
[linux-security] remotely-exploitable vulnerability in fetchmail



Topic
=====
remotely-exploitable vulnerability in fetchmail client

Problem Description
===================
When retrieving mail from an IMAP server, the fetchmail e-mail client
allocates an array to hold the sizes of the messages it is about to fetch.
The size of that array is taken from the number of messages the server
claims to hold. Unpatched versions of fetchmail up to and including 5.9.10
(see Affected Systems below) did not check whether the server-supplied
message number was too high, so a malicious or compromised IMAP server can
make the fetchmail process write data outside the bounds of the array.
Because the overflowing values are chosen by the server, this is a remote
memory-corruption bug, not just a crash.
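The check that is missing in the affected versions, shown on a simplified
model of the exchange. This is an added example and not fetchmail's own
code: the IMAP response grammar is reduced to "* N EXISTS" and
"* N FETCH (RFC822.SIZE M)" lines without CRLF, the server lines are
constructed here, and the MAX_MESSAGES cap is a hypothetical sanity limit.
unchecked_alloc_bytes() shows what an unchecked client computes when it
multiplies a server-chosen count by the element size with four-byte ints;
process_session() is the hardened form, which caps the claimed count and
refuses any FETCH sequence number outside the array it actually allocated.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MESSAGES 100000UL   /* hypothetical upper bound on a mailbox */
#define NLINES(a) (sizeof(a) / sizeof((a)[0]))

enum { OK = 0, ERR_SYNTAX = -1, ERR_TOO_MANY = -2, ERR_RANGE = -3 };

/* What an unchecked client computes for the allocation size: the
 * server-chosen count times a four-byte element wraps modulo 2^32,
 * so a count of 0x40000001 yields a 4-byte buffer for "a billion" sizes. */
unsigned int unchecked_alloc_bytes(unsigned int claimed_count)
{
    return claimed_count * 4u;
}

/* Parse "* N EXISTS" into a count, rejecting absurd values up front. */
int parse_exists(const char *line, unsigned long *count_out)
{
    char *end;
    unsigned long n;
    if (strncmp(line, "* ", 2) != 0) return ERR_SYNTAX;
    errno = 0;
    n = strtoul(line + 2, &end, 10);
    if (end == line + 2 || errno == ERANGE) return ERR_SYNTAX;
    if (strcmp(end, " EXISTS") != 0) return ERR_SYNTAX;
    if (n > MAX_MESSAGES) return ERR_TOO_MANY;
    *count_out = n;
    return OK;
}

/* Parse "* N FETCH (RFC822.SIZE M)" and store M at index N-1, but only
 * after checking that N lies inside the array we allocated. That bounds
 * check is the one the vulnerable versions lacked. */
int store_size(unsigned long *sizes, unsigned long count, const char *line)
{
    static const char prefix[] = " FETCH (RFC822.SIZE ";
    const char *p;
    char *end;
    unsigned long seq, sz;
    if (strncmp(line, "* ", 2) != 0) return ERR_SYNTAX;
    errno = 0;
    seq = strtoul(line + 2, &end, 10);
    if (end == line + 2 || errno == ERANGE) return ERR_SYNTAX;
    if (strncmp(end, prefix, sizeof prefix - 1) != 0) return ERR_SYNTAX;
    p = end + sizeof prefix - 1;
    errno = 0;
    sz = strtoul(p, &end, 10);
    if (end == p || errno == ERANGE || strcmp(end, ")") != 0) return ERR_SYNTAX;
    if (seq == 0 || seq > count) return ERR_RANGE;   /* server-chosen index */
    sizes[seq - 1] = sz;
    return OK;
}

/* Run one constructed session: first line is EXISTS, the rest are FETCH
 * size responses. On success *total_out is the sum of all message sizes. */
int process_session(const char *const *lines, size_t nlines,
                    unsigned long *total_out)
{
    unsigned long count = 0, *sizes, i;
    int rc;
    if (nlines == 0) return ERR_SYNTAX;
    rc = parse_exists(lines[0], &count);
    if (rc != OK) return rc;
    /* calloc refuses overflowing products itself; the cap above already
     * keeps count small, so this allocation cannot wrap. */
    sizes = calloc(count ? count : 1, sizeof *sizes);
    if (sizes == NULL) return ERR_TOO_MANY;
    for (i = 1; i < nlines; i++) {
        rc = store_size(sizes, count, lines[i]);
        if (rc != OK) { free(sizes); return rc; }
    }
    *total_out = 0;
    for (i = 0; i < count; i++) *total_out += sizes[i];
    free(sizes);
    return OK;
}

/* Constructed server transcripts (not captured traffic). */
static const char *const GOOD_SESSION[] = {
    "* 3 EXISTS",
    "* 1 FETCH (RFC822.SIZE 100)",
    "* 2 FETCH (RFC822.SIZE 200)",
    "* 3 FETCH (RFC822.SIZE 300)",
};
static const char *const OOB_SEQ_SESSION[] = {     /* index past the array */
    "* 3 EXISTS",
    "* 4294967295 FETCH (RFC822.SIZE 1)",
};
static const char *const HUGE_COUNT_SESSION[] = {  /* absurd claimed count */
    "* 4294967295 EXISTS",
};

static unsigned long last_total;

/* Convenience wrapper: result code, with the total left in last_total. */
int session_result(const char *const *lines, size_t nlines)
{
    last_total = 0;
    return process_session(lines, nlines, &last_total);
}

int main(void)
{
    printf("unchecked bytes for 0x40000001 entries: %u\n",
           unchecked_alloc_bytes(0x40000001u));
    printf("good session: rc=%d total=%lu\n",
           session_result(GOOD_SESSION, NLINES(GOOD_SESSION)), last_total);
    printf("out-of-range seq: rc=%d\n",
           session_result(OOB_SEQ_SESSION, NLINES(OOB_SEQ_SESSION)));
    printf("huge count: rc=%d\n",
           session_result(HUGE_COUNT_SESSION, NLINES(HUGE_COUNT_SESSION)));
    return 0;
}
```

The two checks are independent: the cap on the EXISTS count stops the
allocation itself from being undersized, and the range check in
store_size() stops a server from steering a write to an arbitrary index
even when the count was plausible. A client needs both, since either value
alone is fully under the server's control.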

Affected Systems
================
Systems that use fetchmail versions 5.9.10 and earlier.

Solution
========
Upgrade to fetchmail 5.9.11 (or the patched package for your distribution).
The commands below use rpm -F (freshen), which upgrades only packages that
are already installed; fetchmailconf is skipped on systems that do not have it.

RedHat 6.x
----------
rpm -Fvh fetchmail-5.9.0-9.i386.rpm fetchmailconf-5.9.0-9.i386.rpm

RedHat 7.0, 7.1
---------------
rpm -Fvh fetchmail-5.9.0-10.i386.rpm fetchmailconf-5.9.0-10.i386.rpm

RedHat 7.2, 7.3
---------------
rpm -Fvh fetchmail-5.9.0-11.i386.rpm fetchmailconf-5.9.0-11.i386.rpm