[pkg-fetchmail-maint] Bug#338007: fetchmail: certain messages cause "client/server synchronization error while fetching ..."
Nathaniel W. Turner
nate at houseofnate.net
Mon Nov 7 19:23:53 UTC 2005
Package: fetchmail
Version: 6.2.5-18
Severity: important
I have done some debugging, and determined that with my setup, fetchmail
always fails if two conditions are met.
My setup:
- messages arrive on box-A via qmail
- fetchmail on box-B fetches messages via courier-imap on box-A
Conditions required for failure (both must be met):
1. the message being fetched must have DOS-style line endings (at least
for the blank line between the headers and the message body).
2. the message body must contain (anywhere in it) the two-character
string "OK".
If these conditions are met, fetchmail will choke while fetching this
message, and quit, leaving it and any other message on the server.
I have minimal test messages and the output of running fetchmail -vv for
each of them, which I will attach to this report.
(I don't think this bug has security implications other than a basic
DoS, but that might be worth investigating, as it seems fetchmail is
interpreting data from an untrusted user as though it were data from a
(potentially trusted) mail server.)
I don't think my particular /etc/fetchmailrc is relevant here, but I can
provide a sanitized copy if needed.
Cheers,
nate
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages fetchmail depends on:
ii adduser 3.77 Add and remove users and groups
ii base-files 3.1.9 Debian base system miscellaneous f
ii debianutils 2.15.1 Miscellaneous utilities specific t
ii libc6 2.3.5-7 GNU C Library: Shared libraries an
ii libssl0.9.7 0.9.7g-5 SSL shared libraries
Versions of packages fetchmail recommends:
ii ca-certificates 20050804 Common CA Certificates PEM files
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tests.tar.gz
Type: application/octet-stream
Size: 2385 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-fetchmail-maint/attachments/20051107/e528202b/tests.tar.obj
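
Added example (not part of the original report, and not fetchmail's code): the report does not identify a root cause, so this only illustrates the general concern it raises, that message content can be read as server protocol data. The tag A0005, the sample body and the loose completion check are constructed assumptions; the strict reader consumes the IMAP literal by its declared octet count instead.

```python
import io
import re

TAG = b"A0005"  # hypothetical command tag, constructed for this example
# Constructed message body: CRLF line endings, "OK" somewhere inside it.
BODY = b"Hello,\r\nIs Friday OK for you?\r\nnate\r\n"

def build_reply(body):
    """Constructed server reply: FETCH data as a {N} literal, then the tagged status."""
    return (b"* 1 FETCH (BODY[TEXT] {%d}\r\n" % len(body) + body
            + b")\r\n" + TAG + b" OK FETCH completed\r\n")

def loose_reader(stream):
    """Illustrative weak client: any line containing "OK" ends the fetch."""
    stream.readline()                      # skip the "* 1 FETCH ..." line
    body = b""
    for line in iter(stream.readline, b""):
        if b"OK" in line:                  # in-band check: body text can match
            break
        body += line
    return body, stream.read()             # (body seen, bytes left unread)

def strict_reader(stream):
    """Literal-aware client: body bytes are never inspected for status words."""
    header = stream.readline()
    m = re.search(rb"\{(\d+)\}\r\n$", header)
    if m is None:
        raise ValueError("expected a {N} literal announcement")
    n = int(m.group(1))
    body = stream.read(n)                  # exactly N octets, CRLF included
    if len(body) != n:
        raise ValueError("connection ended inside the literal")
    if stream.readline() != b")\r\n":
        raise ValueError("literal not followed by closing parenthesis")
    if not stream.readline().startswith(TAG + b" OK"):
        raise ValueError("missing tagged OK for our own command")
    return body, stream.read()

def run(reader):
    """Feed the constructed reply to one of the readers above."""
    return reader(io.BytesIO(build_reply(BODY)))

if __name__ == "__main__":
    for reader in (loose_reader, strict_reader):
        body, leftover = run(reader)
        print(reader.__name__, "body:", body, "unread:", leftover)
```

Any unread bytes after the loose reader returns are what the client would misparse as the reply to its next command, which is the desynchronization risk; the strict reader leaves none.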