author Matthias Andree <matthias.andree@gmx.de> 2008-06-13 16:20:49 +0000
committer Matthias Andree <matthias.andree@gmx.de> 2008-06-13 16:20:49 +0000
commit 99113547e733f876cc2f8dfbe8412ed7e082d479
tree ddf9fbff3262a8a25a8cbcea49fb605f64e1f4e9
parent 592f3edea03f19d8c682d9f3d9c4c05028c15a77

Fix Novell Bug #354291, fetchmail crashes in -v -v mode when logging long To:
headers (in excess of 2048 bytes).

svn path=/branches/BRANCH_6-3/; revision=5193

Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 8
1 files changed, 8 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 0f5de772..bffec103 100644
--- a/NEWS
+++ b/NEWS
@@ -54,6 +54,14 @@ fetchmail 6.3.9 (not yet released):
This bug was apparently introduced on 1998-11-27 when the bouncemail facility
was modularized. The bug then made its appearance in fetchmail release 4.6.8.
See also fetchmail-SA-2007-02.txt.
+* CVE-2008-XXXX: Denial of service: When fetchmail logs data blobs
+ (for instance, a To: header in -v -v verbose mode) in excess of 2048
+ bytes, it will crash, because it hands an uninitialized argument
+ pointer (not the format string though) to vsnprintf and reads a
+ random memory location (it calls va_arg() too often without
+ resetting it with va_start()). Based on a patch by Petr Uzel, fixes
+ Novell Bug #354291.
+ See also fetchmail-SA-2008-01.txt.
# CRITICAL BUG FIX:
* When expunging, mark the right messages as seen to avoid message loss in "keep
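
Review bot: The first added line still carries the placeholder identifier "CVE-2008-XXXX"; it should be replaced with the assigned CVE number before 6.3.9 is released, so the NEWS entry can be matched against fetchmail-SA-2008-01.txt and external advisories. The entry also does not say which releases are affected, whereas the preceding entry records when its bug was introduced and in which release it first appeared; adding the same information here would let readers judge whether they need the fix. In the parenthetical "it calls va_arg() too often without resetting it with va_start()", the subject "it" is ambiguous between fetchmail and vsnprintf, so naming the caller explicitly would make the cause easier to follow. Since the diffstat is limited to NEWS, the code change itself is not visible here and the description cannot be checked against it from this view.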