Bug 110289 - mail-filter/amavisd-new Insufficient sanitation when quarantining as BSMTP files
Summary: mail-filter/amavisd-new Insufficient sanitation when quarantining as BSMTP files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://marc.theaimsgroup.com/?l=amavi...
Whiteboard: C3 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-23 23:23 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-10-27 00:40 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-23 23:23:02 UTC
For sites that store quarantined or forwarded files as BSMTP files _and_ choose 
to include a sender name in the file name (by including a %s in the template), 
there is a security vulnerability in versions of amavisd-new 2.3.1, 2.3.2 
and 2.3.3, which could potentially allow a sender to cause a file to be stored 
outside of the intended location, or just cause mail quarantining to fail. 
A threat is limited to directories accessible by uid/gid under which the 
amavisd daemon is running, which could potentially affect other quarantined 
files or cause disruption in processing of other mail, but would not affect 
the security of a normally maintained operating system. 
 
The problem does not affect the majority of sites, as most sites do not store 
files in BSMTP format, and even those that do seldom choose to include 
a %s in a file name template (I doubt there is more than one or two sites 
affected by this vulnerability). A telltale setting in amavisd.conf would 
be for example: $spam_quarantine_method = 'bsmtp:spam-%m-%s'; 
 
The patch below fixes the problem, and must be applied at affected sites. 
For other more common setups the patch is not needed (the code section 
is inactive, applying the patch won't hurt but is unnecessary). 
 
The fix will be included in the next release 2.4.0 (or in 2.3.4, although 
I do not expect there will be a 2.3.4 release). 
 
--- amavisd~        Thu Oct 20 20:10:04 2005 
+++ amavisd     Sun Oct 23 20:54:10 2005 
@@ -4720,3 +4720,3 @@ 
   my($s) = $msginfo->sender;  # defanged sender name for use in filename 
-  $s =~ tr/a-zA-Z0-9@._+-]/=/c; 
+  $s =~ tr/a-zA-Z0-9@._+-/=/c; 
   $s = substr($s,0,100)."..."  if length($s) > 100+3; 
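Review bot: the `]` dropped from the search list in `$s =~ tr/a-zA-Z0-9@._+-]/=/c;` was not a harmless stray character; in `tr///` the sequence `+-]` is parsed as a range from `+` (0x2B) up to `]` (0x5D), so every character in that span, `/` included, counted as allowed and passed through into the file name unchanged. With the `-` now last in the list it is literal, the allowed set is exactly letters, digits and `@._+-`, and `/` is mapped to `=` like any other character. Since this same one-character typo appears in two places in the patch, a regression test asserting that a sender containing `/` never yields a path separator in the resulting name would be worth adding alongside the fix.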
@@ -6283,3 +6283,3 @@ 
             $s = substr($s,0,100)."..."  if length($s) > 100+3; 
-            $s =~ tr/a-zA-Z0-9@._+-]/=/c; $s =~ s/\@/_at_/g; 
+            $s =~ tr/a-zA-Z0-9@._+-/=/c; $s =~ s/\@/_at_/g; 
             $s = untaint($s)  if $s =~ /^(?:[a-zA-Z0-9%=._+-]+)\z/;  # 
untaint 
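Review bot: this hunk is the second copy of the same transliteration, and the same fix had to be applied twice; consider moving the `tr///c`, the 100-character cap and the `s/\@/_at_/g` substitution into one shared sanitizer called from both sites so they cannot drift apart again. The ordering differs between the two sites (here `substr` runs before `tr`, in the first hunk after it), which is harmless only because `.` is in the allowed set; a single helper makes that invariant explicit. Also note the trailing `# untaint` comment is wrapped onto its own line in this copy of the patch, so anyone applying it by hand should verify it lands on the same line as the `untaint($s)` call.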
 
Thanks to Thomas Jarosch for discovering the problem. 
 
  Mark
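The following Perl script is an added example, not code from amavisd-new or from the bug report above. It places the pre-patch and post-patch transliterations side by side on a few constructed sender addresses, mirrors the `spam-%m-%s` file-name expansion mentioned in the report (the `%m` value and the helper names `sanitize_old`, `sanitize_new` and `quarantine_name` are assumptions for illustration), and ends with the regression check an administrator would want: no sanitized name may still contain a path separator.

```perl
#!/usr/bin/perl
# Added example (not amavisd-new code): compare the two file-name sanitizers
# from the patch in this bug on constructed sender addresses.
use strict;
use warnings;

# Pre-patch transliteration. In tr///, "+-]" is parsed as the range from
# '+' (0x2B) to ']' (0x5D), which contains '/' (0x2F), so slashes survive.
sub sanitize_old {
    my ($s) = @_;
    $s =~ tr/a-zA-Z0-9@._+-]/=/c;
    return $s;
}

# Patched transliteration. A trailing '-' is literal, so the allowed set is
# exactly letters, digits and "@._+-"; everything else, '/' included, becomes '='.
sub sanitize_new {
    my ($s) = @_;
    $s =~ tr/a-zA-Z0-9@._+-/=/c;
    return $s;
}

# Mirror of the file-name expansion for a 'bsmtp:spam-%m-%s' template.
# Assumption: %m is a message id supplied by the caller; only %s matters here.
sub quarantine_name {
    my ($sanitizer, $msgid, $sender) = @_;
    return "spam-$msgid-" . $sanitizer->($sender);
}

# Constructed sample senders (not taken from the bug report).
my @senders = (
    'alice@example.org',
    'a/b@example.org',        # contains a path separator
    "x;y\t|z@example.org",    # assorted punctuation and a tab
);

for my $sender (@senders) {
    printf "%-24s old: %-28s new: %s\n", $sender,
        quarantine_name(\&sanitize_old, 'msgid1', $sender),
        quarantine_name(\&sanitize_new, 'msgid1', $sender);
}

# Defender's regression check: the patched sanitizer must never leave a '/'
# in a file name, whatever the sender supplied.
for my $sender (@senders) {
    my $name = sanitize_new($sender);
    die "unsafe name produced: $name\n" if $name =~ m{/};
}
print "all sanitized names are free of '/'\n";
```

Running it prints `a/b@example.org` unchanged under the old rule and `a=b@example.org` under the new one; the punctuation sample shows the same divergence for `;`, which falls inside the accidental `+`..`]` range. The final loop is the kind of check that belongs in a site's own test of any `%s`-bearing quarantine template.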
Comment 1 Andrej Kacian (RETIRED) gentoo-dev 2005-10-23 23:47:23 UTC
I'll revbump amavisd-new with this patch. Has upstream been notified about this yet?
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-24 00:24:30 UTC
The Mark in the mail is the amavisd-new maintainer Mark Martinec, so yes:-) 
 
Let me know when the fix is in. 
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2005-10-24 02:23:41 UTC
amavisd-new-2.3.3-r2 (now in CVS) has the patch applied. x86 is already stable,
as I've been able to test on this arch.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-24 04:23:05 UTC
Archs please test and mark 2.3.3-r2 stable.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2005-10-24 07:35:59 UTC
marked ppc64 stable. thanks
Comment 6 Fernando J. Pereda (RETIRED) gentoo-dev 2005-10-24 14:07:48 UTC
Stable on alpha

Cheers,
Ferdy
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 02:50:39 UTC
Still missing amd64 and ppc64.
Comment 8 Brent Baude (RETIRED) gentoo-dev 2005-10-26 07:29:36 UTC
Sorry marked the wrong ebuild earlier.  amavisd-new-2.3.3-r2 now marked stable
in cvs
Comment 9 Brent Baude (RETIRED) gentoo-dev 2005-10-26 07:29:49 UTC
removing ppc64
Comment 10 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-10-26 11:14:09 UTC
Stable on amd64. 
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-10-26 11:30:59 UTC
Ready for GLSA vote. I tend to say no because of "[...] would not affect 
the security of a normally maintained operating system" and the need of a
specific config to be vulnerable.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-26 12:20:49 UTC
I vote NO. 
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-10-27 00:40:07 UTC
Voting no too and closing.