Bug#: 109381
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Ceesjan Luiten <quinox_san_@hotmail.com>
Description:   Opened: 2005-10-15 10:06 0000
After upgrading packages on my system the XMail server didn't download pop3link
mail any more - in debug mode it would print messages like this:

<<
ErrCode   = -40
ErrString = Invalid server address
ErrInfo   = ***.homelinux.net
[PSYNC/MASQ] MasqDomain = "qtea.nl,qtea.nl" - RmtDomain = "***.homelinux.net" -
RmtName = "quinox" Failed !
>>

After some testing I found out that wget had the same problem in the chrooted
directory, and after some googling I found
http://blog.gmane.org/gmane.comp.apache.mod-security.user/day=20040711 . Copying
those 3 files mentioned in that post:

libnss_dns.so.2
libnss_files.so.2
libresolv.so.2

to the /chroot/xmail/lib directory fixed my problem.

ATM the init script copies all libs mentioned in ldd XMail - the resolve libs
are not listed there. IMO these will have to be copied by the init.d script too
before starting XMail.

PS: 

XMail 1.22 was released a few days ago and isn't in portage yet - it has a
security update to fix a buffer overflow with the local sendmail prog
(CAN-2005-2943):

http://www.xmailserver.org/ChangeLog.html#oct_12__2005_v_1_22
http://www.idefense.com/application/poi/display?id=321&type=vulnerabilities


Reproducible: Always
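
The gap described in the report above, as an added example that is not part of the bug report or of the Gentoo init script: a library list built only from `ldd` misses the NSS/resolver modules, so this sketch appends the three files named in the report. The function names, `SAMPLE_LDD` and the `/lib` default are assumptions, and the `ldd` output is constructed.

```shell
#!/bin/sh
# Constructed sample of ldd output for a hypothetical XMail binary.
SAMPLE_LDD='  linux-gate.so.1 =>  (0xffffe000)
  libpthread.so.0 => /lib/libpthread.so.0 (0xb7f0a000)
  libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7e2b000)
  libc.so.6 => /lib/libc.so.6 (0xb7d00000)
  /lib/ld-linux.so.2 (0xb7f3c000)'

# glibc dlopen()s the NSS modules at lookup time (libresolv comes in as a
# dependency of libnss_dns), which is why the report's ldd run did not show
# them. The three names are the ones given in the bug report.
NSS_LIBS='libnss_dns.so.2 libnss_files.so.2 libresolv.so.2'

# Read ldd output on stdin, print the absolute path of each library.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # name => /path (addr)
        $1 ~ /^\//               { print $1 }        # /path (addr), the loader
    '
}

# ldd output on stdin, host library directory in $1: print everything the
# chroot needs, i.e. the ldd list plus the NSS/resolver modules.
chroot_lib_list() {
    libdir=$1
    {
        ldd_paths
        for lib in $NSS_LIBS; do
            if [ -e "$libdir/$lib" ]; then
                echo "$libdir/$lib"
            else
                echo "warning: $libdir/$lib not found" >&2
            fi
        done
    } | sort -u
}

# Print the NSS_LIBS names that are absent from the chroot lib directory $1.
missing_nss_libs() {
    for lib in $NSS_LIBS; do
        [ -e "$1/$lib" ] || echo "$lib"
    done
}

# Demo on the constructed sample; pass another library directory as $1.
printf '%s\n' "$SAMPLE_LDD" | chroot_lib_list "${1:-/lib}"
```

Running `missing_nss_libs /chroot/xmail/lib` before starting the daemon gives a quick check for the failure shown in the debug output above.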

------- Comment #1 From Ceesjan Luiten 2005-12-10 03:36:30 0000 -------
No one? It is kind of bad if we leave an exploitable version of a mail server
in portage for this long :/

------- Comment #2 From Andrea Barisani (RETIRED) 2005-12-10 04:00:43 0000 -------
1.22 is masked in the tree (wait a few minutes for mirrors to pick it up),
could you please test it and see if it works for you so that I can remove the
vuln package and have the sec team issue a GLSA?

(Moving to Security)

------- Comment #3 From Ceesjan Luiten 2005-12-10 05:10:39 0000 -------
It compiles without any problems and it runs fine :)

------- Comment #4 From Thierry Carrez (RETIRED) 2005-12-11 10:01:06 0000 -------
x86 or maintainer can go ahead and mark stable

------- Comment #5 From Thierry Carrez (RETIRED) 2005-12-12 07:23:57 0000 -------
CVE-2005-2943
Local exploitation of a buffer overflow vulnerability in XMail, as
distributed with multiple vendors' operating systems, allows local
attackers to execute arbitrary code with elevated privileges.

------- Comment #6 From Thierry Carrez (RETIRED) 2005-12-14 09:52:40 0000 -------
GLSA 200512-05
