Package: sympa
Version: 4.1.2-2.1
Severity: grave
Justification: user security hole

----- Forwarded message from Aumont - Comite Reseaux des Universites <[EMAIL PROTECTED]> -----

Return-Path: [EMAIL PROTECTED]
Date: Tue, 15 Feb 2005 18:09:54 +0100
From: Aumont - Comite Reseaux des Universites <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040922
To: [EMAIL PROTECTED]
Subject: [sympa-announce] Security advisory
Reply-To: [EMAIL PROTECTED]

French CERT has published a security advisory (reference 
CERTA-2005-AVI-078): bouncequeue and queue can execute arbitrary code 
because of a buffer overflow.

This concerns all versions of Sympa (including 5.0b) except 4.1.3, 4.1.4 
and 4.1.5.

Please refer to http://www.sympa.org for solutions.

Serge Aumont

----------

The patches are:

http://sourcesup.cru.fr/cgi/viewcvs.cgi/sympa/src/queue.c.diff?r2=1.4.2.1&cvsroot=sympa&r1=1.4&diff_format=u

http://sourcesup.cru.fr/cgi/viewcvs.cgi/sympa/src/bouncequeue.c.diff?r2=1.4.2.1&cvsroot=sympa&r1=1.4&diff_format=u



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (900, 'testing'), (10, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-2-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages sympa depends on:
ii  adduser                     3.59         Add and remove users and groups
ii  debconf                     1.4.30.8     Debian configuration management sy
ii  libc6                       2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  libcgi-fast-perl            5.8.4-3      CGI::Fast Perl module
ii  libcrypt-ciphersaber-perl   0.61-4       Perl module implementing CipherSab
ii  libdbd-mysql-perl           2.9003-3     A Perl5 database interface to the 
ii  libdbi-perl                 1.45-1       The Perl5 Database Interface by Ti
ii  libfcgi-perl                0.67-1       FastCGI Perl module
ii  libio-stringy-perl          2.109-2      Perl5 modules for IO from scalars 
ii  libmailtools-perl           1.62-1       Manipulate email in perl programs
ii  libmd5-perl                 2.03-1       backwards-compatible wrapper for D
ii  libmime-perl                5.415-1      Perl5 modules for MIME-compliant m
ii  libmsgcat-perl              1.03-3       Locale::Msgcat perl module
ii  libnet-ldap-perl            0.3202-2     A Client interface to LDAP servers
ii  mhonarc                     2.6.10-1     Mail to HTML converter
ii  perl [libmime-base64-perl]  5.8.4-6      Larry Wall's Practical Extraction 
ii  perl-suid                   5.8.4-6      Runs setuid Perl scripts
ii  postfix [mail-transport-age 2.1.4-5      A high-performance mail transport 
ii  sysklogd [system-log-daemon 1.4.1-15     System Logging Daemon

-- debconf information excluded

