• info
• discussion
• exploit
• solution
• references

Eric S. Raymond Fetchmail Multidrop Mode Email Header Parsing Heap Overflow Vulnerability

Solution:
Gentoo Linux has released an advisory. It is highly advised that users who have installed net-mail/fetchmai-0.59.14 and earlier update their systems by issuing the following commands:

emerge rsync
emerge fetchmail
emerge clean

Users of EnGarde Secure Linux are advised to upgrade vulnerable systems by installing the RPMs listed in the advisory. Further details can be found in the referenced advisory.

Conectiva has released an advisory. Fixes are available.

Sun has released an advisory. Sun Cobalt Qube 2.0, Qube 3.0 and Sun Linux 5.0 are vulnerable to this issue. Upgrade details are available in Sun Alert 47784.

Apple advises users to upgrade to MacOS X 10.2.3. Upgrades are available for MacOS X 10.2 and 10.2.2. Other versions may also be affected.

The vendor has released Fetchmail 6.1.0 which is not vulnerable to this issue. Users are advised to upgrade to the newest version of Fetchmail:


Sun Cobalt Qube 3

• Sun Qube3-All-Security-4.0.1-16169.pkg
  Cobalt Qube 3.
  http://sunsolve.sun.com/patches/cobalt/

Apple Mac OS X 10.2

• Apple MacOSXUpdateCombo10.2.3.dmg
  http://www.info.apple.com/kbnum/n120164

Apple Mac OS X 10.2.2

• Apple MacOSXUpdate10.2.3.dmg
  http://www.info.apple.com/kbnum/n120165

Eric Raymond Fetchmail 5.3.3

• Debian fetchmail_5.3.3-4.2_alpha.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3 .3-4.2_alpha.deb


• Debian fetchmail_5.3.3-4.2_arm.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3 .3-4.2_arm.deb


• Debian fetchmail_5.3.3-4.2_i386.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3 .3-4.2_i386.deb


• Debian fetchmail_5.3.3-4.2_m68k.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3 .3-4.2_m68k.deb


• Debian fetchmail_5.3.3-4.2_powerpc.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3 .3-4.2_powerpc.deb


• Debian fetchmail_5.3.3-4.2_sparc.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3 .3-4.2_sparc.deb


• Debian fetchmailconf_5.3.3-4.2_all.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf _5.3.3-4.2_all.deb

Eric Raymond Fetchmail 5.4 .0

• EnGarde Secure Linux fetchmail-ssl-6.1.0-1.0.5.i386.rpm
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i386/fetchmail-s sl-6.1.0-1.0.5.i386.rpm


• EnGarde Secure Linux fetchmail-ssl-6.1.0-1.0.5.i686.rpm
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i686/fetchmail-s sl-6.1.0-1.0.5.i686.rpm


• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.5

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.6

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.7

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.8 .0

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.9 .0

• Red Hat fetchmail-5.9.0-18.alpha.rpm
  ftp://updates.redhat.com/6.2/en/os/alpha/fetchmail-5.9.0-18.alpha.rpm


• Red Hat fetchmail-5.9.0-18.i386.rpm
  ftp://updates.redhat.com/6.2/en/os/i386/fetchmail-5.9.0-18.i386.rpm


• Red Hat fetchmail-5.9.0-18.sparc.rpm
  ftp://updates.redhat.com/6.2/en/os/sparc/fetchmail-5.9.0-18.sparc.rpm


• Red Hat fetchmail-5.9.0-19.alpha.rpm
  ftp://updates.redhat.com/7.0/en/os/alpha/fetchmail-5.9.0-19.alpha.rpm


• Red Hat fetchmail-5.9.0-19.alpha.rpm
  ftp://updates.redhat.com/7.1/en/os/alpha/fetchmail-5.9.0-19.alpha.rpm


• Red Hat fetchmail-5.9.0-19.i386.rpm
  ftp://updates.redhat.com/7.0/en/os/i386/fetchmail-5.9.0-19.i386.rpm


• Red Hat fetchmail-5.9.0-19.i386.rpm
  ftp://updates.redhat.com/7.1/en/os/i386/fetchmail-5.9.0-19.i386.rpm


• Red Hat fetchmail-5.9.0-19.ia64.rpm
  ftp://updates.redhat.com/7.1/en/os/ia64/fetchmail-5.9.0-19.ia64.rpm


• Red Hat fetchmail-5.9.0-20.i386.rpm
  ftp://updates.redhat.com/7.2/en/os/i386/fetchmail-5.9.0-20.i386.rpm


• Red Hat fetchmail-5.9.0-20.i386.rpm
  ftp://updates.redhat.com/7.3/en/os/i386/fetchmail-5.9.0-20.i386.rpm


• Red Hat fetchmail-5.9.0-20.ia64.rpm
  ftp://updates.redhat.com/7.2/en/os/ia64/fetchmail-5.9.0-20.ia64.rpm


• Red Hat fetchmail-5.9.0-21.i386.rpm
  ftp://updates.redhat.com/8.0/en/os/i386/fetchmail-5.9.0-21.i386.rpm


• Red Hat fetchmailconf-5.9.0-18.alpha.rpm
  ftp://updates.redhat.com/6.2/en/os/alpha/fetchmailconf-5.9.0-18.alpha. rpm


• Red Hat fetchmailconf-5.9.0-18.i386.rpm
  ftp://updates.redhat.com/6.2/en/os/i386/fetchmailconf-5.9.0-18.i386.rp m


• Red Hat fetchmailconf-5.9.0-18.sparc.rpm
  ftp://updates.redhat.com/6.2/en/os/sparc/fetchmailconf-5.9.0-18.sparc. rpm


• Red Hat fetchmailconf-5.9.0-19.alpha.rpm
  ftp://updates.redhat.com/7.0/en/os/alpha/fetchmailconf-5.9.0-19.alpha. rpm


• Red Hat fetchmailconf-5.9.0-19.alpha.rpm
  ftp://updates.redhat.com/7.1/en/os/alpha/fetchmailconf-5.9.0-19.alpha. rpm


• Red Hat fetchmailconf-5.9.0-19.i386.rpm
  ftp://updates.redhat.com/7.0/en/os/i386/fetchmailconf-5.9.0-19.i386.rp m


• Red Hat fetchmailconf-5.9.0-19.i386.rpm
  ftp://updates.redhat.com/7.1/en/os/i386/fetchmailconf-5.9.0-19.i386.rp m


• Red Hat fetchmailconf-5.9.0-19.ia64.rpm
  ftp://updates.redhat.com/7.1/en/os/ia64/fetchmailconf-5.9.0-19.ia64.rp m


• Red Hat fetchmailconf-5.9.0-20.i386.rpm
  ftp://updates.redhat.com/7.2/en/os/i386/fetchmailconf-5.9.0-20.i386.rp m


• Red Hat fetchmailconf-5.9.0-20.i386.rpm
  ftp://updates.redhat.com/7.3/en/os/i386/fetchmailconf-5.9.0-20.i386.rp m


• Red Hat fetchmailconf-5.9.0-20.ia64.rpm
  ftp://updates.redhat.com/7.2/en/os/ia64/fetchmailconf-5.9.0-20.ia64.rp m


• Sun fetchmail-5.9.0-21.7.3.i386.rpm
  Sun Linux 5.0.
  http://sunsolve.sun.com/patches/linux/security.html


• Sun fetchmail-5.9.0-21.7.3.src.rpm
  Sun Linux 5.0.
  http://sunsolve.sun.com/patches/linux/security.html


• Sun fetchmailconf-5.9.0-21.7.3.i386.rpm
  Sun Linux 5.0.
  http://sunsolve.sun.com/patches/linux/security.html

Eric Raymond Fetchmail 5.9.10

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.9.11

• Debian fetchmail-common_5.9.11-6.1_all.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-com mon_5.9.11-6.1_all.deb


• Debian fetchmail-ssl_5.9.11-6.1_alpha.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_alpha.deb


• Debian fetchmail-ssl_5.9.11-6.1_arm.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_arm.deb


• Debian fetchmail-ssl_5.9.11-6.1_hppa.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_hppa.deb


• Debian fetchmail-ssl_5.9.11-6.1_i386.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_i386.deb


• Debian fetchmail-ssl_5.9.11-6.1_ia64.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_ia64.deb


• Debian fetchmail-ssl_5.9.11-6.1_m68k.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_m68k.deb


• Debian fetchmail-ssl_5.9.11-6.1_mips.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_mips.deb


• Debian fetchmail-ssl_5.9.11-6.1_mipsel.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_mipsel.deb


• Debian fetchmail-ssl_5.9.11-6.1_powerpc.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_powerpc.deb


• Debian fetchmail-ssl_5.9.11-6.1_s390.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_s390.deb


• Debian fetchmail-ssl_5.9.11-6.1_sparc.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail -ssl_5.9.11-6.1_sparc.deb


• Debian fetchmail_5.9.11-6.1_alpha.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_alpha.deb


• Debian fetchmail_5.9.11-6.1_arm.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_arm.deb


• Debian fetchmail_5.9.11-6.1_hppa.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_hppa.deb


• Debian fetchmail_5.9.11-6.1_i386.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_i386.deb


• Debian fetchmail_5.9.11-6.1_ia64.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_ia64.deb


• Debian fetchmail_5.9.11-6.1_m68k.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_m68k.deb


• Debian fetchmail_5.9.11-6.1_mips.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_mips.deb


• Debian fetchmail_5.9.11-6.1_mipsel.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_mipsel.deb


• Debian fetchmail_5.9.11-6.1_powerpc.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_powerpc.deb


• Debian fetchmail_5.9.11-6.1_s390.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_s390.deb


• Debian fetchmail_5.9.11-6.1_sparc.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9 .11-6.1_sparc.deb


• Debian fetchmailconf_5.9.11-6.1_all.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf _5.9.11-6.1_all.deb


• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.9.12

• Conectiva fetchmail-5.9.12-1U60_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmail-5.9.12-1U60_3cl .i386.rpm


• Conectiva fetchmail-5.9.12-1U60_3cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/fetchmail-5.9.12-1U60_3c l.src.rpm


• Conectiva fetchmail-5.9.12-1U70_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmail-5.9.12-1U70_3cl .i386.rpm


• Conectiva fetchmail-5.9.12-1U70_3cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/fetchmail-5.9.12-1U70_3c l.src.rpm


• Conectiva fetchmail-5.9.12-1U80_2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-5.9.12-1U80_2cl.i 386.rpm


• Conectiva fetchmail-5.9.12-1U80_2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/8/SRPMS/fetchmail-5.9.12-1U80_2cl. src.rpm


• Conectiva fetchmail-doc-5.9.12-1U60_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmail-doc-5.9.12-1U60 _3cl.i386.rpm


• Conectiva fetchmail-doc-5.9.12-1U70_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmail-doc-5.9.12-1U70 _3cl.i386.rpm


• Conectiva fetchmail-doc-5.9.12-1U80_2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-doc-5.9.12-1U80_2 cl.i386.rpm


• Conectiva fetchmailconf-5.9.12-1U60_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmailconf-5.9.12-1U60 _3cl.i386.rpm


• Conectiva fetchmailconf-5.9.12-1U70_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmailconf-5.9.12-1U70 _3cl.i386.rpm


• Conectiva fetchmailconf-5.9.12-1U80_2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmailconf-5.9.12-1U80_2 cl.i386.rpm

Eric Raymond Fetchmail 5.9.6

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.9.7

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.9.8

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 5.9.9

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz

Eric Raymond Fetchmail 6.0 .0

• Eric Raymond fetchmail-6.1.0.tar.gz
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz


• SCO fetchmail-6.1.0-3.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/R PMS/fetchmail-6.1.0-3.i386.rpm


• SCO fetchmail-6.1.0-3.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-05 1.0/RPMS/fetchmail-6.1.0-3.i386.rpm


• SCO fetchmail-6.1.0-3.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-051.0/RPM S/fetchmail-6.1.0-3.i386.rpm


• SCO fetchmail-6.1.0-3.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-051. 0/RPMS/fetchmail-6.1.0-3.i386.rpm


• SCO fetchmailconf-6.1.0-3.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/R PMS/fetchmailconf-6.1.0-3.i386.rpm


• SCO fetchmailconf-6.1.0-3.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-05 1.0/RPMS/fetchmailconf-6.1.0-3.i386.rpm


• SCO fetchmailconf-6.1.0-3.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-051.0/RPM S/fetchmailconf-6.1.0-3.i386.rpm


• SCO fetchmailconf-6.1.0-3.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-051. 0/RPMS/fetchmailconf-6.1.0-3.i386.rpm