1 fetchmail-SA-2006-03: crash when refusing message delivered through MDA
3 Topics: fetchmail crashes when refusing a message bound for an MDA
5 Author: Matthias Andree
8 Type: denial of service
9 Impact: fetchmail aborts prematurely
11 Credits: Neil Hoggarth (bug report and analysis)
12 CVE Name: CVE-2006-5974
13 URL: http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt
14 Project URL: http://fetchmail.berlios.de/
16 Affects: fetchmail release = 6.3.5
17 fetchmail release candidates 6.3.6-rc1, -rc2
19 Not affected: fetchmail release 6.3.6
21 Corrected: 2006-11-14 fetchmail SVN
27 2006-11-19 - internal review draft
28 2007-01-04 1.0 ready for release
34 fetchmail is a software package to retrieve mail from remote POP2, POP3,
35 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
36 message delivery agents.
38 fetchmail ships with a graphical, Python/Tkinter based configuration
39 utility named "fetchmailconf" to help the user create configuration (run
40 control) files for fetchmail.
43 2. Problem description and Impact
44 =================================
46 Fetchmail 6.3.5 and early 6.3.6 release candidates, when delivering
47 messages to a message delivery agent by means of the "mda" option, can
48 crash (by passing a NULL pointer to ferror() and fflush()) when refusing
49 a message. SMTP and LMTP delivery modes aren't affected.
55 Avoid the mda option and ship to a local SMTP or LMTP server instead.
61 Download and install fetchmail 6.3.6 or a newer stable release from
62 fetchmail's project site at
63 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
67 A. Copyright, License and Warranty
68 ==================================
70 (C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
73 This work is licensed under the Creative Commons
74 Attribution-NonCommercial-NoDerivs German License. To view a copy of
75 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
76 or send a letter to Creative Commons; 559 Nathan Abbott Way;
77 Stanford, California 94305; USA.
79 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
80 Use the information herein at your own risk.
82 END OF fetchmail-SA-2006-03.txt