Date: Tue, 17 Dec 2002 17:24:17 +0100
From: OpenPKG <[email protected]>
To: [email protected]
Subject: [OpenPKG-SA-2002.016] OpenPKG Security Advisory (fetchmail)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
[email protected]                                     [email protected]
OpenPKG-SA-2002.016 17-Dec-2002
________________________________________________________________________
Package: fetchmail
Vulnerability: crashing or remote command execution
OpenPKG Specific: no
Dependent Packages: none
Affected Releases:   Affected Packages:             Corrected Packages:
OpenPKG 1.0          <= fetchmail-5.9.5-1.0.0       >= fetchmail-5.9.5-1.0.1
OpenPKG 1.1          <= fetchmail-5.9.13-1.1.0      >= fetchmail-5.9.13-1.1.1
OpenPKG CURRENT      <= fetchmail-6.1.3-20021128    >= fetchmail-6.2.0-20021213
Description:
The e-matters security team has reaudited Fetchmail and discovered a
remote vulnerability [1] within the default install. Headers are
searched for local addresses, to which an '@' and the hostname of the
mailserver are appended. The buffer sized to store the modified addresses
is too short by one character per address. This vulnerability allows
crashing or remote code execution. Depending on the configuration this
can lead to a remote root compromise.
Check whether you are affected by running "<prefix>/bin/rpm -q fetchmail".
If you have an affected version of the fetchmail package (see above),
please upgrade it according to the solution below.
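To make the sizing mistake described above concrete, here is an added illustration in C. It is not fetchmail's code; the address list, hostname and function names are constructed assumptions. It shows the size computation with and without the one byte per address for the '@', next to a bounded rewrite that reports an undersized buffer instead of overrunning it.

```c
/* Added illustration, not fetchmail's code. Sample input is constructed. */
#include <stdio.h>
#include <string.h>

/* Bytes needed for "a1@host, a2@host, ..." plus the terminating NUL.
 * With count_at == 0 this reproduces the advisory's mistake: the '@'
 * byte is omitted, so the total is short by one per address. */
static size_t rewrite_bufsize(const char *const *addrs, size_t n,
                              const char *host, int count_at)
{
    size_t total = 1;                       /* NUL terminator */
    for (size_t i = 0; i < n; i++) {
        total += strlen(addrs[i]) + strlen(host);
        if (count_at)
            total += 1;                     /* the '@' */
        if (i + 1 < n)
            total += 2;                     /* ", " separator */
    }
    return total;
}

/* Bounded rewrite: 0 on success, -1 if buf (cap bytes) is too small.
 * Every write is checked against the remaining space, so an undersized
 * buffer is detected rather than written past. */
static int rewrite_addrs(char *buf, size_t cap, const char *const *addrs,
                         size_t n, const char *host)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + used, cap - used, "%s%s@%s",
                         i ? ", " : "", addrs[i], host);
        if (w < 0 || (size_t)w >= cap - used)
            return -1;                      /* would not have fit */
        used += (size_t)w;
    }
    return 0;
}

/* Constructed sample: two local addresses and an assumed mailserver name. */
static const char *const SAMPLE_ADDRS[] = { "alice", "bob" };
static const char SAMPLE_HOST[] = "mail.example.org";

/* Rewrite the sample into a buffer of the given capacity; NULL if too small. */
static const char *sample_rewrite(size_t cap)
{
    static char buf[128];
    if (cap > sizeof buf)
        cap = sizeof buf;
    return rewrite_addrs(buf, cap, SAMPLE_ADDRS, 2, SAMPLE_HOST) == 0 ? buf : NULL;
}
```

With the sample input the faulty sizing yields 43 bytes where 45 are needed, and the bounded rewrite refuses the 43-byte buffer instead of overrunning it.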
Solution:
Update existing packages to newly patched versions of fetchmail. Select the
updated source RPM appropriate for your OpenPKG release [2][3][4], and
fetch it from the OpenPKG FTP service or a mirror location. Verify its
integrity [5], build a corresponding binary RPM from it and update your
OpenPKG installation by applying the binary RPM [6]. For the latest
OpenPKG 1.1 release, perform the following operations to permanently fix
the security problem (for other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get fetchmail-5.9.13-1.1.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig fetchmail-5.9.13-1.1.1.src.rpm
$ <prefix>/bin/rpm --rebuild fetchmail-5.9.13-1.1.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/fetchmail-5.9.13-1.1.1.*.rpm
________________________________________________________________________
References:
[1] http://security.e-matters.de/advisories/052002.html
[2] ftp://ftp.openpkg.org/release/1.0/UPD/
[3] ftp://ftp.openpkg.org/release/1.1/UPD/
[4] ftp://ftp.openpkg.org/current/SRC/
[5] http://www.openpkg.org/security.html#signature
[6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <[email protected]>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[email protected]>
iEYEARECAAYFAj3/SiIACgkQgHWT4GPEy58OygCffa9srrGX6bLI3NuFXqXI1AIa
dIsAoJwKFZSO0oAkSJr8WplNmiKtYS6S
=BD0i
-----END PGP SIGNATURE-----