Mailinglist Archive: opensuse-security (375 mails)

< Previous Next >
Re: [suse-security] SuSE Security Announcement: heimdal (SuSE-SA:2002:034)
  • From: Olaf Kirch <okir@xxxxxxx>
  • Date: Tue, 1 Oct 2002 12:45:06 +0200
  • Message-id: <20021001124506.Q22251@xxxxxxx>
On Tue, Oct 01, 2002 at 12:11:24PM +0200, Martin K?hling wrote:
> > 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
> >
> > - fetchmail
> > Fetchmail contains remotely exploitable overflows in the mail header
> > parsing functions. In depth discussion of these problems can be found at
> > http://security.e-matters.de/advisories/032002.html.
> > New packages will soon be available on our ftp servers.
>
> According to the web page mentioned, fetchmail is only vulnerable in
> "multidrop" mode, i.e. when multiple users share one POP3 mailbox and
> fetchmail is asked to parse the mail headers to deliver them to
> the final recipient...
>
> Since this is not recommended anyway (being rather brain-dead), *most*
> users should be safe by default, right?

Yes and no. According to the e-matters advisory there are also buffer
overflows when parsing email addresses. They think these are not
exploitable. But there's one lesson I've learned over the years which
is that if you say "can never be exploited" there's surely some creative
spirit out there who gives his best to come up with an exploit. And
quite often these folks do succeed...

Olaf
--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@xxxxxxx | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann

< Previous Next >