CVE-2005-4348 - Resource Management Errors vulnerability in Fetchmail

Publication

2005-12-21

Last modification

2018-10-19

Summary

fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.

Description

Fetchmail is affected by a remote denial-of-service vulnerability. This issue is due to the application's failure to handle unexpected input. This issue occurs only when Fetchmail is configured in 'multidrop' mode.

Solution

The vendor has released an advisory to address this issue. Please see the advisory for details on obtaining and applying fixes.

Fixes by vendor and product (fix package, platforms it applies to, download location):

  • Turbolinux, Turbolinux 10 F...: fetchmail-6.2.5-6.i586.rpm and fetchmailconf-6.2.5-6.i586.rpm (Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal), ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmail-6.2.5-6.i586.rpm and ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmailconf-6.2.5-6.i586.rpm
  • Turbolinux, Turbolinux FUJI: fetchmail-6.2.5-6.i686.rpm and fetchmailconf-6.2.5-6.i686.rpm (Turbolinux FUJI), ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
  • Turbolinux, TurboLinux Multimedia: fetchmail-6.2.5-6.i586.rpm and fetchmailconf-6.2.5-6.i586.rpm (Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal), ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmail-6.2.5-6.i586.rpm and ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmailconf-6.2.5-6.i586.rpm
  • Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Edition: fetchmail-6.2.5-6.i586.rpm (Turbolinux Appliance Server 1.0 Workgroup Edition), ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
  • Turbolinux, Turbolinux Server 10.0: fetchmail-6.2.5-6.i586.rpm (Turbolinux 10 Server), ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
  • Turbolinux, Turbolinux Desktop 10.0: fetchmail-6.2.5-6.i586.rpm and fetchmailconf-6.2.5-6.i586.rpm (Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal), ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmail-6.2.5-6.i586.rpm and ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmailconf-6.2.5-6.i586.rpm
  • Apple, Mac OS X Server 10.3.9: SecUpdSrvr2006-004Pan.dmg, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11231&cat=1&platform=osx&method=sa/SecUpdSrvr2006-004Pan.dmg
  • Apple, Mac OS X 10.3.9: SecUpd2006-004Pan.dmg, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11230&cat=1&platform=osx&method=sa/SecUpd2006-004Pan.dmg
  • Apple, Mac OS X 10.4.7: SecUpd2006-004Intel.dmg, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11232&cat=1&platform=osx&method=sa/SecUpd2006-004Intel.dmg
  • Eric Raymond, Fetchmail 6.2.5.4: fetchmail-6.2.5.5.tar.bz2, http://download.berlios.de/fetchmail/fetchmail-6.2.5.5.tar.bz2
  • Eric Raymond, Fetchmail 6.2.5.1: fetchmail-patch-6.2.5.2.gz, http://download.berlios.de/fetchmail/fetchmail-patch-6.2.5.2.gz
  • Eric Raymond, Fetchmail 6.3.0: fetchmail-6.3.1.tar.bz2, http://download.berlios.de/fetchmail/fetchmail-6.3.1.tar.bz2

Exploit

An exploit is not required.

Classification

CWE-399 - Resource Management Errors

Risk level (CVSS AV:N/AC:L/Au:N/C:N/I:N/A:C)

High (7.8)

Access Vector

  • Network

Access Complexity

  • Low

Authentication

  • None

Confidentiality Impact

  • None

Integrity Impact

  • None

Vendor comments

  • Mark J Cox - Red Hat (2007-01-31)
    The Red Hat Security Response Team has rated this issue as having low security impact. An update is available for Red Hat Enterprise Linux 4 to correct this issue: http://rhn.redhat.com/errata/RHSA-2007-0018.html This issue did not affect Red Hat Enterprise Linux 2.1 and 3.

OVAL definition

{
    "accepted": "2013-04-29T04:21:07.736-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Aharon Chernin",
            "organization": "SCAP.com, LLC"
        },
        {
            "name": "Dragos Prisaca",
            "organization": "G2, Inc."
        }
    ],
    "definition_extensions": [
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 3",
            "oval": "oval:org.mitre.oval:def:11782"
        },
        {
            "comment": "CentOS Linux 3.x",
            "oval": "oval:org.mitre.oval:def:16651"
        },
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 4",
            "oval": "oval:org.mitre.oval:def:11831"
        },
        {
            "comment": "CentOS Linux 4.x",
            "oval": "oval:org.mitre.oval:def:16636"
        },
        {
            "comment": "Oracle Linux 4.x",
            "oval": "oval:org.mitre.oval:def:15990"
        }
    ],
    "description": "fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.",
    "family": "unix",
    "id": "oval:org.mitre.oval:def:9659",
    "status": "accepted",
    "submitted": "2010-07-09T03:56:16-04:00",
    "title": "fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.",
    "version": "23"
}

Affected Products

Vendor: Fetchmail
Product: Fetchmail
Versions: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.5.1, 6.2.5.2, 6.2.5.4, 6.3.0

External references