what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jul 28, 2005
Authored by Matthias Andree | Site fetchmail.berlios.de

Fetchmail version 1.02 suffers from a remote code injection vulnerability.

tags | advisory, remote
advisories | CVE-2005-2335
SHA-256 | fc3f1ce80d30fc5169baa1476c5710f9cd636aec98c35ccdc729e1c419f34d2c


Change Mirror Download
Hash: SHA1

fetchmail-SA-2005-01: security announcement

Topic: remote code injection vulnerability in fetchmail

Author: Matthias Andree
Version: 1.02
Announced: 2005-07-21
Type: buffer overrun/stack corruption/code injection
Impact: account or system compromise possible through malicious
or compromised POP3 servers
Danger: high: in sensitive configurations, a full system
compromise is possible
(for denial of service for the whole fetchmail
system is possible)
CVE Name: CAN-2005-2335
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
Thanks: Edward J. Shornock (located the bug in UIDL code)
Miloslav Trmac (pointed out was faulty)
Ludwig Nussel (provided minimal correct fix)

Affects: fetchmail version (denial of service)
fetchmail version 6.2.5 (code injection)
fetchmail version 6.2.0 (code injection)
(other versions have not been checked)

Not affected: fetchmail
fetchmail 6.2.6-pre7
fetchmail 6.3.0 (not released yet)

Older versions may not have THIS bug, but had been found
to contain other security-relevant bugs.

Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
2005-07-22 fetchmail-patch- released
2005-07-23 fetchmail- tarball released

0. Release history

2005-07-20 1.00 - Initial announcement
2005-07-22 1.01 - Withdrew and 6.2.6-pre5, the fix was buggy
and susceptible to denial of service through
single-byte read from 0 when either a Message-ID:
header was empty (in violation of RFC-822/2822)
or the UIDL response did not contain an UID (in
violation of RFC-1939).
- Add Credits.
- Add failure details to sections 2 and 3
- Revise section 5 and B.
2005-07-26 1.02 - Revise section 0.
- Add FreeBSD VuXML URL for
- Add heise security URL.
- Mention release of tarball.

1. Background

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

2. Problem description

The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
the UIDL) reads the responses returned by the POP3 server into
fixed-size buffers allocated on the stack, without limiting the input
length to the buffer size. A compromised or malicious POP3 server can
thus overrun fetchmail's stack. This affects POP3 and all of its
variants, for instance but not limited to APOP.

In fetchmail-, the attempted fix prevented code injection via
POP3 UIDL, but introduced two possible NULL dereferences that can be
exploited to mount a denial of service attack.

3. Impact

In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
crash, or potentially make it execute code placed on the stack. In some
configurations, fetchmail is run by the root user to download mail for
multiple accounts.

In fetchmail-, a server that responds with UID lines containing
only the article number but no UID (in violation of RFC-1939), or a
message without Message-ID when no UIDL support is available, can crash

4. Workaround

No reasonable workaround can be offered at this time.

5. Solution

Upgrade your fetchmail package to version

You can either download a complete tarball of fetchmail-,
or you can download a patch against fetchmail-6.2.5 if you already have
the 6.2.5 tarball. Either is available from:


To use the patch:

1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already
had downloaded) and fetchmail-patch-
2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf -
3. unpack the patch: gunzip fetchmail-patch-
4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-
5. now configure and build as usual - detailed instructions in the file
named "INSTALL".

A. References

fetchmail home page: <http://fetchmail.berlios.de/>

B. Copyright, License and Warranty

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

Use the information herein at your own risk.

END OF fetchmail-SA-2005-01.txt
Version: GnuPG v1.4.0 (GNU/Linux)

Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By