-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
[EMAIL PROTECTED]                                    [EMAIL PROTECTED]
OpenPKG-SA-2002.016                                          17-Dec-2002
________________________________________________________________________

Package:             fetchmail
Vulnerability:       crashing or remote command execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG 1.0          <= fetchmail-5.9.5-1.0.0     >= fetchmail-5.9.5-1.0.1
OpenPKG 1.1          <= fetchmail-5.9.13-1.1.0    >= fetchmail-5.9.13-1.1.1
OpenPKG CURRENT      <= fetchmail-6.1.3-20021128  >= fetchmail-6.2.0-20021213

Dependent Packages:  none

Description:
  The e-matters security team has re-audited Fetchmail and discovered a
  remote vulnerability [1] in the default install. Headers are searched
  for local addresses, to which an "@" and the hostname of the mail
  server are appended. The buffer that stores the modified addresses is
  sized one character too short per address. This vulnerability allows
  crashing or remote code execution. Depending on the configuration,
  this can lead to a remote root compromise.

  Check whether you are affected by running "<prefix>/bin/rpm -q
  fetchmail". If you have an affected version of the fetchmail package
  (see above), please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of fetchmail.
  Select the updated source RPM appropriate for your OpenPKG release
  [2][3][4], and fetch it from the OpenPKG FTP service or a mirror
  location. Verify its integrity [5], build a corresponding binary RPM
  from it and update your OpenPKG installation by applying the binary
  RPM [6]. For the latest OpenPKG 1.1 release, perform the following
  operations to permanently fix the security problem (for other
  releases adjust accordingly).
  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get fetchmail-5.9.13-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig fetchmail-5.9.13-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild fetchmail-5.9.13-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/fetchmail-5.9.13-1.1.1.*.rpm
________________________________________________________________________

References:
  [1] http://security.e-matters.de/advisories/052002.html
  [2] ftp://ftp.openpkg.org/release/1.0/UPD/
  [3] ftp://ftp.openpkg.org/release/1.1/UPD/
  [4] ftp://ftp.openpkg.org/current/SRC/
  [5] http://www.openpkg.org/security.html#signature
  [6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[EMAIL PROTECTED]>

iEYEARECAAYFAj3/SiIACgkQgHWT4GPEy58OygCffa9srrGX6bLI3NuFXqXI1AIa
dIsAoJwKFZSO0oAkSJr8WplNmiKtYS6S
=BD0i
-----END PGP SIGNATURE-----
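The Description above names the bug class: a rewrite buffer sized without the one extra byte per address that the appended "@" costs. The following is an added illustration written for this page, not fetchmail's own code, of how the size of such a buffer is derived correctly; the header format, the hostname and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction for illustration only, not fetchmail's code.
 * Rewrites a comma-separated address header so that every address with no
 * '@' gets "@" + host appended, and returns a freshly malloc'd string.
 * Each qualified address grows by strlen(host) + 1 bytes; the "+ 1" is the
 * '@'. Omitting it reproduces the bug class in the advisory: the buffer
 * ends up one byte short per rewritten address. */

static int is_bare_local(const char *addr, size_t len)
{
    return memchr(addr, '@', len) == NULL;
}

/* Bytes the rewritten header needs, including the terminating NUL. */
size_t rewritten_len(const char *hdr, const char *host)
{
    size_t need = strlen(hdr) + 1;
    for (const char *p = hdr; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len && is_bare_local(p, len))
            need += strlen(host) + 1;      /* '@' plus the hostname */
        if (!end) break;
        p = end + 1;
    }
    return need;
}

char *qualify_addresses(const char *hdr, const char *host)
{
    size_t cap = rewritten_len(hdr, host), n = 0, hlen = strlen(host);
    char *out = malloc(cap);
    if (!out) return NULL;
    for (const char *p = hdr; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        memcpy(out + n, p, len); n += len;     /* segment copied verbatim */
        if (len && is_bare_local(p, len)) {
            out[n++] = '@';
            memcpy(out + n, host, hlen); n += hlen;
        }
        if (!end) break;
        out[n++] = ',';
        p = end + 1;
    }
    out[n] = '\0';                             /* n + 1 == cap, never more */
    return out;
}
```

The sizing pass and the copy pass walk the header with the same segment logic, so the capacity computed up front is exactly what the copy consumes; keeping the two in lockstep is the check a reviewer would apply to any "measure, then build" rewrite.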