Your message dated Sun, 27 Mar 2005 17:32:07 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#301428: fixed in smail 3.2.0.115-7
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Mar 2005 20:54:35 +0000
Content-Type: multipart/mixed; boundary="===============1077034144=="
MIME-Version: 1.0
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: smail: Remote and local vulnerabilities can be exploited to obtain root
 access
X-Mailer: reportbug 3.9
Date: Fri, 25 Mar 2005 21:54:27 +0100
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>

This is a multi-part MIME message sent by reportbug.

--===============1077034144==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: smail
Severity: grave
Tags: security patch
Justification: user security hole

[Dear security-team, this should affect Woody as well]

Sean <[EMAIL PROTECTED]> has discovered two vulnerabilities in smail
that can be exploited to obtain root privileges:

1. A heap overflow in RFC 821 header parsing permits remote attackers that
are able to connect to an SMTP server remote code execution with root
privileges.
2. Insecure signal handling may be exploitable to obtain extended privileges
for local users as well.

For full details see
http://www.securityfocus.com/archive/1/394286/2005-03-22/2005-03-28/0

It contains a fix for the heap overflow, which I attach to this report.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

--===============1077034144==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="smail-heap-overflow.patch"

--- addr.c      2004-08-27 01:46:17.000000000 -0500
+++ _addr.c     2005-03-25 01:00:44.423372480 -0500
@@ -217,10 +217,12 @@
        ap++;
        if (*ap == '@') {
            /* matched host!(host!)[EMAIL PROTECTED] -- build the !-route */
-           register char *p = xmalloc((size_t) strlen(address));
+        size_t  alen = strlen(address);
+           register char *p = xmalloc((size_t) alen + 1);
            DEBUG(DBG_ADDR_MID, "found host!(host!)[EMAIL PROTECTED] 
form--ugh!\n");
            /* first part already !-route */
            strncpy(p, address, (size_t) (ap - address));
+        p[(ap - address)] = '\0';
            if (mark_end) {
                *mark_end++ = '>';      /* widden the original address */
            }
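Review bot: The added `p[(ap - address)] = '\0';` is what every later `strlen(p)` and string append on this buffer depends on, because `strncpy` with a count shorter than the source leaves `p` unterminated, so that dependency deserves a one-line comment. Since the prefix length `ap - address` is already known, `memcpy` followed by the terminator would state the intent more directly than `strncpy`. Two smaller points: the cast in `xmalloc((size_t) alen + 1)` is redundant now that `alen` is declared `size_t`, and the two added lines are indented with spaces where the surrounding code uses a different indentation, which is why they sit out of column in the diff.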
@@ -231,7 +233,8 @@
                       *error);
                return NULL;
            }
-           strcat(p, ap);              /* concatenate together */
+           strncat(p, ap, alen-strlen(p));             /* concatenate together 
*/
+        p[alen] = '\0';    /* in case in wasn't NULL'd */
            xfree(ap);
            DEBUG1(DBG_ADDR_HI, "preparse_address returns: %v\n", p);
            *rest = mark_end;
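Review bot: The bound `alen-strlen(p)` in the new `strncat` call keeps the write inside the `alen + 1` byte buffer, but it truncates `ap` silently when it does not fit. `ap` is released with `xfree(ap)` right after, so by this point it appears to be a separately built string whose length is not tied to the original `address`; a shortened route address would then be returned as if it were valid. I would either size the buffer from `strlen(p) + strlen(ap) + 1` at this point or treat an over-long `ap` as an error and return through the existing `return NULL` path. The following `p[alen] = '\0';` is redundant, since `strncat` always terminates the result and with this bound the terminator lands at index `alen` at most; if the line stays, its comment should read "NUL-terminated" rather than "NULL'd".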

--===============1077034144==--

---------------------------------------
Received: (at 301428-close) by bugs.debian.org; 27 Mar 2005 22:42:23 +0000
From: Hector Garcia <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#301428: fixed in smail 3.2.0.115-7
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sun, 27 Mar 2005 17:32:07 -0500

Source: smail
Source-Version: 3.2.0.115-7

We believe that the bug you reported is fixed in the latest version of
smail, which is due to be installed in the Debian FTP archive:

smail_3.2.0.115-7.diff.gz
  to pool/main/s/smail/smail_3.2.0.115-7.diff.gz
smail_3.2.0.115-7.dsc
  to pool/main/s/smail/smail_3.2.0.115-7.dsc
smail_3.2.0.115-7_i386.deb
  to pool/main/s/smail/smail_3.2.0.115-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hector Garcia <[EMAIL PROTECTED]> (supplier of updated smail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  27 Mar 2005 23:21:43 +0100
Source: smail
Binary: smail
Architecture: source i386
Version: 3.2.0.115-7
Distribution: unstable
Urgency: high
Maintainer: Hector Garcia <[EMAIL PROTECTED]>
Changed-By: Hector Garcia <[EMAIL PROTECTED]>
Description: 
 smail      - Electronic mail transport system
Closes: 301428
Changes: 
 smail (3.2.0.115-7) unstable; urgency=high
 .
   * Added patch to fix security vulnerability. (Closes: #301428)
Files: 
 ef7e0d76a273ef29d0f544f199b116b1 609 mail extra smail_3.2.0.115-7.dsc
 42502d1ba80ecf365c0076302101b921 159694 mail extra smail_3.2.0.115-7.diff.gz
 9a016678846d4a3611aafa2314ca2826 663896 mail extra smail_3.2.0.115-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCRy4JMwsDi2xjdG0RApxKAJ0XilwvsW1qLGISkBc0017IIxYlsACg4eUz
3RaYXvLoelgJU27rSs7u1wM=
=E42E
-----END PGP SIGNATURE-----

