109381 2005-10-15 10:06 0000 mail-mta/xmail: security update + init script forgets to copy resolve libs 2005-12-14 09:52:40 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B1 [glsa] P2 major --- 1 quinox_san_@hotmail.com security@gentoo.org net-mail@gentoo.org quinox_san_@hotmail.com 2005-10-15 10:06:01 0000 After upgrading packages on my system the XMail server didn't download pop3link mail any more - in debug mode it would print messages like this: << ErrCode = -40 ErrString = Invalid server address ErrInfo = ***.homelinux.net [PSYNC/MASQ] MasqDomain = "qtea.nl,qtea.nl" - RmtDomain = "***.homelinux.net" - RmtName = "quinox" Failed ! >> After some testing I found out that wget had the same problem in the chrooted directory, and after some googling I found http://blog.gmane.org/gmane.comp.apache.mod-security.user/day=20040711 . Copying those 3 files mentioned in that post: libnss_dns.so.2 libnss_files.so.2 libresolv.so.2 to the /chroot/xmail/lib directory fixed my problem. ATM the init script copies all libs mentioned in ldd XMail - The resolve libs are not listed there. IMO these will have to be copied by the init.d script too before starting XMail PS: XMail 1.22 has been released a few days ago and isn't in portage yet - it has a security update to fix a buffer overflow with the local sendmail prog (CAN-2005-2943): http://www.xmailserver.org/ChangeLog.html#oct_12__2005_v_1_22 http://www.idefense.com/application/poi/display?id=321&type=vulnerabilities Reproducible: Always Steps to Reproduce: 1. 2. 3. quinox_san_@hotmail.com 2005-12-10 03:36:30 0000 Noone ? It is kind of bad if we leave an exploitable version of a mail server in portage for this long :/ lcars@gentoo.org 2005-12-10 04:00:43 0000 1.22 is masked in the tree (wait a few minutes for mirrors to pick it up), could you please test it and see if it works for you so that I can remove the vuln package and have the sec team issuing a GLSA? (Moving to Security) quinox_san_@hotmail.com 2005-12-10 05:10:39 0000 It compiles without any problems and it runs fine :) koon@gentoo.org 2005-12-11 10:01:06 0000 x86 or maintainer can go ahead and mark stable koon@gentoo.org 2005-12-12 07:23:57 0000 CVE-2005-2943 Local exploitation of a buffer overflow vulnerability in XMail, as distributed with multiple vendors' operating systems, allows local attackers to execute arbitrary code with elevated privileges. koon@gentoo.org 2005-12-14 09:52:40 0000 GLSA 200512-05