FreeBSD VuXML: Documenting security issues in the FreeBSD Ports & Packages Collection

fetchmail -- remote code injection vulnerability

Affected packages
fetchmail < 6.2.5.2

Details

VuXML ID aee27100-fcf2-11d9-b3c7-00065bd5b0b6
Discovery 2005-07-20
Entry 2005-07-25

fetchmail's POP3 code does not bound the length of the UIDs it receives in UIDL responses before copying them into a fixed-size buffer on the stack. A malicious or compromised POP3 server can therefore corrupt fetchmail's stack and inject code whenever fetchmail is using UIDL, either because the configuration selects it or because the server's advertised capabilities lead fetchmail to choose it. Note that fetchmail is run as root on some sites, so such an attack may compromise the root account and with it the whole machine.
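The shape of the bug and of the fix, as an added illustration that is not fetchmail's own code and not taken from the advisory: a UIDL response line ("1 <unique-id>") is parsed into a fixed-size stack buffer. The vulnerable variant copies the server-supplied UID with no length bound; the hardened variant enforces the RFC 1939 limits on a unique-id (1 to 70 printable ASCII characters) and the buffer capacity, and rejects rather than silently truncates anything else. The buffer size UID_MAX, the function names and the sample lines are assumptions for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size stack buffer for one UID. The size is an assumption for this
 * example, not fetchmail's actual buffer size. */
#define UID_MAX 64

/* Vulnerable pattern (illustrative only): "%s" carries no field width, so
 * sscanf writes as many bytes as the server sent. A UID longer than UID_MAX
 * overruns 'uid' and the surrounding stack frame. Never call this with
 * untrusted input; it is here only to show the bug's shape. */
static int parse_uidl_line_vulnerable(const char *line, int *num, char *uid)
{
    return sscanf(line, "%d %s", num, uid) == 2 ? 0 : -1;
}

/* Hardened version: parse the message number with strtol, then accept the
 * UID only if it fits the caller's buffer (with NUL), is 1..70 bytes of
 * printable non-space ASCII (RFC 1939 unique-id), and is followed by nothing
 * but the line terminator. Anything else is rejected, not truncated, so a
 * hostile server cannot steer the parsed result. */
static int parse_uidl_line_safe(const char *line, int *num,
                                char *uid, size_t uidcap)
{
    char *end;
    long n;
    size_t len, i;
    const char *tail;

    if (line == NULL || num == NULL || uid == NULL || uidcap == 0)
        return -1;
    n = strtol(line, &end, 10);
    if (end == line || n < 1 || n > INT_MAX || *end != ' ')
        return -1;
    ++end;                              /* skip the single separating space */
    len = strcspn(end, "\r\n");         /* UID runs up to the line end */
    if (len == 0 || len > 70 || len >= uidcap)
        return -1;
    for (i = 0; i < len; i++)           /* isgraph: 0x21..0x7E only */
        if (!isgraph((unsigned char)end[i]))
            return -1;
    tail = end + len;
    if (*tail != '\0' && strcmp(tail, "\r\n") != 0 && strcmp(tail, "\n") != 0)
        return -1;
    memcpy(uid, end, len);
    uid[len] = '\0';
    *num = (int)n;
    return 0;
}

/* Returns 1 if the hardened parser accepts 'line', else 0. */
static int uidl_accepted(const char *line)
{
    char uid[UID_MAX];
    int num;
    return parse_uidl_line_safe(line, &num, uid, sizeof uid) == 0;
}

/* Constructed benign line (unique-id taken from the RFC 1939 example).
 * Returns 1 if it parses to message 7 with the expected UID. */
static int sample_line_parses(void)
{
    char uid[UID_MAX];
    int num;
    if (parse_uidl_line_safe("7 whqtswO00WBw418f9t5JxYwZ\r\n",
                             &num, uid, sizeof uid) != 0)
        return 0;
    return num == 7 && strcmp(uid, "whqtswO00WBw418f9t5JxYwZ") == 0;
}

/* Constructed hostile line: "1 " + 200 'A' + CRLF, far over both the RFC
 * limit and UID_MAX. Returns 1 if the hardened parser rejects it. */
static int oversized_uid_rejected(void)
{
    char line[256];
    memset(line, 'A', sizeof line);
    memcpy(line, "1 ", 2);
    memcpy(line + 202, "\r\n", 3);      /* terminator plus NUL */
    return !uidl_accepted(line);
}

int main(void)
{
    char uid[UID_MAX];
    int num;
    /* The vulnerable parser is exercised only with a benign, short line. */
    if (parse_uidl_line_vulnerable("1 abc123\r\n", &num, uid) == 0)
        printf("vulnerable parser, benign input: %d %s\n", num, uid);
    printf("sample parses: %d\n", sample_line_parses());
    printf("oversized UID rejected: %d\n", oversized_uid_rejected());
    printf("UID with space rejected: %d\n", !uidl_accepted("2 ab cd\r\n"));
    return 0;
}
```

The decisive difference is the `len >= uidcap` and `len > 70` checks before the copy: the bound comes from the receiver's buffer and the protocol's specification, never from the peer. Truncating to UID_MAX instead of rejecting would also stop the overflow, but a silently shortened UID can collide with another message's UID, so rejection is the safer choice.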

References

CVE Name CAN-2005-2335
URL http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
URL http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt