1 fetchmail-SA-2005-03: security announcement
3 Topics: #1 crash retrieving headerless message in multidrop mode
4 #2 fetchmail 6.2.5.X end of life
6 Author: Matthias Andree
9 Type: null pointer dereference
10 Impact: fetchmail crashes
12 Credits: Daniel Drake, Gentoo (bug report)
13 Sunil Shetye (bug fix)
14 CVE Name: CVE-2005-4348
15 URL: http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt
16 http://article.gmane.org/gmane.mail.fetchmail.user/7573
17 http://bugs.debian.org/343836
18 Project URL: http://fetchmail.berlios.de/
20 Affects: fetchmail version 6.2.5.4
21 fetchmail version 6.3.0
23 Not affected: fetchmail 6.3.1
25 other versions not mentioned here or in the previous
26 sections have not been checked
28 Corrected: 2005-12-19 - released fetchmail 6.3.1
29 2005-12-18 - released fetchmail 6.3.1-rc1
30 2005-12-19 - released fetchmail 6.2.5.5
36 2005-12-19 1.00 - initial version
42 fetchmail is a software package to retrieve mail from remote POP2, POP3,
43 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
44 message delivery agents.
46 fetchmail ships with a graphical, Python/Tkinter based configuration
47 utility named "fetchmailconf" to help the user create configuration (run
48 control) files for fetchmail.
51 2. Problem description and Impact
52 =================================
54 Fetchmail contains a bug that causes an application crash when fetchmail
55 is configured for multidrop mode and the upstream mail server sends a
56 message without headers. As fetchmail does not record this message as
57 "previously fetched", it will crash with the same message if it is
58 re-executed, so it cannot make progress. A malicious or broken-into
59 upstream server could thus cause a denial of service in fetchmail
62 Note that such messages are not RFC-822 conformant, so if the server has
63 not been tampered with, the server software is faulty.
69 Where possible, singledrop mode may be an alternative.
71 For sites, where multidrop mode is required, no workaround is known.
77 Download and install fetchmail 6.3.1 or a newer stable release from
78 fetchmail's project site at
79 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
81 The fix has also been backported to the 6.2.5.5 legacy release which is
82 available from the same site.
84 Note however that 6.3.X has very few incompatible changes since 6.2.5.X
85 so 6.3.X should be viable for most sites. It is therefore recommended
86 that every user and distributor upgrade to 6.3.1 or newer.
89 5. End of life announcement
90 ===========================
92 The fetchmail 6.2.5.X branch will be discontinued early in 2006.
94 The new 6.3.X stable branch has been available since 2005-11-30
95 and will not change except for bugfixes, documentation and translations.
98 A. Copyright, License and Warranty
99 ==================================
101 (C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
102 Some rights reserved.
104 This work is licensed under the Creative Commons
105 Attribution-NonCommercial-NoDerivs German License. To view a copy of
106 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
107 or send a letter to Creative Commons; 559 Nathan Abbott Way;
108 Stanford, California 94305; USA.
110 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
111 Use the information herein at your own risk.
113 END OF fetchmail-SA-2005-03.txt