blob: 67ff8f87bb8b42c00a94effd9233d5e6fc311565 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200511-06">
<title>fetchmail: Password exposure in fetchmailconf</title>
fetchmailconf fails to properly handle file permissions, temporarily
exposing sensitive information to other local users.
<product type="ebuild">fetchmail</product>
<announced>November 06, 2005</announced>
<revised>November 06, 2005: 01</revised>
<package name="net-mail/fetchmail" auto="yes" arch="*">
<unaffected range="ge"></unaffected>
<vulnerable range="lt"></vulnerable>
fetchmail is a utility that retrieves and forwards mail from
remote systems using IMAP, POP, and other protocols. It ships with
fetchmailconf, a graphical utility used to create configuration files.
Thomas Wolff discovered that fetchmailconf opens the configuration
file with default permissions, writes the configuration to it, and only
then restricts read permissions to the owner.
<impact type="normal">
A local attacker could exploit the race condition to retrieve
sensitive information like IMAP/POP passwords.
Run "umask 077" to temporarily strengthen default permissions,
then run "fetchmailconf" from the same shell.
All fetchmail users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-mail/fetchmail-;</code>
<uri link="">Fetchmail Security Advisory</uri>
<uri link="">CVE-2005-3088</uri>
<metadata tag="submitter" timestamp="Fri, 04 Nov 2005 12:31:43 +0000">
<metadata tag="bugReady" timestamp="Fri, 04 Nov 2005 12:31:54 +0000">