Vigil@nce: fetchmail, denial of service in verbose mode
June 2008 by Vigil@nce
SYNTHESIS
When fetchmail is used in verbose mode, an attacker can create a
long message in order to stop it.
Gravity: 1/4
Consequences: denial of service of service
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: low (1/3)
Creation date: 18/06/2008
Identifier: VIGILANCE-VUL-7900
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION
The fetchmail program downloads emails from a POP or IMAP server
and delivers them depending on its configuration.
When fetchmail is used in verbose mode (-vv or -vvv), headers are
rewritten. However, if a header in longer than 2048 characters, an
error occurs and stops fetchmail.
An attacker can therefore create a malicious email in order to
create a denial of service when it is downloaded in verbose mode.
CHARACTERISTICS
Identifiers: 354291, CVE-2008-2711, fetchmail-SA-2007-02,
fetchmail-SA-2008-01, VIGILANCE-VUL-7900