GLSA-200511-06 : fetchmail: Password exposure in fetchmailconf

This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200511-06
(fetchmail: Password exposure in fetchmailconf)

Thomas Wolff discovered that fetchmailconf opens the configuration
file with default permissions, writes the configuration to it, and only
then restricts read permissions to the owner.

Impact :

A local attacker could exploit the race condition to retrieve
sensitive information like IMAP/POP passwords.

Workaround :

Run 'umask 077' to temporarily strengthen default permissions,
then run 'fetchmailconf' from the same shell.

See also :

http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
http://www.gentoo.org/security/en/glsa/glsa-200511-06.xml

Solution :

All fetchmail users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-mail/fetchmail-6.2.5.2-r1'

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 20156 (gentoo_GLSA-200511-06.nasl)

Bugtraq ID:

CVE ID: CVE-2005-3088