   291960 2649fd5b6238851a29e8a787f462ee7e

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_ia64.deb
      Size/MD5 checksum:   329940 a504adb23f4b454ef367209e1040abcb
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_ia64.deb
      Size/MD5 checksum:   333976 144c1df5d7c723c7d6bd5e43f592b48b

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_hppa.deb
      Size/MD5 checksum:   299074 166df103ddb481f7765fdf748afd94a7
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_hppa.deb
      Size/MD5 checksum:   301932 bebfca5047e0cbc6b29153643badc969

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_m68k.deb
      Size/MD5 checksum:   281204 f04e277cf71fc0cddd091fc605ef4036
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_m68k.deb
      Size/MD5 checksum:   286402 6ce360b059551b495414e1beb02b67a3

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_mips.deb
      Size/MD5 checksum:   296502 d4dce762db683352d353e47abe050e13
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_mips.deb
      Size/MD5 checksum:   301044 2c684dbc2dba6f5cc8c1de6e6f705ff8

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_mipsel.deb
      Size/MD5 checksum:   295990 0d05ae19ca00996e83eaff5ace4bceb5
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_mipsel.deb
      Size/MD5 checksum:   300566 64af54cf6b0e3f531d0219a22eb1dd8a

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_powerpc.deb
      Size/MD5 checksum:   291608 68ff481887635a4ce1243d1900c02998
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_powerpc.deb
      Size/MD5 checksum:   297644 70ff4071e9680a10121819046d856e55

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_s390.deb
      Size/MD5 checksum:   288886 7b3fdb495abd4687d2e6829e7ffe0d9d
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_s390.deb
      Size/MD5 checksum:   294558 0699d986ee8f14d1c6ae3cfd1395206d

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2_sparc.deb
      Size/MD5 checksum:   293406 f63f33a3530f7ba8506c35c3aa9c5e4b
    http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2_sparc.deb
      Size/MD5 checksum:   298076 56d727fcf9a8cd3403454bb60bdd3b4d


  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+CFldW5ql+IAeqTIRAmmPAJ9VT+c30qCero2+kp1vHq9lPZagmwCfRtOg
FdqQV1PtJ7ceHreqyR5imWo=
=637P
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPgxa3ih9+71yA2DNAQFquwQAi6ePcT2h1PxzvPg19+boeT5D+3lv7bi7
XlOITBHoRXxeMyPN50hzUTTogmiiTnntsRJayPRVv7RTPk4fgc+T5TDyuAGi4/Du
gOuBgNivuinwOxHWuRrF9sJIvZrNwdJG3UWSPdiwEH4G2T58cAeOfQ9hI1MrhaCw
3Muf/MJ3qWM=
=TteT
-----END PGP SIGNATURE-----