Bug#: 135746
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Raphael Marichez <falco@gentoo.org>

Description:   Opened: 2006-06-06 03:31 0000
I assign the severity to major (C1) since the user usually can't check the
emails received before they are filtered by spamassassin, so it behaves like a
vulnerability against a server: the attacker only has to wait a few minutes or
hours before the malicious email. So *1. And C because this vuln only occurs if
the user modifies the init script or launches spamd with particular options.

'3.1.3 fixes a remote code execution vulnerability if spamd is run with the
"--vpopmail" and "-P" options.  If either/both of those options are not
used, there is no vulnerability.  There was also a fix for the userstate
directory and prefs file not being created.'

------- Comment #1 From Raphael Marichez 2006-06-06 03:35:41 0000 -------
Please bump 3.1.3 which was released yesterday

------- Comment #2 From Christian Hartmann 2006-06-06 10:43:02 0000 -------
perl-herd done

------- Comment #3 From Tobias Scherbaum 2006-06-06 10:51:26 0000 -------
ppc stable

------- Comment #4 From René Nussbaumer 2006-06-06 11:45:16 0000 -------
Stable on hppa

------- Comment #5 From Markus Rothe 2006-06-06 11:47:52 0000 -------
stable on ppc64

------- Comment #6 From Chris Gianelloni (RETIRED) 2006-06-06 13:36:16 0000 -------
No mo' spam fo' amd64 and x86...

(I swear, I'm about to strangle bugzilla today)

------- Comment #7 From Gustavo Zacarias (RETIRED) 2006-06-06 14:58:11 0000 -------
sparc stable.

------- Comment #8 From Thomas Cort (RETIRED) 2006-06-07 16:43:09 0000 -------
alpha stable.

------- Comment #9 From Raphael Marichez 2006-06-07 22:46:05 0000 -------
Thanks arches, this one is ready for GLSA

------- Comment #10 From Raphael Marichez 2006-06-08 04:40:59 0000 -------
Since spamd is run as root, is there a hazard that the code would be executed
as root?

------- Comment #11 From Sune Kloppenborg Jeppesen 2006-06-10 06:06:07 0000 -------
*** Bug 135236 has been marked as a duplicate of this bug. ***

------- Comment #12 From Sune Kloppenborg Jeppesen 2006-06-10 06:11:10 0000 -------
Unless you specify the -u option in /etc/conf.d/spamd it will run as root.
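
A check for the condition discussed in this bug (both `--vpopmail` and `-P` present, and whether `-u` is set), for hosts still running a spamd older than 3.1.3. This is an added example, not part of the bug report or of SpamAssassin; the function name, the result strings and the `SPAMD_OPTS` variable name are assumptions.

```shell
#!/bin/sh
# Added example: classify a spamd option string against this bug's condition.
# Exposure requires BOTH --vpopmail and -P; without -u the daemon runs as root.
# Assumed spellings: -v/--vpopmail, -P/--paranoid, -u/--username.
# Assumed usage on Gentoo: . /etc/conf.d/spamd; spamd_exposure "$SPAMD_OPTS"
spamd_exposure() {
    vpop=0; paranoid=0; user=""; unsure=0; want_user=0
    set -f                      # no globbing while word-splitting the string
    for tok in $1; do
        # Token following a bare -u / --username is the account name.
        if [ "$want_user" -eq 1 ]; then user=$tok; want_user=0; continue; fi
        case $tok in
            -v|--vpopmail)  vpop=1 ;;
            -P|--paranoid)  paranoid=1 ;;
            -u|--username)  want_user=1 ;;
            --username=*)   user=${tok#--username=} ;;
            -u?*)           user=${tok#-u} ;;
            --*)            ;;              # other long options: ignore
            -*[vP]*)        unsure=1 ;;     # possible bundle such as -dvP
        esac
    done
    set +f
    if [ "$vpop" -eq 1 ] && [ "$paranoid" -eq 1 ]; then
        if [ -z "$user" ] || [ "$user" = root ]; then
            echo "exposed-as-root"
        else
            echo "exposed-as-user:$user"
        fi
    elif [ "$unsure" -eq 1 ]; then
        # Bundled short flags are not decoded here; inspect them by hand.
        echo "review-bundled-flags"
    else
        echo "not-exposed"
    fi
}
```

Quoting inside the option string is not parsed, and any single-dash token containing `v` or `P` that is not an exact match is reported for manual review rather than guessed at.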

------- Comment #13 From Sune Kloppenborg Jeppesen 2006-06-11 13:06:24 0000 -------
GLSA 200606-09.

ia64, please don't forget to mark stable to benefit from the GLSA.

------- Comment #14 From Christian Hartmann 2006-06-19 22:49:07 0000 -------
Don't forget about mips.
