Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 178986
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Lars Hartmann <lars@chaotika.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
zoo-2.10-CVE-2007-1673.patch Patchfile text/plain Icebird2000 2007-05-22 09:51 0000 2.32 KB Details
cve-2007-1669.patch modified patch patch Lars Hartmann 2007-05-23 21:51 0000 2.56 KB Details | Diff
zoo-2.10-r3.ebuild ebuild text/plain Lars Hartmann 2007-05-23 21:52 0000 921 bytes Details
zoo-2.10-CVE-2007-1669.patch fixed patch patch Lars Hartmann 2007-05-23 21:56 0000 2.45 KB Details | Diff
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 178986 depends on: Show dependency tree
Bug 178986 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2007-05-18 11:20 0000 
A vulnerability has been reported in Amavis, which can potentially be exploited
by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to Amavis potentially invoking an insecure
version of zoo or unzoo. This can be exploited to cause an infinite loop
resulting in high CPU utilisation.

Solution:
The vendor recommends disabling the use of zoo or unzoo, or using a patched
version of zoo.

Provided and/or discovered by:
The vendor credits Jean-Sebastien Guay-Leroux.

Original Advisory:
http://www.amavis.org/security/asa-2007-2.txt

Reproducible: Always

------- Comment #1 From Lars Hartmann 2007-05-18 11:36:51 0000 ------- 
maintainers - please advice

------- Comment #2 From Andrej Kacian (RETIRED) 2007-05-18 19:14:27 0000 ------- 
I suggest patching app-arch/zoo with patch found in section VII here:
<http://www.securityfocus.com/archive/1/archive/1/467646/100/0/threaded>. We
can then make amavisd-new depend on patched version of zoo, after stabilizing
it for arches.

This would be more bearable than to wait for amavisd-new-2.5.1 and then
stabilize it - 2.5.x brings some new stuff and config file changes which are
not yet so well tested as 2.4.x.

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-05-19 06:52:43 0000 ------- 
Not an amavisd-new issue. Unfortunately zoo is without a maintainer. Ticho,
could you patch it?

------- Comment #4 From Icebird2000 2007-05-22 09:51:38 0000 ------- 
Created an attachment (id=119979) [details]
Patchfile

this is the patch as diff-file

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-05-22 15:06:32 0000 ------- 
Ticho ping.

------- Comment #6 From Lars Hartmann 2007-05-23 21:51:54 0000 ------- 
Created an attachment (id=120137) [details]
modified patch

i modified the patch to let it patch cleanly.

------- Comment #7 From Lars Hartmann 2007-05-23 21:52:49 0000 ------- 
Created an attachment (id=120138) [details]
ebuild

an ebuild which uses my modified patch

------- Comment #8 From Lars Hartmann 2007-05-23 21:56:57 0000 ------- 
Created an attachment (id=120139) [details]
fixed patch

now the finaly one (uploaded the wrong one first) - sorry for that

------- Comment #9 From Andrej Kacian (RETIRED) 2007-05-23 22:32:33 0000 ------- 
Sorry guys. I was, uhh... distracted, from all technology for past few days.

zoo-2.10-r3 is in the tree now.

------- Comment #10 From Stefan Cornelius (RETIRED) 2007-05-23 23:00:53 0000 ------- 
arches, please test and stable zoo-2.10-r3. thanks

------- Comment #11 From Christian Faulhammer 2007-05-24 06:37:19 0000 ------- 
x86/amd64 stable

------- Comment #12 From Gustavo Zacarias (RETIRED) 2007-05-24 12:57:35 0000 ------- 
sparc stable.

------- Comment #13 From Markus Rothe 2007-05-24 15:31:26 0000 ------- 
ppc64 stable

------- Comment #14 From Raúl Porcel 2007-05-25 11:06:03 0000 ------- 
alpha stable

------- Comment #15 From Tobias Scherbaum 2007-05-25 17:51:46 0000 ------- 
ppc stable

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-05-25 17:55:57 0000 ------- 
This one is ready for GLSA decision. I tend to vote YES.

------- Comment #17 From Pierre-Yves Rofes 2007-05-31 09:27:58 0000 ------- 
I tend to vote NO.

------- Comment #18 From Raphael Marichez 2007-06-01 15:14:30 0000 ------- 
no and closing, feel free to reopen if you disagree
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug