16th Dec 2002 [SBWID-5877]
COMMAND
Fetchmail remote heap overflow
SYSTEMS AFFECTED
Fetchmail <= 6.1.3
PROBLEM
Stefan Esser [s.esser@e-matters.de] says:
http://security.e-matters.de/advisories/052002.html
--snip--
When Fetchmail retrieves a mail it performs the so-called reply-hack.
This basically means that all headers that contain addresses are searched
for local addresses (without @domain part). When such an address is
found, Fetchmail appends an @ and the hostname of the mailserver to it.
To avoid unnecessary reallocating of the output buffer during this
process Fetchmail counts the number of addresses within the headerline
first. Then it reserves enough space for the case that all addresses
are locals. Unfortunately this calculation is wrong because it counts
a) too many addresses and b) only takes the hostname into account and not
the extra @ which is also appended. This means at the moment where you
have enough (due to a) local addresses within the headerline every
additional address will overflow the buffer by one byte. This results
in an arbitrary size heap overflow, which was proved to be exploitable
on our Linux boxes. Due to the fact that this heap overflow occurs in
malloc()ed areas we believe that BSD systems can only be crashed with
this bug.
Finally it is important to mention that an attacker does not need to
spoof DNS records, or control the mailserver to exploit this bug. It is
usually enough to send a mail to the victim that contains specially
crafted header lines.
--snap--
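The size miscalculation described in the quoted advisory, as an added C model that is neither fetchmail's code nor the advisory's: flawed_reservation() budgets the hostname without the '@' for every address (the model's only over-count; the advisory does not say how fetchmail over-counted), exact_reservation() budgets '@' plus hostname for each local address, and reply_hack() performs the rewrite only after checking that the buffer is large enough. With hostname "mx" and three local addresses beside one remote one the flawed size is one byte short, and each further local address adds another missing byte.

```c
#include <string.h>

/* Constructed model of the reply-hack described above, not fetchmail's code.
 * Addresses are comma-separated; an address is "local" when it has no '@'. */
static void count_addresses(const char *hdr, size_t *total, size_t *local) {
    *total = *local = 0;
    for (const char *p = hdr; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        (*total)++;
        if (memchr(p, '@', len) == NULL) (*local)++;
        p = end ? end + 1 : p + len;
    }
}

/* Reservation with the two mistakes the advisory names: it budgets for every
 * address rather than only the local ones (the slack an attacker must first
 * use up; the real over-count is not specified above) and omits the '@'. */
size_t flawed_reservation(const char *hdr, const char *host) {
    size_t total, local;
    count_addresses(hdr, &total, &local);
    return strlen(hdr) + total * strlen(host) + 1;
}

/* Exact reservation: each local address grows by the '@' plus the hostname. */
size_t exact_reservation(const char *hdr, const char *host) {
    size_t total, local;
    count_addresses(hdr, &total, &local);
    return strlen(hdr) + local * (1 + strlen(host)) + 1;
}

/* Rewrite hdr into out (capacity cap). Returns bytes written, or -1 when cap
 * is too small: the check that turns a miscounted size into a refused write
 * instead of a heap overflow. */
int reply_hack(const char *hdr, const char *host, char *out, size_t cap) {
    if (exact_reservation(hdr, host) > cap) return -1;
    size_t n = 0, hl = strlen(host);
    for (const char *p = hdr; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        memcpy(out + n, p, len); n += len;
        if (memchr(p, '@', len) == NULL) {          /* local: append @host */
            out[n++] = '@'; memcpy(out + n, host, hl); n += hl;
        }
        if (end) out[n++] = ',';
        p = end ? end + 1 : p + len;
    }
    out[n] = '\0';
    return (int)n;
}
```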
SOLUTION
Get release version 6.2.0