[pkg-fetchmail-maint] Bug#343836: Security: DoS attack possible - crashes on empty message
Steve Fosdick
dbugs at pelvoux.nildram.co.uk
Sun Dec 18 03:44:41 UTC 2005
Package: fetchmail
Version: 6.2.5.4-1
Severity: important
Wondering why only local mail had arrived in my mailbox for several
days, I found from the syslog that whenever fetchmail was started it
got as far as message 46 from my ISP's POP3 server and then crashed.
I used telnet to log in to the POP3 server directly and fetched message
46 which seemed to consist only of a single blank line:
RETR 46
+OK
.
DELE 46
+OK
I have been able to work around this by deleting message 46, and it is
now fetching the other messages OK, but clearly someone could plant
such a message in someone's mailbox to disrupt their mail service - a
kind of DoS attack.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.4
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-15)
Versions of packages fetchmail depends on:
ii adduser 3.80 Add and remove users and groups
ii base-files 3.1.9 Debian base system miscellaneous f
ii debianutils 2.15.1 Miscellaneous utilities specific t
ii libc6 2.3.5-8 GNU C Library: Shared libraries an
ii libssl0.9.8 0.9.8a-3 SSL shared libraries
Versions of packages fetchmail recommends:
ii ca-certificates 20050804 Common CA Certificates PEM files
-- debconf information:
* fetchmail/confwarn:
* fetchmail/systemwide: true
* fetchmail/initdefaultswarn:
* fetchmail/runasroot: false
fetchmail/fetchidswarn:
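The RETR exchange quoted in the report, "+OK" followed directly by the terminating ".", is a legal POP3 multi-line response carrying a message with zero lines. The following is an added example, not code from the bug report or from fetchmail: a small RETR reader that returns such a message as an empty list, dot-unstuffs body lines, treats a "-ERR" status or a dropped connection as an error rather than a crash, and splits headers from body without assuming any header is present. The transcripts are constructed for the example; only the empty one mirrors the exchange in the report.

```python
"""POP3 RETR reader that tolerates a zero-line message (RFC 1939 multi-line
responses).  Added example, not fetchmail code; the transcripts at the bottom
are constructed, with EMPTY_MESSAGE modelled on the exchange in the report."""
import io
from typing import List, Optional, Tuple


class Pop3Error(Exception):
    """Raised on a -ERR status or a response that ends before the '.' line."""


def _read_line(stream: io.BufferedIOBase) -> bytes:
    line = stream.readline()
    if not line:
        raise Pop3Error("connection closed before the terminating '.' line")
    return line.rstrip(b"\r\n")


def read_retr_response(stream: io.BufferedIOBase) -> List[bytes]:
    """Return the message lines from a RETR response, dot-unstuffed.

    The terminator is a lone '.' line, so '+OK' followed directly by '.' is a
    valid response: a message with no lines at all comes back as [].
    """
    status = _read_line(stream)
    if not status.startswith(b"+OK"):
        raise Pop3Error(status.decode("ascii", "replace"))
    lines: List[bytes] = []
    while True:
        line = _read_line(stream)
        if line == b".":
            return lines
        # Byte-stuffing: a message line beginning with '.' is sent as '..'.
        if line.startswith(b"."):
            line = line[1:]
        lines.append(line)


def split_headers_body(lines: List[bytes]) -> Tuple[List[bytes], List[bytes]]:
    """Split at the first empty line.  With no empty line, or no lines at all,
    everything is treated as headers and the body is empty."""
    for i, line in enumerate(lines):
        if line == b"":
            return lines[:i], lines[i + 1:]
    return lines, []


def header_value(headers: List[bytes], name: bytes) -> Optional[bytes]:
    """First value of a header, or None when it (or every header) is missing."""
    prefix = name.lower() + b":"
    for line in headers:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None


def fetch(transcript: bytes) -> List[bytes]:
    """Parse one captured server-side RETR exchange into message lines."""
    return read_retr_response(io.BytesIO(transcript))


def fetch_error(transcript: bytes) -> Optional[str]:
    """Return the error text a malformed exchange produces, or None if it parses."""
    try:
        read_retr_response(io.BytesIO(transcript))
    except Pop3Error as exc:
        return str(exc)
    return None


# Constructed transcripts: the server's side after RETR was sent.
EMPTY_MESSAGE = b"+OK\r\n.\r\n"                      # the message 46 case
NORMAL_MESSAGE = (b"+OK 62 octets\r\n"
                  b"From: sender@example.org\r\n"
                  b"Subject: hello\r\n"
                  b"\r\n"
                  b"..a line that starts with a dot\r\n"
                  b"regards\r\n"
                  b".\r\n")
SERVER_ERROR = b"-ERR no such message\r\n"
TRUNCATED = b"+OK\r\nFrom: sender@example.org\r\n"  # connection dropped mid-message

if __name__ == "__main__":
    for name, transcript in [("empty", EMPTY_MESSAGE), ("normal", NORMAL_MESSAGE)]:
        headers, body = split_headers_body(fetch(transcript))
        print(name, "From:", header_value(headers, b"From"), "body lines:", len(body))
    print("error:", fetch_error(SERVER_ERROR))
    print("error:", fetch_error(TRUNCATED))
```

The point of the example is the shape of the result for the degenerate input: an empty list of lines, an empty header list and a None lookup, all of which downstream code (header rewriting, multidrop routing, local delivery) must be written to accept, since the server, or whoever can place a message in the mailbox, controls whether a message has any content at all.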