[pkg-fetchmail-maint] Bug#338007: fetchmail: certain messages cause "client/server synchronization error while fetching ..."

Nico Golde nico at ngolde.de
Mon Nov 7 23:12:32 UTC 2005


tags 338007 + upstream

* Nathaniel W. Turner <nate at houseofnate.net> [2005-11-07 20:37]:
> Package: fetchmail
> Version: 6.2.5-18
> Severity: important
> 
> I have done some debugging, and determined that with my setup, fetchmail
> always fails if two conditions are met.
> 
> My setup:
> 
> - messages arrive on box-A via qmail
> - fetchmail on box-B fetches messages via courier-imap on box-A
> 
> Conditions required for failure (both must be met):
> 
> 1. the message being fetched must have DOS-style line endings (at least
>    for the blank line between the headers and the message body).
> 
> 2. the message body must contain (anywhere in it) the two-character
>    string "OK".
> 
> If these conditions are met, fetchmail will choke while fetching this
> message, and quit, leaving it and any other message on the server.
> 
> I have minimal test messages and the output of running fetchmail -vv for
> each of them, which I will attach to this report.
> 
> (I don't think this bug has security implications other than a basic
> DoS, but that might be worth investigating, as it seems fetchmail is
> interpreting data from an untrusted user as though it were data from a
> (potentially trusted) mail server.)
> 
> I don't think my particular /etc/fetchmailrc is relevant here, but I can
> provide a sanitized copy if needed.
> 
> Cheers,
> nate
> 
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.14-1-k7
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> 
> Versions of packages fetchmail depends on:
> ii  adduser                       3.77       Add and remove users and groups
> ii  base-files                    3.1.9      Debian base system miscellaneous f
> ii  debianutils                   2.15.1     Miscellaneous utilities specific t
> ii  libc6                         2.3.5-7    GNU C Library: Shared libraries an
> ii  libssl0.9.7                   0.9.7g-5   SSL shared libraries
> 
> Versions of packages fetchmail recommends:
> ii  ca-certificates               20050804   Common CA Certificates PEM files
> 
> -- no debconf information



-- 
Nico Golde - JAB: nion at jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!
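
The reporter's concern, message content being read as though it came from the server, comes down to how an IMAP client frames the literal in a FETCH response. The sketch below is an added example, not fetchmail's code and not part of the original message. The function names, the tag `A0001` and the sample message are constructed, and the naive reader is a hypothetical simplification, not a diagnosis of the actual bug.

```python
import io
import re

LITERAL = re.compile(rb"\{(\d+)\}\r\n$")  # IMAP literal marker: {octet-count} CRLF


def fetch_response(message, tag=b"A0001"):
    """Build a constructed server reply to FETCH 1 BODY[] for this message."""
    return (b"* 1 FETCH (BODY[] {%d}\r\n" % len(message) + message
            + b")\r\n" + tag + b" OK FETCH completed.\r\n")


def naive_fetch(stream):
    """Hypothetical line scanner: stops at the first line containing 'OK'."""
    seen = []
    for line in stream:
        if b"OK" in line:  # message content is mistaken for a server status
            return b"".join(seen), line
        seen.append(line)
    raise ValueError("no completion line seen")


def framed_fetch(stream, tag=b"A0001"):
    """Consume each literal by octet count, then accept only the tagged status."""
    message = None
    while True:
        line = stream.readline()
        if not line:
            raise ValueError("stream ended before the tagged response")
        marker = LITERAL.search(line)
        if marker:
            size = int(marker.group(1))
            message = stream.read(size)  # opaque octets, never parsed as protocol
            if len(message) != size:
                raise ValueError("short literal")
        elif line.startswith(tag + b" "):
            return message, line.split(b" ", 2)[1]


# Constructed sample matching the report: CRLF line endings, "OK" in the body.
MESSAGE = b"Subject: test\r\n\r\nOK then, see you at noon.\r\n"

if __name__ == "__main__":
    wire = fetch_response(MESSAGE)
    print("naive :", naive_fetch(io.BytesIO(wire))[1])
    print("framed:", framed_fetch(io.BytesIO(wire)))
```

Because the framed reader treats the literal as opaque octets, a message that contains text resembling a tagged status line or a literal marker is returned intact.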