FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

fetchmail -- denial of service/crash from malicious POP3 server

Affected packages
fetchmail = 6.2.5.1

Details

VuXML ID 3f4ac724-fa8b-11d9-afcf-0060084a00e5
Discovery 2005-07-21
Entry 2005-07-22

In fetchmail 6.2.5.1, the remote code injection via POP3 UIDL was fixed, but a denial of service attack was introduced:

Two possible NULL-pointer dereferences allow a malicious POP3 server to crash fetchmail by respondig with UID lines containing only the article number but no UID (in violation of RFC-1939), or a message without Message-ID when no UIDL support is available.

References

Message 20050721172317.GB3071@amilo.ms.mff.cuni.cz
URL http://www.fetchmail.info/fetchmail-SA-2005-01.txt

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.