Vigil@nce: fetchmail, denial of service in debug mode
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can send an email containing multibyte characters, in
order to stop fetchmail in debug mode.
– Severity: 1/4
– Creation date: 19/04/2010
DESCRIPTION OF THE VULNERABILITY
The fetchmail program downloads emails from a POP or IMAP server.
When the -v option (verbose) is used twice, fetchmail enters in
debug mode and displays additional information.
However, in debug mode, if an email header contains a multibyte
character, an infinite loop occurs and fetchmail stops.
An attacker can therefore send an email containing multibyte
characters, in order to stop fetchmail in debug mode.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/fetchmail-denial-of-service-in-debug-mode-9596