Date: Thu, 16 Aug 2001 09:35:38 -0400 (EDT)
From: EnGarde Secure Linux <[email protected]>
To: [email protected], [email protected]Subject: [ESA-20010816-01] fetchmail-ssl memory overwrite vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory August 16, 2001 |
| http://www.engardelinux.org/ ESA-20010816-01 |
| |
| Package: fetchmail-ssl |
| Summary: fetchmail-ssl contains a memory overwrite vulnerability. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There is a remotely exploitable memory overwrite vulnerability in the
fetchmail-ssl package. An exploit is known to exist.
DETAIL
- ------
While doing a routine security audit of the fetchmail package (named
"fetchmail-ssl" in EnGarde), Salvatore Sanfilippo found two remotely
exploitable bugs in both the imap and pop3 code. Lack of bounds
checking may allow an attacker to write arbitrary data into memory.
The attacker must have control of the mail server the client (using
fetchmail) is attempting to contact in order to exploit this
vulnerability.
SOLUTION
- --------
All users should upgrade to the most recent version, as outlined in
this advisory.
Guardian Digital recently made available the Guardian Digital Secure
Update, a means to proactively keep systems secure and manage
system software. EnGarde users can automatically update their system
using the Guardian Digital WebTool secure interface.
If choosing to manually upgrade this package, updates can be
obtained from:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signature of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/fetchmail-ssl-5.8.17-1.0.3.src.rpm
MD5 Sum: 31f14d5c99dbfd6c61178e2e831362db
Binary Packages:
i386/fetchmail-ssl-5.8.17-1.0.3.i386.rpm
MD5 Sum: 244840700bfbb09078ff246791ae49a3
i686/fetchmail-ssl-5.8.17-1.0.3.i686.rpm
MD5 Sum: 03e5c25d5ba62f4370c1e234f1b3b5dd
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
Salvatore Sanfilippo <[email protected]>
fetchmail's Official Web Site:
http://www.tuxedo.org/~esr/fetchmail/
Security Contact: [email protected]
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20010816-01-fetchmail-ssl,v 1.1 2001/08/16 13:12:17 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <[email protected]>
Copyright 2001, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7e8wyHD5cqd57fu0RAqVmAJ92qE77h61fV4u7+3D6YdTCUn3J1wCfccHM
KqsFrab9TpqjGEHYi7HwCFs=
=/VtX
-----END PGP SIGNATURE-----
