Date: Thu, 21 Jun 2001 17:07:38 -0400 (EDT)
From: EnGarde Secure Linux <[email protected]>
To: [email protected], [email protected]
Subject: [ESA-20010620-01]: fetchmail-ssl buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   June 20, 2001 |
| http://www.engardelinux.org/                           ESA-20010620-01 |
|                                                                        |
| Package: fetchmail-ssl                                                 |
| Summary: There is a buffer overflow in the header handling code of     |
|          the fetchmail-ssl package.                                    |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There is a buffer overflow vulnerability in the fetchmail-ssl package
which could potentially be exploited remotely, although no exploit is
known of at this time.
DETAIL
- ------
There is a buffer overflow in the header parsing code of fetchmail
(rfc822.c) which caused fetchmail to die with a segmentation fault
when it encountered a message with a large "To:" header.
This bug could be exploited remotely and, if fetchmail is being run
as root, could allow the attacker to obtain root privileges. No
exploit is known of at this time but we highly recommend all users
update nevertheless.
We have updated the package to version 5.8.7 to fix this problem.
SOLUTION
- --------
All users should upgrade to the most recent version, as outlined in
this advisory. All updates can be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.ibiblio.org/pub/linux/distributions/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signature of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/fetchmail-ssl-5.8.7-1.0.2.src.rpm
MD5 Sum: a3fbe418903aaee80c4d7f68b246bd3b
Binary Packages:
i386/fetchmail-ssl-5.8.7-1.0.2.i386.rpm
MD5 Sum: fc034811543e4aa5ad913bfa444f7e7f
i686/fetchmail-ssl-5.8.7-1.0.2.i686.rpm
MD5 Sum: dcb18d42dd572432ddb60bd917e2418d
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
Wolfram Kleff <[email protected]>
fetchmail's Official Web Site:
http://www.tuxedo.org/~esr/fetchmail/index.html
Original disclosure of this bug:
http://bugs.debian.org/100394
- --------------------------------------------------------------------------
$Id: ESA-20010620-01-fetchmail-ssl,v 1.2 2001/06/20 18:51:11 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <[email protected]>
Copyright 2001, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7MmIiHD5cqd57fu0RArc7AJsGfdqJYOtAiAw2NG4f03FFk/QEtgCfe6d+
Lrl2lQlTAJWJ+PKUhmp9xYg=
=KhJe
-----END PGP SIGNATURE-----
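
The following is an added example, not part of the original advisory or of
EnGarde's tooling: a shell helper that compares a downloaded package against
the MD5 sums listed under UPDATED PACKAGES before it is handed to rpm. The
function names are illustrative assumptions, and md5sum is assumed to be
installed.

```shell
#!/bin/sh
# Added example (not from the advisory): refuse to install a package whose
# MD5 sum does not match the one published under UPDATED PACKAGES.

# Expected sums, copied from the advisory text above.
ADVISORY_SUMS='a3fbe418903aaee80c4d7f68b246bd3b  fetchmail-ssl-5.8.7-1.0.2.src.rpm
fc034811543e4aa5ad913bfa444f7e7f  fetchmail-ssl-5.8.7-1.0.2.i386.rpm
dcb18d42dd572432ddb60bd917e2418d  fetchmail-ssl-5.8.7-1.0.2.i686.rpm'

# expected_md5 FILE: print the advisory's sum for FILE's basename.
# Returns 1 if the advisory does not list that package name.
expected_md5() {
    name=$(basename "$1")
    sum=$(printf '%s\n' "$ADVISORY_SUMS" | awk -v n="$name" '$2 == n { print $1 }')
    [ -n "$sum" ] || return 1
    printf '%s\n' "$sum"
}

# check_package FILE
# Returns 0 on match, 1 on mismatch, 2 if not listed, 3 if unreadable.
check_package() {
    want=$(expected_md5 "$1") || { echo "not in advisory: $1" >&2; return 2; }
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 3; }
    got=$(md5sum < "$1" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "MD5 MISMATCH for $1: got $got, advisory says $want" >&2
        return 1
    fi
    echo "MD5 ok: $1"
}

# Usage sketch, run by hand as root with LIDS handled as the advisory describes:
#   f=fetchmail-ssl-5.8.7-1.0.2.i386.rpm
#   check_package "$f" && rpm -Kv "$f" && rpm -Uvh "$f"
```

The MD5 comparison only shows that the download matches what this advisory
lists; authenticity of the package rests on the rpm -Kv signature check
against Guardian Digital's public key.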