
Fetchmail-ssl memory overwrite

by phiber on August 18th, 2001

While doing a routine security audit of the fetchmail package (named "fetchmail-ssl" in EnGarde), Salvatore Sanfilippo found two remotely exploitable bugs in both the IMAP and POP3 code. Lack of bounds checking may allow an attacker to write arbitrary data into memory.

The attacker must have control of the mail server the client (using fetchmail) is attempting to contact in order to exploit this vulnerability.


Solution

All users should upgrade to the most recent version.

Guardian Digital recently made available the Guardian Digital Secure Update, a means to proactively keep systems secure and manage system software. EnGarde users can automatically update their system using the Guardian Digital WebTool secure interface.

If choosing to manually upgrade this package, updates can be obtained from:

ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

Before upgrading the package, the machine must either:

a) be booted into a "standard" kernel; or
b) have LIDS disabled.

To disable LIDS, execute the command:

# /sbin/lidsadm -S -- -LIDS_GLOBAL

To install the updated package, execute the command:

# rpm -Uvh

To re-enable LIDS (if it was disabled), execute the command:

# /sbin/lidsadm -S -- +LIDS_GLOBAL

To verify the signature of the updated packages, execute the command:

# rpm -Kv


Updated packages:

These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).


Source Packages:

SRPMS/fetchmail-ssl-5.8.17-1.0.3.src.rpm
MD5 Sum: 31f14d5c99dbfd6c61178e2e831362db

Binary Packages:
i386/fetchmail-ssl-5.8.17-1.0.3.i386.rpm
MD5 Sum: 244840700bfbb09078ff246791ae49a3

i686/fetchmail-ssl-5.8.17-1.0.3.i686.rpm
MD5 Sum: 03e5c25d5ba62f4370c1e234f1b3b5dd
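The advisory publishes an MD5 sum for each package so that a manually downloaded file can be checked before `rpm -Uvh` is run. The script below is an added example (not part of the advisory or of EnGarde's tooling): it parses the package/MD5 listing exactly as printed above, hashes the files found under a download directory laid out with the same relative paths (SRPMS/, i386/, i686/), and reports each package as ok, mismatch or missing. The download directory path and the relative layout are assumptions for the example.

```python
import hashlib
import re
from pathlib import Path

# Package/MD5 listing copied verbatim from ESA-20010816-01-fetchmail-ssl above.
ADVISORY_LISTING = """
SRPMS/fetchmail-ssl-5.8.17-1.0.3.src.rpm
MD5 Sum: 31f14d5c99dbfd6c61178e2e831362db

i386/fetchmail-ssl-5.8.17-1.0.3.i386.rpm
MD5 Sum: 244840700bfbb09078ff246791ae49a3

i686/fetchmail-ssl-5.8.17-1.0.3.i686.rpm
MD5 Sum: 03e5c25d5ba62f4370c1e234f1b3b5dd
"""

# An "MD5 Sum:" line carries exactly 32 hex digits; anything else is rejected.
MD5_RE = re.compile(r"^MD5 Sum:\s*([0-9a-fA-F]{32})\s*$")


def parse_listing(text):
    """Turn 'path' / 'MD5 Sum:' line pairs into {relative path: md5 hex}."""
    expected = {}
    pending = None  # package path waiting for its MD5 line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MD5_RE.match(line)
        if m:
            if pending is None:
                raise ValueError(f"MD5 line without a preceding package path: {line}")
            expected[pending] = m.group(1).lower()
            pending = None
        else:
            if pending is not None:
                raise ValueError(f"package path without an MD5 line: {pending}")
            pending = line
    if pending is not None:
        raise ValueError(f"package path without an MD5 line: {pending}")
    return expected


def md5_of_file(path, chunk=1 << 16):
    """Hash a file in chunks so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(expected, download_dir):
    """Return {relative path: 'ok' | 'mismatch' | 'missing'} for every listed package."""
    results = {}
    for rel, digest in expected.items():
        p = Path(download_dir) / rel
        if not p.is_file():
            results[rel] = "missing"
        elif md5_of_file(p) == digest:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


if __name__ == "__main__":
    import sys

    # Assumed usage: python verify_esa.py /path/to/downloads (defaults to cwd).
    download_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    report = verify_downloads(parse_listing(ADVISORY_LISTING), download_dir)
    for rel, status in sorted(report.items()):
        print(f"{status:8} {rel}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

A matching MD5 sum confirms the file is the one the advisory describes and was not corrupted in transit; the package signature check (`rpm -Kv`) in the procedure above is the step that establishes the package actually came from the vendor, so both checks belong in the upgrade procedure.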

Engarde Security Advisory ESA-20010816-01-fetchmail-ssl.
