+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2007-02: Crash when a local warning message is rejected
Topics: Crash when a fetchmail-generated warning message is rejected
Credits: Earl Chew
CVE Name: CVE-2007-4565
-URL: http://fetchmail.berlios.de/fetchmail-SA-2007-02.txt
-Project URL: http://fetchmail.berlios.de/
+URL: http://www.fetchmail.info/fetchmail-SA-2007-02.txt
+Project URL: http://www.fetchmail.info/
Affects: fetchmail release < 6.3.9 exclusively
is restarted.
Risk assessment: low. In default configuration, fetchmail will talk
-through the loopback interface, that is to the SMTP listener on the same
+through the loopback interface, that means to the SMTP server on the same
computer as it is running on. Otherwise, it will commonly be configured
-to talk to trusted SMTP servers, so a compromise of misconfiguration of
+to talk to trusted SMTP servers, so a compromise or misconfiguration of
a trusted or the same computer is required to exploit this problem -
which usually opens up much easier ways of denying service, or worse.
Index: sink.c
===================================================================
---- sink.c (revision 5118)
+- --- sink.c (revision 5118)
+++ sink.c (revision 5119)
@@ -262,7 +262,7 @@
const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
/* don't bounce in reply to undeliverable bounces */
-- if (!msg->return_path[0] ||
+- - if (!msg->return_path[0] ||
+ if (!msg || !msg->return_path[0] ||
strcmp(msg->return_path, "<>") == 0 ||
strcasecmp(msg->return_path, md1) == 0 ||
strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
END OF fetchmail-SA-2007-02.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+iD8DBQFIV7WXvmGDOQUufZURAr8+AKC7GpAFvCTaHD69n+g39lWtPIheCwCglj/O
+yh3P8bOmEn3a54h4aH2BFLA=
+=NBQZ
+-----END PGP SIGNATURE-----
projects / ~andy / fetchmail / blobdiff