[OpenPKG-SA-2002.016] OpenPKG Security Advisory (fetchmail)



OpenPKG
17/12/02, 20:47
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

  OpenPKG Security Advisory                           The OpenPKG Project
  http://www.openpkg.org/security.html                http://www.openpkg.org
  openpkg-security@openpkg.org                        openpkg@openpkg.org
  OpenPKG-SA-2002.016                                 17-Dec-2002
________________________________________________________________________

Package: fetchmail
Vulnerability: crashing or remote command execution
OpenPKG Specific: no

Dependent Packages: none

Affected Releases:   Affected Packages:             Corrected Packages:
OpenPKG 1.0          <= fetchmail-5.9.5-1.0.0       >= fetchmail-5.9.5-1.0.1
OpenPKG 1.1          <= fetchmail-5.9.13-1.1.0      >= fetchmail-5.9.13-1.1.1
OpenPKG CURRENT      <= fetchmail-6.1.3-20021128    >= fetchmail-6.2.0-20021213

Description:
The e-matters security team has reaudited Fetchmail and discovered a
remote vulnerability [1] within the default install. Headers are
searched for local addresses to append a @ and the hostname of the
mailserver. The sizing of the buffer to store the modified addresses
is too short by one character per address. This vulnerability allows
crashing or remote code execution. Depending on the configuration this
can lead to a remote root compromise.
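The sizing error described above is an off-by-one per rewritten address: every local name grows by the hostname plus the '@' separator, and a computation that accounts for the hostname but not the separator comes up one byte short for each address. The following C program is an added illustration, not fetchmail's code and not derived from the e-matters advisory: it models a header as a comma-separated list of local names (an assumption made for brevity; real header parsing is more involved), computes the buffer size both the undersized way and the correct way, and shows a bounded rewriter that allocates the correct size and refuses to write past it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the addresses in a comma-separated list.
 * Assumption (constructed model): no whitespace, one name per field. */
static size_t count_addresses(const char *header)
{
    size_t count = 1;
    for (const char *p = header; *p; p++)
        if (*p == ',')
            count++;
    return count;
}

/* Undersized computation: pays for the hostname after each address but
 * forgets the '@' that joins them, so the result is one byte short per
 * address. This models the class of bug, not fetchmail's actual code. */
size_t rewrite_size_undersized(const char *header, const char *host)
{
    size_t n = count_addresses(header);
    return strlen(header) + n * strlen(host) + 1; /* +1 for the NUL */
}

/* Correct computation: hostname plus one byte for '@', per address. */
size_t rewrite_size_correct(const char *header, const char *host)
{
    size_t n = count_addresses(header);
    return strlen(header) + n * (strlen(host) + 1) + 1;
}

/* Rewrite "alice,bob" into "alice@host,bob@host" in a heap buffer sized
 * by rewrite_size_correct(). Every write is bounded by the remaining
 * capacity; if the bound would be exceeded the function fails closed
 * (returns NULL) instead of writing past the buffer. Caller frees. */
char *rewrite_addresses(const char *header, const char *host)
{
    size_t cap = rewrite_size_correct(header, host);
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;
    out[0] = '\0';

    size_t used = 0;
    const char *p = header;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        int w = snprintf(out + used, cap - used, "%.*s@%s%s",
                         (int)len, p, host, comma ? "," : "");
        if (w < 0 || (size_t)w >= cap - used) {
            free(out);           /* would have been truncated: bail out */
            return NULL;
        }
        used += (size_t)w;
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return out;
}

int main(void)
{
    const char *header = "alice,bob";   /* constructed sample input */
    const char *host = "host1";
    printf("undersized: %zu bytes\n", rewrite_size_undersized(header, host));
    printf("correct:    %zu bytes\n", rewrite_size_correct(header, host));
    char *r = rewrite_addresses(header, host);
    if (r != NULL) {
        printf("rewritten:  %s (%zu bytes incl. NUL)\n", r, strlen(r) + 1);
        free(r);
    }
    return 0;
}
```

With two addresses the two size computations differ by exactly two bytes, and the rewritten string plus its terminator fills the correctly sized buffer to the byte, which is why a buffer computed the undersized way overflows by one character per address.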

Check whether you are affected by running "<prefix>/bin/rpm -q fetchmail".
If you have an affected version of the fetchmail package (see above),
please upgrade it according to the solution below.

Solution:
Update existing packages to newly patched versions of fetchmail. Select the
updated source RPM appropriate for your OpenPKG release [2][3][4], and
fetch it from the OpenPKG FTP service or a mirror location. Verify its
integrity [5], build a corresponding binary RPM from it and update your
OpenPKG installation by applying the binary RPM [6]. For the latest
OpenPKG 1.1 release, perform the following operations to permanently fix
the security problem (for other releases adjust accordingly).

$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get fetchmail-5.9.13-1.1.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig fetchmail-5.9.13-1.1.1.src.rpm
$ <prefix>/bin/rpm --rebuild fetchmail-5.9.13-1.1.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/fetchmail-5.9.13-1.1.1.*.rpm
________________________________________________________________________

References:
[1] http://security.e-matters.de/advisories/052002.html
[2] ftp://ftp.openpkg.org/release/1.0/UPD/
[3] ftp://ftp.openpkg.org/release/1.1/UPD/
[4] ftp://ftp.openpkg.org/current/SRC/
[5] http://www.openpkg.org/security.html#signature
[6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj3/SiIACgkQgHWT4GPEy58OygCffa9srrGX6bLI3NuFXqXI1AIa
dIsAoJwKFZSO0oAkSJr8WplNmiKtYS6S
=BD0i
-----END PGP SIGNATURE-----