Re: [RHSA-2002:047-10] Updated fetchmail packages available
From: Florian Weimer (Weimer@CERT.Uni-Stuttgart.DE)
Date: 05/31/02
- Previous message: Daniel Nyström: "[[ TH 026 Inc. ]] SA #3 - Shambala Server 4.5, Directory Traversal and DoS"
- In reply to: bugzilla@redhat.com: "[RHSA-2002:047-10] Updated fetchmail packages available"
- Next in thread: Nate Eldredge: "Re: [RHSA-2002:047-10] Updated fetchmail packages available"
- Reply: Nate Eldredge: "Re: [RHSA-2002:047-10] Updated fetchmail packages available"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Date: Fri, 31 May 2002 15:39:41 +0200
bugzilla@redhat.com writes:
> Updated fetchmail packages are available for Red Hat Linux 6.2, 7, 7.1,
> 7.2, and 7.3 which close a remotely-exploitable vulnerability in unpatched
> versions of fetchmail prior to 5.9.10.
It appears that this vulnerability is caused by some alloca()
implementations which do not return zero if the caller requests more
memory than is available.
Red Hat's patch does not address the root of the problem by fixing
alloca() (a problem which might be of a more generic nature and could
well be present in other software as well), but it bounds the
requested memory by something which appears to be a rather arbitrary
constant.
--
Florian Weimer                Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart       http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                      +49-711-685-5973/fax +49-711-685-5898
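The failure mode discussed in this thread, as an added illustration that is not fetchmail's or Red Hat's code: alloca() cannot report an oversized request, so the size has to be checked before the call rather than the return value afterwards. STACK_BUF_LIMIT and the counting function are assumptions chosen for the example.

```c
/* Added example (not from the patch under discussion). alloca() on most
 * platforms just moves the stack pointer and never returns NULL, so
 * "if (buf == NULL)" after alloca() is no protection at all. The robust
 * check is on the size *before* the call: small requests may use the
 * stack, anything larger goes to the heap, where failure is reported. */
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF_LIMIT 4096   /* assumed: largest request served from the stack */

/* Count uppercase ASCII letters in a working copy of `input` (length `len`).
 * Returns -1 if the copy cannot be allocated. */
long count_upper_bounded(const char *input, size_t len)
{
    char *buf;
    int on_heap = 0;
    long count = 0;

    if (len == SIZE_MAX)                /* len + 1 would wrap around */
        return -1;
    if (len + 1 <= STACK_BUF_LIMIT) {
        buf = alloca(len + 1);          /* bounded, so it cannot run the stack out */
    } else {
        buf = malloc(len + 1);          /* unbounded request: heap, failure checkable */
        if (buf == NULL)
            return -1;
        on_heap = 1;
    }
    memcpy(buf, input, len);
    buf[len] = '\0';

    for (size_t i = 0; i < len; i++)
        if (buf[i] >= 'A' && buf[i] <= 'Z')
            count++;

    if (on_heap)
        free(buf);
    return count;
}

/* Constructed input for exercising the heap path: `len` bytes of 'Q'. */
long count_upper_in_large_input(size_t len)
{
    char *big = malloc(len);
    if (big == NULL)
        return -1;
    memset(big, 'Q', len);
    long r = count_upper_bounded(big, len);
    free(big);
    return r;
}
```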