[pkg-fetchmail-maint] Bug#338007: fetchmail: certain messages cause "client/server synchronization error while fetching ..."

Nathaniel W. Turner nate at houseofnate.net
Mon Nov 7 19:23:53 UTC 2005


Package: fetchmail
Version: 6.2.5-18
Severity: important

I have done some debugging, and determined that with my setup, fetchmail
always fails if two conditions are met.

My setup:

- messages arrive on box-A via qmail
- fetchmail on box-B fetches messages via courier-imap on box-A

Conditions required for failure (both must be met):

1. the message being fetched must have DOS-style line endings (at least
   for the blank line between the headers and the message body).

2. the message body must contain (anywhere in it) the two-character
   string "OK".

If these conditions are met, fetchmail will choke while fetching this
message, and quit, leaving it and any other message on the server.

I have minimal test messages and the output of running fetchmail -vv for
each of them, which I will attach to this report.

(I don't think this bug has security implications other than a basic
DoS, but that might be worth investigating, as it seems fetchmail is
interpreting data from an untrusted user as though it were data from a
(potentially trusted) mail server.)

I don't think my particular /etc/fetchmailrc is relevant here, but I can
provide a sanitized copy if needed.

Cheers,
nate

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages fetchmail depends on:
ii  adduser                       3.77       Add and remove users and groups
ii  base-files                    3.1.9      Debian base system miscellaneous f
ii  debianutils                   2.15.1     Miscellaneous utilities specific t
ii  libc6                         2.3.5-7    GNU C Library: Shared libraries an
ii  libssl0.9.7                   0.9.7g-5   SSL shared libraries

Versions of packages fetchmail recommends:
ii  ca-certificates               20050804   Common CA Certificates PEM files

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tests.tar.gz
Type: application/octet-stream
Size: 2385 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-fetchmail-maint/attachments/20051107/e528202b/tests.tar.obj
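A model of the failure class the report points at, as an added example (hypothetical code, not fetchmail's): a client that charges CRLF header lines one byte too many stops reading the FETCH literal early and then takes the first line containing "OK" (here, message text) as the server's completion reply, while a strict client frames by the announced literal length and its own command tag only. The accounting slip, the tag A0007 and the sample messages are constructed for illustration; the report itself does not show where fetchmail's count goes wrong.

```python
import io
TAG = b"A0007"  # constructed command tag for the FETCH below

# Constructed messages: DOS line endings with "OK" in the body, and LF only.
MSG_CRLF = (b"From: sender@example.invalid\r\n"
            b"To: nate@example.invalid\r\n"
            b"Subject: nightly build\r\n"
            b"\r\n"
            b"All tests passed, everything is OK\r\n")
MSG_LF = MSG_CRLF.replace(b"\r\n", b"\n")

def fetch_stream(message):
    # Server side of one FETCH: the literal size counts every byte, CRs
    # included; the tagged reply follows the closing ")".
    return io.BytesIO(b"* 1 FETCH (BODY[] {%d}\r\n" % len(message) + message
                      + b")\r\n" + TAG + b" OK FETCH completed\r\n")

def literal_size(fetch_line):
    return int(fetch_line[fetch_line.index(b"{") + 1:fetch_line.index(b"}")])

def loose_fetch(stream):
    """Hypothetical client with the report's defect class: CRLF header lines
    are over-charged, so part of the literal is left unread, and any later
    line containing "OK" is taken as the server's completion reply."""
    size = literal_size(stream.readline())
    headers = b""
    while True:
        line = stream.readline()
        headers += line
        # assumed slip: a CR is charged as data and again as a terminator
        size -= len(line) + (1 if line.endswith(b"\r\n") else 0)
        if line in (b"", b"\n", b"\r\n"):
            break
    body = stream.read(max(size, 0))
    while True:
        line = stream.readline()
        if not line:
            return headers + body, "sync error"
        if b"OK" in line:  # message text satisfies this test too
            return headers + body, "ok"

def strict_fetch(stream):
    """Frame by the announced literal length and the command tag only."""
    message = stream.read(literal_size(stream.readline()))
    while True:
        line = stream.readline()
        if not line:
            return message, "sync error"
        if line.startswith(TAG + b" "):
            return message, "ok" if line.startswith(TAG + b" OK") else "no"
```

After `loose_fetch` on the CRLF message, the unread `)` and tagged reply are what the client sees as the answer to its next command, which is the desynchronisation the report describes; the strict parser leaves nothing behind.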