"Fetchmail is a full-featured, robust, well-documented remote-mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). "
fetchmail does not restrict the settings file's readability, which allows any user on the machine to obtain sensitive information.
Vulnerable Systems:
* fetchmail version 6.2.5.2
* fetchmail version 6.2.5
* fetchmail version 6.2.0
* fetchmailconf version 1.43
* fetchmailconf version 1.43.1
Immune Systems:
* fetchmail version 6.2.9-rc6
* fetchmailconf version 1.43.2
* fetchmailconf version 1.49
* fetchmail version 6.3.0
The fetchmailconf program opens the control file, writes the configuration to it, and only then changes the file's permissions to 0600 (rw-------). Because the file usually contains passwords, leaving it readable by other users while it is being written creates a window in which the file can be used to expose those passwords.
Workaround:
Run "umask 077", then run "fetchmailconf" from the same shell. After fetchmailconf has finished, you can restore your old umask.
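The following Python example is added here to illustrate the pattern described above and the umask workaround; it is not fetchmailconf's own code. It contrasts the write-then-chmod sequence with a version that creates the file as 0600 from the start, reporting the mode the file had while the secrets were being written. The config text and the function names are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed sample, not a real account or host.
SAMPLE_CONFIG = (
    "poll mail.example.com proto pop3\n"
    "  user 'alice' pass 'not-a-real-password'\n"
)


def write_config_then_chmod(path, text):
    """Vulnerable sequence from the advisory: create with the process umask,
    write the secrets, chmod to 0600 afterwards. Returns the mode the file
    had while the data was being written (the exposure window)."""
    with open(path, "w") as fh:
        fh.write(text)
        fh.flush()
        mode_during_write = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
    os.chmod(path, 0o600)
    return mode_during_write


def write_config_private(path, text):
    """Hardened sequence: request mode 0600 at creation time and fchmod the
    open descriptor before writing, which also fixes a pre-existing file
    that was left with a wider mode. Returns the mode during the write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        mode_during_write = stat.S_IMODE(os.fstat(fd).st_mode)
        os.write(fd, text.encode())
    finally:
        os.close(fd)
    return mode_during_write


def demo(umask=0o022):
    """Run both writers under the given umask and return (vulnerable_mode,
    hardened_mode). umask 0o077 reproduces the advisory's workaround."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            vulnerable = write_config_then_chmod(os.path.join(d, "a"), SAMPLE_CONFIG)
            hardened = write_config_private(os.path.join(d, "b"), SAMPLE_CONFIG)
    finally:
        os.umask(old)
    return vulnerable, hardened
```

With the common default umask 022 the first writer exposes the file as 0644 during the write while the second keeps it at 0600; with umask 077, as in the workaround, both stay at 0600.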
Vendor Status:
The vendor has fixed the issue:
For users of fetchmail-6.2.5.2: Download fetchmailconf-1.43.2.gz.
For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6: update to the latest fetchmail-devel package 6.2.9-rc6.