FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

fetchmail -- fetchmailconf local password exposure

Affected packages
fetchmail < 6.2.5.2_1

Details

VuXML ID baf74e0b-497a-11da-a4f4-0060084a00e5
Discovery 2005-10-21
Entry 2005-10-30

The fetchmail team reports:

The fetchmailconf program before and excluding version 1.49 opened the run control file, wrote the configuration to it, and only then changed the mode to 0600 (rw-------). Writing the file, which usually contains passwords, before making it unreadable to other users, can expose sensitive password information.
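An added example (not fetchmailconf's code and not part of the advisory) showing the write-then-chmod ordering described above next to one way to avoid it. The function names, the umask of 022 and the constructed rc line are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def _mode(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)

def write_rc_unsafe(path, text):
    """Write first, restrict afterwards (the ordering the advisory describes)."""
    with open(path, "w") as f:            # created as 0666 & ~umask
        f.write(text)
        f.flush()
        exposed = _mode(path)             # mode while the password is already on disk
    os.chmod(path, 0o600)                 # too late: the readable window already existed
    return exposed

def write_rc_safe(path, text):
    """Create a private file first, write to it, then move it into place."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)   # mkstemp creates the file as 0600
    try:
        with os.fdopen(fd, "w") as f:
            during = _mode(tmp)           # mode in effect before any data is written
            f.write(text)
        os.replace(tmp, path)             # atomic rename; replaces an older, looser file
    except BaseException:
        os.unlink(tmp)
        raise
    return during

def demo():
    """Return (mode during unsafe write, mode during safe write)."""
    old = os.umask(0o022)                 # assumed umask, set so the result is deterministic
    try:
        with tempfile.TemporaryDirectory() as d:
            rc = "poll mail.example.org user alice password CONSTRUCTED\n"  # constructed sample
            unsafe = write_rc_unsafe(os.path.join(d, "unsafe.rc"), rc)
            safe = write_rc_safe(os.path.join(d, "safe.rc"), rc)
            return unsafe, safe
    finally:
        os.umask(old)

if __name__ == "__main__":
    unsafe, safe = demo()
    print(f"unsafe ordering, mode while written: {unsafe:04o}")
    print(f"safe ordering, mode while written:   {safe:04o}")
```

With the assumed umask, the first function leaves the file group- and world-readable until the `chmod` call runs, while the second never exposes it with a mode looser than 0600.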

References

CVE Name CVE-2005-3088
URL http://www.fetchmail.info/fetchmail-SA-2005-02.txt