Bugtraq mailing list archives

[OpenPKG-SA-2002.016] OpenPKG Security Advisory (fetchmail)


From: OpenPKG <openpkg () openpkg org>
Date: Tue, 17 Dec 2002 17:24:17 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security () openpkg org                         openpkg () openpkg org
OpenPKG-SA-2002.016                                          17-Dec-2002
________________________________________________________________________

Package:             fetchmail
Vulnerability:       crashing or remote command execution
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG 1.0          <= fetchmail-5.9.5-1.0.0    >= fetchmail-5.9.5-1.0.1
OpenPKG 1.1          <= fetchmail-5.9.13-1.1.0   >= fetchmail-5.9.13-1.1.1
OpenPKG CURRENT      <= fetchmail-6.1.3-20021128 >= fetchmail-6.2.0-20021213

Description:
  The e-matters security team has reaudited Fetchmail and discovered a
  remote vulnerability [1] within the default install. Headers are
  searched for local addresses to append a @ and the hostname of the
  mailserver. The sizing of the buffer to store the modified addresses
  is too short by one character per address.  This vulnerability allows
  crashing or remote code execution. Depending on the configuration this
  can lead to a remote root compromise.
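
  To make the sizing error concrete, the following C program is an added
  illustration written for this archive page; it is not fetchmail's code
  nor part of the e-matters or OpenPKG advisories. It models only what the
  description states: unqualified (local) addresses in a header get "@"
  and the mail server's hostname appended, and the buffer holding the
  rewritten list is sized one byte short per such address because the
  joining "@" is not counted. The hostname, the sample address list and
  the function names (size_buggy, size_fixed, qualify) are constructed
  for the example. The rewrite itself is bounds-checked so that the short
  buffer is reported rather than overflowed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical mail server hostname appended to local addresses (assumption). */
#define HOSTNAME "mail.example.org"

/* Constructed sample header address list: two local, one already qualified. */
static const char *SAMPLE[] = { "alice", "bob@example.org", "carol" };
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* An address is "local" when it carries no domain part. */
static int is_local(const char *addr)
{
    return strchr(addr, '@') == NULL;
}

/*
 * Buggy sizing, modelled on the advisory text: for every local address it
 * counts the address and the hostname but forgets the '@' joining them,
 * so the result is one byte short per local address.
 */
size_t size_buggy(const char **addrs, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        len += strlen(addrs[i]);
        if (is_local(addrs[i]))
            len += strlen(HOSTNAME);        /* '@' not counted: the bug */
        if (i + 1 < n)
            len += 2;                        /* ", " separator */
    }
    return len + 1;                          /* terminating NUL */
}

/* Correct sizing: the '@' is counted for every local address. */
size_t size_fixed(const char **addrs, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        len += strlen(addrs[i]);
        if (is_local(addrs[i]))
            len += 1 + strlen(HOSTNAME);    /* '@' + hostname */
        if (i + 1 < n)
            len += 2;
    }
    return len + 1;
}

/*
 * Rewrite the list into a buffer of bufsize bytes, qualifying local
 * addresses. Every write is length-checked via snprintf; if the buffer is
 * too small the function returns NULL instead of writing past the end,
 * which is what an unchecked strcpy/strcat would do with the buggy size.
 * The caller frees the returned buffer.
 */
char *qualify(const char **addrs, size_t n, size_t bufsize)
{
    char *buf = malloc(bufsize);
    if (buf == NULL)
        return NULL;
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        int local = is_local(addrs[i]);
        int w = snprintf(buf + used, bufsize - used, "%s%s%s%s",
                         addrs[i],
                         local ? "@" : "",
                         local ? HOSTNAME : "",
                         i + 1 < n ? ", " : "");
        if (w < 0 || (size_t)w >= bufsize - used) {
            free(buf);                       /* would have overflowed */
            return NULL;
        }
        used += (size_t)w;
    }
    return buf;
}

/* Number of bytes the buggy sizing comes up short for the sample list. */
size_t demo_shortfall(void)
{
    return size_fixed(SAMPLE, SAMPLE_N) - size_buggy(SAMPLE, SAMPLE_N);
}

int main(void)
{
    size_t bad = size_buggy(SAMPLE, SAMPLE_N);
    size_t good = size_fixed(SAMPLE, SAMPLE_N);
    char *out;

    printf("buggy size: %zu, fixed size: %zu, shortfall: %zu bytes\n",
           bad, good, good - bad);
    out = qualify(SAMPLE, SAMPLE_N, bad);
    printf("with buggy size: %s\n", out ? out : "(rejected: buffer too small)");
    free(out);
    out = qualify(SAMPLE, SAMPLE_N, good);
    printf("with fixed size: %s\n", out ? out : "(rejected)");
    free(out);
    return 0;
}
```

  The shortfall grows with the number of local addresses in a single
  header, which is entirely under the sender's control; that is why a
  one-byte-per-address miscount is enough to reach a crash or code
  execution rather than a benign truncation.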

  Check whether you are affected by running "<prefix>/bin/rpm -q fetchmail".
  If you have an affected version of the fetchmail package (see above),
  please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of fetchmail. Select the
  updated source RPM appropriate for your OpenPKG release [2][3][4], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [5], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [6]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get fetchmail-5.9.13-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig fetchmail-5.9.13-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild fetchmail-5.9.13-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/fetchmail-5.9.13-1.1.1.*.rpm
________________________________________________________________________

References:
  [1] http://security.e-matters.de/advisories/052002.html
  [2] ftp://ftp.openpkg.org/release/1.0/UPD/
  [3] ftp://ftp.openpkg.org/release/1.1/UPD/
  [4] ftp://ftp.openpkg.org/current/SRC/
  [5] http://www.openpkg.org/security.html#signature
  [6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>

iEYEARECAAYFAj3/SiIACgkQgHWT4GPEy58OygCffa9srrGX6bLI3NuFXqXI1AIa
dIsAoJwKFZSO0oAkSJr8WplNmiKtYS6S
=BD0i
-----END PGP SIGNATURE-----
