FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

fetchmail -- potential crash when authenticating to SMTP server

Affected packages
5.9.9 <= fetchmail < 6.5.6

Details

VuXML ID 21fba35e-a05f-11f0-a8b8-a1ef31191bc1
Discovery 2025-10-02
Entry 2025-10-03
Modified 2025-10-04

Matthias Andree reports:

fetchmail's SMTP client, when configured to authenticate, is susceptible to a protocol violation where, when a trusted but malicious or malfunctioning SMTP server responds to an authentication request with a "334" code but without a following blank on the line, it will attempt to start reading from memory address 0x1 to parse the server's SASL challenge. This address is constant and not under the attacker's control. This event will usually cause a crash of fetchmail.
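As an added illustration of the defensive check this advisory calls for (example code written for this page, not fetchmail's code or its fix), the parser below handles the SMTP AUTH continuation reply without ever deriving a pointer from a failed delimiter search. An address of 0x1 is what results from adding 1 to the NULL that a strchr/strpbrk call returns when the expected blank is missing; whether that is the precise pattern in fetchmail's source is not stated here and is assumed only for the comments. All function and enum names are the example's own, and the sample reply lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classification of one SMTP reply line handed to the SASL client. */
typedef enum {
    SASL_REPLY_CHALLENGE,   /* "334 <data>": a challenge follows the blank   */
    SASL_REPLY_EMPTY,       /* "334" alone or "334 ": server sent no data    */
    SASL_REPLY_NOT_334,     /* well-formed reply with a different code        */
    SASL_REPLY_MALFORMED    /* not "ddd" followed by SP, "-" or end of line   */
} sasl_reply_t;

/* Parse a reply line. On SASL_REPLY_CHALLENGE, *challenge points into the
 * line and *challenge_len excludes any trailing CR/LF. The blank after
 * "334" is located by bounds-checked indexing, so a bare "334" (the case
 * described in the advisory) yields an empty challenge instead of a
 * pointer computed from a NULL search result. */
sasl_reply_t parse_sasl_334(const char *line, const char **challenge,
                            size_t *challenge_len)
{
    *challenge = "";
    *challenge_len = 0;
    if (line == NULL)
        return SASL_REPLY_MALFORMED;

    /* RFC 5321 replies begin with exactly three digits; stop at the first
     * non-digit so a short line is never read past its terminator. */
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i]))
            return SASL_REPLY_MALFORMED;

    /* The code must be followed by SP, "-" (multi-line) or end of line. */
    char sep = line[3];
    if (sep != '\0' && sep != ' ' && sep != '-' && sep != '\r' && sep != '\n')
        return SASL_REPLY_MALFORMED;

    if (strncmp(line, "334", 3) != 0)
        return SASL_REPLY_NOT_334;

    /* No blank after "334": report an empty challenge and let the caller
     * abort authentication. A multi-line 334 has no meaning for SASL. */
    if (sep != ' ')
        return sep == '-' ? SASL_REPLY_MALFORMED : SASL_REPLY_EMPTY;

    const char *p = line + 4;
    while (*p == ' ')
        p++;
    size_t len = strcspn(p, "\r\n");
    if (len == 0)
        return SASL_REPLY_EMPTY;
    *challenge = p;
    *challenge_len = len;
    return SASL_REPLY_CHALLENGE;
}

/* Convenience wrappers so a caller (or a test) can query a line directly. */
sasl_reply_t classify_sasl_reply(const char *line)
{
    const char *ch;
    size_t len;
    return parse_sasl_334(line, &ch, &len);
}

size_t sasl_challenge_len(const char *line)
{
    const char *ch;
    size_t len;
    parse_sasl_334(line, &ch, &len);
    return len;
}

int main(void)
{
    /* Constructed sample replies, including the advisory's trigger. */
    const char *samples[] = {
        "334 VXNlcm5hbWU6\r\n",                 /* base64("Username:")     */
        "334",                                  /* bare 334, no blank      */
        "334 ",                                 /* blank, empty challenge  */
        "535 5.7.8 Authentication failed\r\n",  /* a different reply code  */
        "33x",                                  /* not a reply code at all */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *ch;
        size_t len;
        sasl_reply_t r = parse_sasl_334(samples[i], &ch, &len);
        printf("%-34.*s -> %d challenge=\"%.*s\"\n",
               (int)strcspn(samples[i], "\r\n"), samples[i],
               (int)r, (int)len, ch);
    }
    return 0;
}
```

The caller treats anything other than SASL_REPLY_CHALLENGE as a reason to abandon the AUTH exchange and log the raw line; a server that answers 334 with no challenge is either broken or hostile, and neither case should be fed into the SASL decoder.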

References

CVE Name CVE-2025-61962
URL https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8
URL https://gitlab.com/fetchmail/fetchmail/-/raw/legacy_6x/fetchmail-SA-2025-01.txt?ref_type=heads
URL https://www.fetchmail.info/fetchmail-SA-2025-01.txt