On Fri, October 7, 2005 6:17, Martin Schulze said:
> Sven Mueller wrote:
>> I created a fixed package (actually two: one for sid/etch and one for
>> sarge), available at https://mail.incase.de/spampd/sarge-security/
>> respectively at https://mail.incase.de/spampd/sid/ (until my sponsor
>> finds the time to upload the latter to sid). Personally, I'm indifferent
>> whether this fix should be uploaded to the testing-security archive,
>> since the fixed version should propagate quickly from sid.
>>
>> Security-Team: What else do I need to do to get the fixed version into
>> sarge/security?
>
> How does this represent a security bug?
>
> It's not a denial of service unless spampd crashes and is unavailable
> after misprocessing this mail. According to the bug report, the daemon
> is reporting an error but continuing to work.
>
> Hence, it's rather "one mail falls through" or something. Doesn't sound
> security-relevant to me.

Well, it's more of an indirect DoS. The mails are rejected with an SMTP
temporary failure code according to my quick test. This means that those
mails fill up the sending SMTP daemon's queue (which is usually the same
host or a closely related host to the host spampd runs on). In my opinion,
this is a possible DoS attack. And since the fix (one might call it
workaround) is really minimal, I would really recommend updating it in
sarge.

Apart from that, this bug is at least a serious problem, since it might
deny perfectly legal mails from reaching the envelope recipient.

Regarding the comment from Florian Weimer, whether this is really a spampd
bug or more a Net::Server bug, I must say that I didn't (and don't) have
time to analyze it. But I think it would be more a Sys::Syslog bug.
However, I don't know whether using a "%s" as first argument would work as
expected (I would have to test it more intensively, and it certainly isn't
the minimal fix for the problem, just the right one in the long run).

However, even if it would be a Sys::Syslog or Net::Server bug, I would
still think it is right for spampd to work around that bug now (since the
Sys::Syslog/Net::Server fix would be more complex).

regards,
Sven

PS: It is really unlikely for me to be online much this week, so please
don't expect timely answers before Tuesday 18th.

--
Still in NM process