Bug#961060: qmail-verify: CVE-2020-3811 CVE-2020-3812

2020-05-20 Thread Salvatore Bonaccorso
Control: tags -1 + patch

On Tue, May 19, 2020 at 07:30:53PM +0200, Salvatore Bonaccorso wrote:
> Source: netqmail
> Version: 1.06-6.1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 1.06-6
> Control: found -1 1.06-5
> 
> Hi
> 
> See https://www.openwall.com/lists/oss-security/2020/05/19/8 for the
> Qualys advisory covering CVE-2020-3811 and CVE-2020-3812.

debdiff based on the above attached.

Salvatore
diff -u netqmail-1.06/debian/changelog netqmail-1.06/debian/changelog
--- netqmail-1.06/debian/changelog
+++ netqmail-1.06/debian/changelog
@@ -1,3 +1,10 @@
+netqmail (1.06-6.2) unstable; urgency=high
+
+  * Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
+CVE-2020-3812 (Closes: #961060)
+
+ -- Salvatore Bonaccorso   Wed, 20 May 2020 22:23:21 +0200
+
 netqmail (1.06-6.1) unstable; urgency=medium
 
   * Non-maintainer upload.
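Review bot: the continuation line `+CVE-2020-3812 (Closes: #961060)` in the new 1.06-6.2 entry starts at column one, but Debian changelog change-detail lines must begin with at least two spaces (the convention is four, so the text lines up under the `*` item), and a flush-left line can make the changelog parser reject or warn on the entry; indent it to match the `  * Address ...` line above it. The new entry also omits the `  * Non-maintainer upload.` item that the 1.06-6.1 entry directly below carries, even though 1.06-6.2 is again an NMU; keep that line as the first item so the NMU is recorded the same way in both entries. The trailer line `-- Salvatore Bonaccorso   Wed, 20 May 2020 22:23:21 +0200` as shown has no e-mail address between the name and the date; check that the real file carries the `Name <address>  date` form the format requires.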
only in patch2:
unchanged:
--- netqmail-1.06.orig/debian/diff/0004-Remote-Code-Execution-in-qmail.diff
+++ netqmail-1.06/debian/diff/0004-Remote-Code-Execution-in-qmail.diff
@@ -0,0 +1,515 @@
+From e80dc4ad2b0ee51315e336253606c0effdd0f117 Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory 
+Date: Tue, 19 May 2020 10:05:06 -0700
+Subject: [PATCH] Remote Code Execution in qmail (CVE-2005-1513)
+
+Qualys Security Advisory
+
+15 years later: Remote Code Execution in qmail (CVE-2005-1513)
+
+
+Contents
+
+
+Summary
+Analysis
+Exploitation
+qmail-verify
+- CVE-2020-3811
+- CVE-2020-3812
+Mitigations
+Acknowledgments
+Patches
+
+
+Summary
+
+
+TLDR: In 2005, three vulnerabilities were discovered in qmail but were
+never fixed because they were believed to be unexploitable in a default
+installation. We recently re-discovered these vulnerabilities and were
+able to exploit one of them remotely in a default installation.
+
+
+
+In May 2005, Georgi Guninski published "64 bit qmail fun", three
+vulnerabilities in qmail (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515):
+
+http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
+
+Surprisingly, we re-discovered these vulnerabilities during a recent
+qmail audit; they have never been fixed because, as stated by qmail's
+author Daniel J. Bernstein (in https://cr.yp.to/qmail/guarantee.html):
+
+"This claim is denied. Nobody gives gigabytes of memory to each
+qmail-smtpd process, so there is no problem with qmail's assumption
+that allocated array lengths fit comfortably into 32 bits."
+
+Indeed, the memory consumption of each qmail-smtpd process is severely
+limited by default (by qmail-smtpd's startup script); for example, on
+Debian 10 (the latest stable release), it is limited to roughly 7MB.
+
+Unfortunately, we discovered that these vulnerabilities also affect
+qmail-local, which is reachable remotely and is not memory-limited by
+default (we investigated many qmail packages, and *all* of them limit
+qmail-smtpd's memory, but *none* of them limits qmail-local's memory).
+
+As a proof of concept, we developed a reliable, local and remote exploit
+against Debian's qmail package in its default configuration. This proof
+of concept requires 4GB of disk space and 8GB of memory, and allows an
+attacker to execute arbitrary shell commands as any user, except root
+(and a few system users who do not own their home directory). We will
+publish our proof-of-concept exploit in the near future.
+
+About our new discovery, Daniel J. Bernstein issues the following
+statement:
+
+"https://cr.yp.to/qmail/guarantee.html has for many years mentioned
+qmail's assumption that allocated array lengths fit comfortably into
+32 bits. I run each qmail service under softlimit -m12345678, and I
+recommend the same for other installations."
+
+Finally, we also discovered two minor vulnerabilities in qmail-verify (a
+third-party qmail patch that is included in, for example, Debian's qmail
+package): CVE-2020-3811 (a mail-address verification bypass), and
+CVE-2020-3812 (a local information disclosure).
+
+
+Analysis
+
+
+We decided to exploit Georgi Guninski's vulnerability "1. integer
+overflow in stralloc_readyplus" (CVE-2005-1513). There are, in fact,
+four potential integer overflows in stralloc_readyplus; three in the
+GEN_ALLOC_readyplus() macro (which generates the stralloc_readyplus()
+function), at line 21 (n += x->len), line 23 (x->a = base + n + ...),
+and line 24 (x->a * sizeof(type)):
+

Processed: Re: Bug#961060: qmail-verify: CVE-2020-3811 CVE-2020-3812

2020-05-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #961060 [src:netqmail] qmail-verify: CVE-2020-3811 CVE-2020-3812
Added tag(s) patch.

-- 
961060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961060
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#961060: qmail-verify: CVE-2020-3811 CVE-2020-3812

2020-05-19 Thread Salvatore Bonaccorso
Source: netqmail
Version: 1.06-6.1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.06-6
Control: found -1 1.06-5

Hi

See https://www.openwall.com/lists/oss-security/2020/05/19/8 for the
Qualys advisory covering CVE-2020-3811 and CVE-2020-3812.

Regards,
Salvatore