Your message dated Fri, 21 Oct 2005 18:10:56 +0200
with message-id <[EMAIL PROTECTED]>
and subject line
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Mar 2005 20:54:35 +0000
>From [EMAIL PROTECTED] Fri Mar 25 12:54:35 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de)
[193.22.164.111]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DEvpC-0005F9-00; Fri, 25 Mar 2005 12:54:35 -0800
Received: from p54896647.dip.t-dialin.net ([84.137.102.71]
helo=localhost.localdomain)
by vserver151.vserver151.serverflex.de with esmtpsa
(TLS-1.0:RSA_AES_256_CBC_SHA:32)
(Exim 4.44)
id 1DEvpA-0001Mj-Kt
for [EMAIL PROTECTED]; Fri, 25 Mar 2005 21:54:33 +0100
Received: from jmm by localhost.localdomain with local (Exim 4.50)
id 1DEvp6-0001mN-AP; Fri, 25 Mar 2005 21:54:28 +0100
Content-Type: multipart/mixed; boundary="===============1077034144=="
MIME-Version: 1.0
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: smail: Remote and local vulnerabilities can be exploited to obtain root
access
X-Mailer: reportbug 3.9
Date: Fri, 25 Mar 2005 21:54:27 +0100
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 84.137.102.71
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
This is a multi-part MIME message sent by reportbug.
--===============1077034144==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Package: smail
Severity: grave
Tags: security patch
Justification: user security hole
[Dear security-team, this should affect Woody as well]
Sean <[EMAIL PROTECTED] has discovered two vulnerabilities in smail,
that can be exploited to obtain root privileges:
1. A heap overflow in RFC 821 header parsing permits remote attackers that
are able to connect to an SMTP server remote code execution with root
privileges.
2. Insecure signal handling may be exploitable to obtain extended privileges
for local users as well.
For full details see
http://www.securityfocus.com/archive/1/394286/2005-03-22/2005-03-28/0
It contains a fix for the heap overflow, which I attach to this report.
Cheers,
Moritz
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
--===============1077034144==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="smail-heap-overflow.patch"
--- addr.c 2004-08-27 01:46:17.000000000 -0500
+++ _addr.c 2005-03-25 01:00:44.423372480 -0500
@@ -217,10 +217,12 @@
ap++;
if (*ap == '@') {
/* matched host!(host!)[EMAIL PROTECTED] -- build the !-route */
- register char *p = xmalloc((size_t) strlen(address));
+ size_t alen = strlen(address);
+ register char *p = xmalloc((size_t) alen + 1);
DEBUG(DBG_ADDR_MID, "found host!(host!)[EMAIL PROTECTED]
form--ugh!\n");
/* first part already !-route */
strncpy(p, address, (size_t) (ap - address));
+ p[(ap - address)] = '\0';
if (mark_end) {
*mark_end++ = '>'; /* widden the original address */
}
@@ -231,7 +233,8 @@
*error);
return NULL;
}
- strcat(p, ap); /* concatenate together */
+ strncat(p, ap, alen-strlen(p)); /* concatenate together
*/
+ p[alen] = '\0'; /* in case in wasn't NULL'd */
xfree(ap);
DEBUG1(DBG_ADDR_HI, "preparse_address returns: %v\n", p);
*rest = mark_end;
--===============1077034144==--
---------------------------------------
Received: (at 301428-done) by bugs.debian.org; 21 Oct 2005 16:10:54 +0000
>From [EMAIL PROTECTED] Fri Oct 21 09:10:54 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mol.es (orix.scouts-es.org) [195.219.121.190] (postfix)
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1ESzTq-0005eM-00; Fri, 21 Oct 2005 09:10:54 -0700
Received: from localhost (localhost [127.0.0.1])
by orix.scouts-es.org (Postfix) with ESMTP id C1BB3B77A1;
Fri, 21 Oct 2005 18:10:52 +0200 (CEST)
Received: from orix.scouts-es.org ([127.0.0.1])
by localhost (orix [127.0.0.1]) (amavisd-new, port 10024) with SMTP
id 21646-08; Fri, 21 Oct 2005 18:10:47 +0200 (CEST)
Received: from localhost.localdomain (localhost [127.0.0.1])
by orix.scouts-es.org (Postfix) with ESMTP id 16082B757E;
Fri, 21 Oct 2005 18:10:47 +0200 (CEST)
Subject:
From: =?ISO-8859-1?Q?H=E9ctor_Garc=EDa?= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="=-YWXCq6Uv2Urdznd/l/aW"
Date: Fri, 21 Oct 2005 18:10:56 +0200
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
X-Mailer: Evolution 2.2.3
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at scouts-es.org
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-3.5 required=4.0 tests=BAYES_00,NOSUBJECT,
VALID_BTS_CONTROL autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2
--=-YWXCq6Uv2Urdznd/l/aW
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
clone 301428 -1
retitle 301428 smail: security: heap overflow.
retitle -1 insecure signal handling
severity -1 important
tags -1 + help
thanks
Version: 3.2.0.115-7
The first part is been closed for a long time.
The second part, hence the clone, is reported to be a security bug, but
upstream says it is not.
There is no exploit to the second bug and I'm not really capable of
deciding who is rigth (is a security bug?), so I'm trusting upstream on
this but.
Anyway I'm asking for help in case someone can give me a more cluefull
opinion on this 'security' bug.
Regards,
H=C3=A9ctor
--=-YWXCq6Uv2Urdznd/l/aW
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQBDWRMQMwsDi2xjdG0RAt7SAKD4miHuoneVeBHMSp+yeUywELfK0wCgze72
lOGlTqLdV1yxj5XIPhRqL8k=
=zbFt
-----END PGP SIGNATURE-----
--=-YWXCq6Uv2Urdznd/l/aW--
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
