Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2711 to the following vulnerability: fetchmail 6.3.8 and earlier, when running in -v -v mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which is not properly handled when using vsnprintf to format log messages. References: http://www.openwall.com/lists/oss-security/2008/06/13/1 http://www.fetchmail.info/fetchmail-SA-2008-01.txt https://bugzilla.novell.com/show_bug.cgi?id=354291
Fetchmail SA-2008-01 was updated on 2008-06-24 to address the same issue in report_complete(), besides originally reported report_build().
This issue can result in fetchmail crash. Such crash can only be considered a security issue when fetchmail is run in daemon mode. However, it's unlikely to use double verbose mode (-v -v) when running fetchmail in a daemon mode. Problem can easily be worked-around by lowering logging verbosity. With respect to that, this issue was rated as having low security impact, a future fetchmail update in Red Hat Enterprise Linux may address this flaw. Note: This issue may not affect all architectures and glibc versions. Crash was only confirmed on x86_64 and PPC architectures.
fetchmail-6.3.8-7.fc9 has been submitted as an update for Fedora 9
fetchmail-6.3.8-4.fc8 has been submitted as an update for Fedora 8
fetchmail-6.3.8-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
fetchmail-6.3.8-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1427 https://rhn.redhat.com/errata/RHSA-2009-1427.html