Bugtraq mailing list archives
Re: [RHSA-2002:047-10] Updated fetchmail packages available
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Fri, 31 May 2002 15:39:41 +0200
bugzilla () redhat com writes:

> Updated fetchmail packages are available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3 which close a remotely-exploitable vulnerability in unpatched versions of fetchmail prior to 5.9.10.

It appears that this vulnerability is caused by some alloca() implementations which do not return zero if the caller requests more memory than is available. Red Hat's patch does not address the root of the problem by fixing alloca() (a problem which might be of a more generic nature and could well be present in other software as well), but it bounds the requested memory by something which appears to be a rather arbitrary constant.

-- 
Florian Weimer                        Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
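The two patterns under discussion, as an added example written for this page (it is not fetchmail's code and not Red Hat's patch; the MAX_SERVER_LEN cap, the copy functions and the inputs are hypothetical and constructed): a NULL check after alloca() is dead code on glibc, because alloca() only moves the stack pointer and never reports failure, so the only real protection is to bound the remotely supplied length before any allocation happens, or to allocate on the heap where the allocator actually returns NULL.

```c
/* Added example (not from fetchmail or Red Hat's patch): why a NULL
 * check after alloca() is not a bound, and what a real bound looks like.
 * MAX_SERVER_LEN is a hypothetical limit chosen for this example. */
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SERVER_LEN 4096u   /* hypothetical cap on a remotely supplied length */

/* Vulnerable pattern.  glibc/gcc alloca() just adjusts the stack pointer and
 * never returns NULL, so the check below is dead code: a length chosen by
 * the remote side moves the stack pointer wherever the attacker says, or
 * wraps it when len + 1 overflows.  Never call this with an untrusted len. */
int copy_with_alloca(const char *src, size_t len, char *dst, size_t dstsz)
{
    char *tmp = alloca(len + 1);   /* no bound: len comes from the network */
    if (tmp == NULL)               /* never true on glibc: not a bound */
        return -1;
    if (len >= dstsz)
        return -1;
    memcpy(tmp, src, len);
    tmp[len] = '\0';
    memcpy(dst, tmp, len + 1);
    return 0;
}

/* Returns 1 if alloca()'s "failure" check would fire for len bytes.
 * Only safe for small len; it exists to show that the check never fires. */
int alloca_check_fires(size_t len)
{
    char *p = alloca(len);
    return p == NULL;
}

/* Fixed pattern: validate the length before any allocation, then allocate
 * on the heap, where malloc() really does report failure.  After the bound
 * check, len + 1 cannot overflow. */
int copy_bounded(const char *src, size_t len, char *dst, size_t dstsz)
{
    if (len > MAX_SERVER_LEN || len >= dstsz)
        return -1;                 /* reject oversized input up front */
    char *tmp = malloc(len + 1);
    if (tmp == NULL)
        return -1;                 /* a real, checkable failure */
    memcpy(tmp, src, len);
    tmp[len] = '\0';
    memcpy(dst, tmp, len + 1);
    free(tmp);
    return 0;
}

int main(void)
{
    char out[64];
    /* Constructed inputs: a normal payload and hostile claimed lengths. */
    printf("alloca check fires for 64 bytes: %d\n", alloca_check_fires(64));
    printf("bounded copy of 5 bytes: %d (%s)\n",
           copy_bounded("hello", 5, out, sizeof out), out);
    printf("bounded copy with len SIZE_MAX: %d\n",
           copy_bounded("x", SIZE_MAX, out, sizeof out));
    printf("bounded copy with len 5000: %d\n",
           copy_bounded("x", 5000, out, sizeof out));
    return 0;
}
```

The bound check rejects both the absurd length (SIZE_MAX, which would wrap len + 1 to zero) and the merely oversized one (5000) before any memory is touched; whether 4096 is the right constant is exactly the kind of question the message above raises, but any explicit bound is checkable, whereas the alloca() return value is not.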
Current thread:
- [RHSA-2002:047-10] Updated fetchmail packages available bugzilla (May 21)
- Re: [RHSA-2002:047-10] Updated fetchmail packages available Florian Weimer (May 31)
- Re: [RHSA-2002:047-10] Updated fetchmail packages available Nate Eldredge (May 31)
- Re: [RHSA-2002:047-10] Updated fetchmail packages available Olaf Kirch (May 31)
- Re: [RHSA-2002:047-10] Updated fetchmail packages available Nate Eldredge (May 31)
- Re: [RHSA-2002:047-10] Updated fetchmail packages available Florian Weimer (May 31)