GLSA 200403-10: Fetchmail 6.2.5 fixes a remote DoS
Severity: normal
Title: Fetchmail 6.2.5 fixes a remote DoS
Date: 03/30/2004
Bugs:
ID: 200403-10
Synopsis
Fetchmail versions 6.2.4 and earlier can be crashed by sending a specially-crafted email to a fetchmail user.
Background
Fetchmail is a utility that retrieves and forwards mail from remote systems using IMAP, POP, and other protocols.
Affected packages
Package | Vulnerable | Unaffected | Architecture(s) |
---|---|---|---|
net-mail/fetchmail | <= 6.2.4 | >= 6.2.5 | All supported architectures |
Description
Fetchmail versions 6.2.4 and earlier can be crashed by sending a specially-crafted email to a fetchmail user. This problem occurs because Fetchmail does not properly allocate memory for long lines in an incoming email.
Impact
Fetchmail users who receive a malicious email may have their fetchmail program crash.
Workaround
While a workaround is not currently known for this issue, all users are advised to upgrade to the latest version of fetchmail.
Resolution
Fetchmail users should upgrade to version 6.2.5 or later:
# emerge sync
# emerge -pv ">=net-mail/fetchmail-6.2.5"
# emerge ">=net-mail/fetchmail-6.2.5"
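To confirm that a host is outside the affected range after upgrading, a version string can be classified against the table above. This is an added example, not part of the original advisory or of Gentoo's tooling; the function names `ver_lt` and `glsa_status` and the sample version strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a net-mail/fetchmail version against
# GLSA 200403-10 (vulnerable: <= 6.2.4, unaffected: >= 6.2.5).
# The caller supplies the version string, e.g. from the package database.

# ver_lt A B: succeed if dotted numeric version A sorts strictly before B.
# Missing components count as 0, so "6.2" compares as "6.2.0".
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # drop the component just read
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "less than"
}

# glsa_status VERSION: print vulnerable, unaffected or unknown.
glsa_status() {
    v=$1
    # A Gentoo revision suffix (-rN) does not change the upstream version.
    case $v in *-r[0-9]*) v=${v%-r*} ;; esac
    # Anything that is not purely dotted digits (e.g. _rc, _pre) is
    # reported as unknown rather than guessed at.
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if ver_lt "$v" 6.2.5; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Constructed sample versions, not taken from the advisory.
for sample in 6.2.4 6.2.4-r1 6.2.5 6.10.0 6.2.5_rc1; do
    printf '%s\t%s\n' "$sample" "$(glsa_status "$sample")"
done
```

Components are compared numerically, so a later release such as 6.10.0 is not mistaken for one older than 6.2.5, which a plain string comparison would get wrong.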
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.