Bug#: 88904
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jean-François Brunette (RETIRED) <formula7@gentoo.org>
Description:   Opened: 2005-04-12 15:25 0000
Version(s): 1.3, 1.4
Description:  dong-hun you from INetCop Security reported several vulnerabilities in Gld. A remote user can obtain root privileges.

The 'server.c' file contains several buffer overflows. A remote user can supply specially crafted input to trigger a buffer overflow and execute arbitrary code.

The 'cnf.c' file contains several format string vulnerabilities, where user-supplied data is not properly validated and is passed to a syslog() call without the appropriate format string specifier. A remote user can supply specially crafted input to execute arbitrary code with root privileges.
Impact:  A remote user can execute arbitrary code with root privileges.

Solution:  No solution was available at the time of this entry.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-04-12 23:07:09 0000 -------
auditors and/or net-mail please advise.

------- Comment #2 From rob holland (RETIRED) 2005-04-13 02:12:38 0000 -------
despite the various "this is safe" comments in the source code, it hasn't been
thought out so well.

perl -e 'print "request=" . ("x" x 2000) . "\n\n"' | nc localhost 2525

Overflow at: server.c:265

strcpy without proper length checks (despite comments in the code which say
otherwise).

attacker decides what lands on the stack, so it's easily exploitable.
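
Added example (not gld's code, and not taken from this bug): the two bug classes named in the description and in comment #2, side by side with a hardened version. REQUEST_MAX is an assumed limit, not the real size of the buffer at server.c:265, and log_msg() is a stand-in for syslog() that writes into a caller-supplied buffer so the result can be checked.

```c
#define _DEFAULT_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example; gld's own buffer size is not on this page. */
#define REQUEST_MAX 256

/* Stand-in for syslog(): formats into a buffer so the effect of the format string is visible. */
static void log_msg(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* The vulnerable shape described in the report: an unbounded strcpy into a fixed
 * stack buffer (the server.c overflow), then the user-controlled text handed to the
 * logger as its format string (the cnf.c syslog() bug). Kept for contrast only;
 * never call it with untrusted input. */
int handle_request_unsafe(const char *line, char *logbuf, size_t logsz) {
    char req[REQUEST_MAX];
    strcpy(req, line);            /* writes past req once line has >= REQUEST_MAX bytes */
    log_msg(logbuf, logsz, req);  /* any '%' sequence in req is interpreted as a directive */
    return 0;
}

/* Hardened: measure before copying and reject oversize input, and always pass
 * user data as an argument to a constant format string. Returns 0 if the request
 * was accepted, -1 if it was rejected. */
int handle_request_safe(const char *line, char *logbuf, size_t logsz) {
    char req[REQUEST_MAX];
    size_t n = strlen(line);
    if (n >= sizeof req) {
        log_msg(logbuf, logsz, "rejected request of %zu bytes (limit %zu)", n, sizeof req - 1);
        return -1;
    }
    memcpy(req, line, n + 1);     /* bounded copy, terminator included */
    log_msg(logbuf, logsz, "request: %s", req);
    return 0;
}
```

With the hardened handler the 2000-byte "request=" line from the PoC above is refused before any copy happens, and a request containing "%x%x%n" is logged literally instead of being parsed as directives.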

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-04-13 02:55:24 0000 -------
Has upstream been informed about this?

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-04-13 03:02:53 0000 -------
Bummer, cached page here. 1.5 is released today. 

net-mail please bump.

------- Comment #5 From Andrej Kacian (RETIRED) 2005-04-13 03:04:33 0000 -------
I'll do it.

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-04-13 03:15:30 0000 -------
Default config IS affected -> upgrading severity.

net-mail please provide a better default than this:

#
# Shall we bind only to loopback ? (0=No,1=Yes) (default is 0)
#
LOOPBACKONLY=0

#
# The list of networks allowed to connect to us (default is everybody)
# The format is network/cidrmask,....
#
# Uncomment the line to activate it.
#
#CLIENTS=192.168.168.0/24 172.16.0.0/19 127.0.0.1/32
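
Added example (not gld's code): an allow-list check for a CLIENTS-style "network/cidrmask ..." list like the commented-out line above. The parsing rules are assumed from that config comment; a bare address is treated as /32, an empty list keeps the documented "everybody" default, and a malformed entry makes the check fail closed.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse one "a.b.c.d/len" entry (a bare address means /32).
 * Returns 0 and fills net/mask (network byte order), -1 if the entry is malformed. */
static int parse_cidr(const char *entry, uint32_t *net, uint32_t *mask) {
    char buf[32];
    size_t n = strlen(entry);
    if (n == 0 || n >= sizeof buf) return -1;
    memcpy(buf, entry, n + 1);

    long len = 32;
    char *slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        len = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || len < 0 || len > 32) return -1;
    }

    struct in_addr addr;
    if (inet_pton(AF_INET, buf, &addr) != 1) return -1;

    /* /0 is handled separately: shifting a 32-bit value by 32 is undefined in C */
    uint32_t host_mask = (len == 0) ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - len));
    *mask = htonl(host_mask);
    *net = addr.s_addr & *mask;
    return 0;
}

/* Return 1 if client_ip is inside any entry of the space-separated list, 0 if not,
 * -1 if the address or any entry is malformed (callers should treat -1 as deny).
 * A NULL or empty list mirrors the documented default of allowing everybody. */
int client_allowed(const char *clients, const char *client_ip) {
    struct in_addr c;
    if (inet_pton(AF_INET, client_ip, &c) != 1) return -1;
    if (clients == NULL || *clients == '\0') return 1;

    char list[1024];
    size_t n = strlen(clients);
    if (n >= sizeof list) return -1;
    memcpy(list, clients, n + 1);   /* strtok modifies its input, so work on a copy */

    int matched = 0;
    for (char *tok = strtok(list, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        uint32_t net, mask;
        if (parse_cidr(tok, &net, &mask) != 0) return -1;   /* fail closed on a bad entry */
        if ((c.s_addr & mask) == net) matched = 1;
    }
    return matched;
}
```

The loop keeps going after a match so that a malformed entry anywhere in the list is always reported rather than masked by an earlier allow; with LOOPBACKONLY=0 this kind of check is the only thing standing between the overflow and the network.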

------- Comment #7 From Sune Kloppenborg Jeppesen 2005-04-13 03:24:28 0000 -------
net-mail please also fix the default user. Right now the default config makes it
run with root privs:

#
# The user used to run gld (default value is no user change)
# uncomment the line to activate it.
#
#USER=nobody

#
# The group used to run gld (default value is no group change)
# uncomment the line to activate it.
#
#GROUP=nobody
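
Added example (not gld's code): a privilege-drop routine of the kind a daemon would call after binding its port, for the case where USER= and GROUP= above are set. It is written from this comment's point of view, so the function refuses a root uid or gid outright; the order (supplementary groups, then gid, then uid) and the re-escalation check are standard practice, not something this bug describes.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged uid/gid. Order matters: supplementary groups and the
 * gid must be changed while still root, and setuid() goes last because it
 * gives up the right to do the rest. Returns 0 on success, -1 on failure or
 * when asked to keep running as root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;   /* USER=/GROUP= must not resolve to root */

    /* only root may clear supplementary groups; an already unprivileged process has nothing to clear */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* verify the drop is irreversible: if root can be regained, the drop did not really happen */
    if (setuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    return 0;
}
```

Called as drop_privileges(pw->pw_uid, pw->pw_gid) after looking the configured user up with getpwnam(); a failure should terminate the daemon rather than let it carry on as root.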

------- Comment #8 From Andrej Kacian (RETIRED) 2005-04-13 03:30:42 0000 -------
Ebuild for 1.5 in portage, x86 stable.

------- Comment #9 From Sune Kloppenborg Jeppesen 2005-04-13 03:42:11 0000 -------
amd64 please test and mark stable ASAP.

------- Comment #10 From Sune Kloppenborg Jeppesen 2005-04-13 03:56:12 0000 -------
amd64 please cvs up if you're already started:

[12:56:33] <@Ticho> jaervosz: updated the gld ebuild, since it installed few files in wrong places

------- Comment #11 From Andrej Kacian (RETIRED) 2005-04-13 04:35:25 0000 -------
It seems to work just fine on a busy amd64 mailserver I admin. Marked stable on
amd64.

------- Comment #12 From Sune Kloppenborg Jeppesen 2005-04-13 04:37:46 0000 -------
Thx everyone. This one is ready for glsa.

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-04-13 05:23:06 0000 -------
GLSA 200504-10
