Your message dated Sun, 27 Mar 2005 17:32:07 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#301428: fixed in smail 3.2.0.115-7
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: smail: Remote and local vulnerabilities can be exploited to obtain root access
Date: Fri, 25 Mar 2005 21:54:27 +0100

Package: smail
Severity: grave
Tags: security patch
Justification: user security hole

[Dear security-team, this should affect Woody as well]

Sean <[EMAIL PROTECTED]> has discovered two vulnerabilities in smail, that
can be exploited to obtain root privileges:

1. A heap overflow in RFC 821 header parsing permits remote attackers
   that are able to connect to an SMTP server remote code execution with
   root privileges.
2. Insecure signal handling may be exploitable to obtain extended
   privileges for local users as well.

For full details see
http://www.securityfocus.com/archive/1/394286/2005-03-22/2005-03-28/0

It contains a fix for the heap overflow, which I attach to this report.
Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Content-Disposition: attachment; filename="smail-heap-overflow.patch"

--- addr.c 2004-08-27 01:46:17.000000000 -0500 +++ _addr.c 2005-03-25 01:00:44.423372480 -0500 @@ -217,10 +217,12 @@ ap++; if (*ap == '@') { /* matched host!(host!)[EMAIL PROTECTED] -- build the !-route */ - register char *p = xmalloc((size_t) strlen(address)); + size_t alen = strlen(address); + register char *p = xmalloc((size_t) alen + 1); DEBUG(DBG_ADDR_MID, "found host!(host!)[EMAIL PROTECTED] form--ugh!\n"); /* first part already !-route */ strncpy(p, address, (size_t) (ap - address)); + p[(ap - address)] = '\0'; if (mark_end) { *mark_end++ = '>'; /* widden the original address */ } @@ -231,7 +233,8 @@ *error); return NULL; } - strcat(p, ap); /* concatenate together */ + strncat(p, ap, alen-strlen(p)); /* concatenate together */ + p[alen] = '\0'; /* in case in wasn't NULL'd */ xfree(ap); DEBUG1(DBG_ADDR_HI, "preparse_address returns: %v\n", p); *rest = mark_end;
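
Review bot: In the first hunk, `xmalloc((size_t) alen + 1)` sizes `p` from the length of the original `address`, while the second hunk appends `ap` after it has evidently been replaced by a separately allocated string (it is passed to `xfree` there). A short comment stating why that string cannot be longer than the part of `address` it replaces would make the bound reviewable; as written the size rests on an unstated assumption. The cast in `(size_t) alen + 1` is redundant because `alen` is already a `size_t`. The added `p[(ap - address)] = '\0';` after `strncpy` is needed, since `strncpy` does not terminate the copy when it stops at the count.
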
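
Review bot: In the second hunk, `strncat(p, ap, alen-strlen(p))` silently truncates when `ap` does not fit, so a shortened address would be returned as if parsing had succeeded. Compare `strlen(ap)` with `alen - strlen(p)` before concatenating and, if it does not fit, report it through `*error` and return NULL as the context lines just above do. `strncat` always writes a terminating NUL, so `p[alen] = '\0';` is redundant (harmless given the `alen + 1` allocation in the first hunk), and its comment should read "in case it wasn't NUL-terminated".
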
From: Hector Garcia <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#301428: fixed in smail 3.2.0.115-7
Date: Sun, 27 Mar 2005 17:32:07 -0500

Source: smail
Source-Version: 3.2.0.115-7

We believe that the bug you reported is fixed in the latest version of
smail, which is due to be installed in the Debian FTP archive:

smail_3.2.0.115-7.diff.gz
  to pool/main/s/smail/smail_3.2.0.115-7.diff.gz
smail_3.2.0.115-7.dsc
  to pool/main/s/smail/smail_3.2.0.115-7.dsc
smail_3.2.0.115-7_i386.deb
  to pool/main/s/smail/smail_3.2.0.115-7_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hector Garcia <[EMAIL PROTECTED]> (supplier of updated smail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 27 Mar 2005 23:21:43 +0100
Source: smail
Binary: smail
Architecture: source i386
Version: 3.2.0.115-7
Distribution: unstable
Urgency: high
Maintainer: Hector Garcia <[EMAIL PROTECTED]>
Changed-By: Hector Garcia <[EMAIL PROTECTED]>
Description:
 smail - Electronic mail transport system
Closes: 301428
Changes:
 smail (3.2.0.115-7) unstable; urgency=high
 .
   * Added patch to fix security vulnerability.
     (Closes: #301428)
Files:
 ef7e0d76a273ef29d0f544f199b116b1 609 mail extra smail_3.2.0.115-7.dsc
 42502d1ba80ecf365c0076302101b921 159694 mail extra smail_3.2.0.115-7.diff.gz
 9a016678846d4a3611aafa2314ca2826 663896 mail extra smail_3.2.0.115-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCRy4JMwsDi2xjdG0RApxKAJ0XilwvsW1qLGISkBc0017IIxYlsACg4eUz
3RaYXvLoelgJU27rSs7u1wM=
=E42E
-----END PGP SIGNATURE-----