153896 2006-11-02 20:20 0000 net-mail/qmailadmin: Buffer overflow (CVE-2006-1141) 2007-02-11 11:14:15 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED B1 [glsa] Falco P2 critical --- 1 bugs@datasecu.com security@gentoo.org qmail-bugs@gentoo.org robbat2@gentoo.org bugs@datasecu.com 2006-11-02 20:20:40 0000 CVE reference: CVE-2006-1141 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-1141 Solution : Install qmailadmin 1.2.10 bugs@datasecu.com 2006-11-02 20:25:23 0000 Created an attachment (id=101122) New version qmailafin 1.2.10 falco@gentoo.org 2006-11-03 12:03:47 0000 This bug is already public. Please don't restrict public vulnerabilities. The herd can't see the bug. robbat2, please bump out the fixed version (1.2.10) or patch, thanks. I couldn't find a similar bug, we've probably missed it. vorlon@gentoo.org 2006-11-10 05:57:48 0000 robbat2/qmail herd, any news? robbat2@gentoo.org 2006-11-11 03:03:38 0000 1.2.10 in CVS now. Took some work to find that it now needed RESTRICT=userpriv to compile successfully. jaervosz@gentoo.org 2006-11-11 04:27:46 0000 Arhces please test and mark stable. Target keywords are: amd64 arm hppa ppc sparc x86 maekke@gentoo.org 2006-11-11 16:06:37 0000 net-mail/qmailadmin-1.2.10 USE="-maildrop" 1. emerges on x86, please note: QA Notice: the following files are setXid, dyn linked, and using lazy bindings LAZY var/www/localhost/cgi-bin/qmailadmin 2. passes collision test 3. seems to work as the cgi-bin/qmailadmin shows up. (don't have a qmail setup to test further) Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.1 i686) ================================================================= System uname: 2.6.18.1 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.6 Last Sync: Sat, 11 Nov 2006 22:30:01 +0000 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--nospinner" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib" Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY dertobi123@gentoo.org 2006-11-13 09:45:04 0000 ppc stable killerfox@gentoo.org 2006-11-13 12:10:44 0000 stable on hppa thedude0001@gmx.de 2006-11-13 20:07:26 0000 Emerges fine on amd64 and seems to be working... Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64) ================================================================= System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.12.6 Last Sync: Mon, 13 Nov 2006 05:00:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -msse3 -Os -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-march=k8 -msse3 -Os -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage_overlay" SYNC="rsync://server/gentoo-portage" USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS fauli@gentoo.org 2006-11-13 22:10:38 0000 x{72-8} is done fauli@gentoo.org 2006-11-13 22:16:35 0000 (In reply to comment #10) > x{72-8} is done I always was bad at math. Ugh. gustavoz@gentoo.org 2006-11-15 07:24:55 0000 sparc stable. wolf31o2@gentoo.org 2006-11-15 08:10:16 0000 amd64 done vorlon@gentoo.org 2006-11-15 13:38:48 0000 ready for GLSA jaervosz@gentoo.org 2006-11-20 11:16:25 0000 It's setuid root rerating. robbat2@gentoo.org 2006-11-20 15:48:20 0000 jaervosz: qmailadmin is NOT setuid root. It's setuid vpopmail:vpopmail. This is so it has access to files that are 0640/root:vpopmail and vpopmail:vpopmail. jaervosz@gentoo.org 2006-11-20 21:34:53 0000 Thx Robbat for clearing this up and installing it this non-standard way. robbat2@gentoo.org 2006-11-20 22:19:14 0000 it's not non-standard, the setuid vpopmail is done by upstream (after you tell it what your vpopmail user is). jaervosz@gentoo.org 2006-11-21 07:23:09 0000 GLSA 200611-15 101122 2006-11-02 20:25 0000 New version qmailafin 1.2.10 qmailadmin-1.2.10.ebuild application/octet-stream IyBDb3B5cmlnaHQgMTk5OS0yMDA2IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L25ldC1tYWlsL3FtYWlsYWRtaW4vcW1haWxhZG1p bi0xLjIuMTAuZWJ1aWxkLHYgMS4yIDIwMDYvMDQvMTIgMDA6NDI6MzggdmFwaWVyIEV4cCAkCgpp bmhlcml0IGV1dGlscwoKTVlfUFY9IiR7UFYvX3JjLy1yY30iCk1ZX1A9IiR7UE59LSR7TVlfUFZ9 IgpERVNDUklQVElPTj0iQSB3ZWIgaW50ZXJmYWNlIGZvciBtYW5hZ2luZyBhIHFtYWlsIHN5c3Rl bSB3aXRoIHZpcnR1YWwgZG9tYWlucyIKSE9NRVBBR0U9Imh0dHA6Ly93d3cuaW50ZXI3LmNvbS8k e1BOfS5odG1sIgpTUkNfVVJJPSJtaXJyb3I6Ly9zb3VyY2Vmb3JnZS8ke1BOfS8ke01ZX1B9LnRh ci5neiIKCkxJQ0VOU0U9IkdQTC0yIgpTTE9UPSIwIgpLRVlXT1JEUz0ifmFtZDY0IH5hcm0gfmhw cGEgfnBwYyB+c3BhcmMgfng4NiIKSVVTRT0ibWFpbGRyb3AiCgpERVBFTkQ9InZpcnR1YWwvcW1h aWwKCT49bmV0LW1haWwvdnBvcG1haWwtNS4zCgluZXQtbWFpbC9hdXRvcmVzcG9uZAoJbWFpbGRy b3A/ICggPj1tYWlsLWZpbHRlci9tYWlsZHJvcC0yLjAuMSApIgpSREVQRU5EPSIke0RFUEVORH0K CW5ldC13d3cvYXBhY2hlIgoKUz0ke1dPUktESVJ9LyR7TVlfUH0KCnNyY191bnBhY2soKSB7Cgl1 bnBhY2sgJHtBfQoJY2QgIiR7U30iCgllcGF0Y2ggIiR7RklMRVNESVJ9Ii8ke1B9LW1haWxkaXIu cGF0Y2gKfQoKc3JjX2NvbXBpbGUoKSB7Cglsb2NhbCBkaXJfdnBvcG1haWw9Ii92YXIvdnBvcG1h aWwiCglsb2NhbCBkaXJfdmhvc3Q9Ii92YXIvd3d3L2xvY2FsaG9zdCIKCWxvY2FsIGRpcl9odGRv Y3M9IiR7ZGlyX3Zob3N0fS9odGRvY3MvJHtQTn0iCglsb2NhbCBkaXJfaHRkb2NzX2ltYWdlcz0i JHtkaXJfaHRkb2NzfS9pbWFnZXMiCglsb2NhbCB1cmxfaHRkb2NzX2ltYWdlcz0iLyR7UE59L2lt YWdlcyIKCWxvY2FsIGRpcl9jZ2liaW49IiR7ZGlyX3Zob3N0fS9jZ2ktYmluIgoJbG9jYWwgdXJs X2NnaWJpbj0iL2NnaS1iaW4vJHtQTn0iCglsb2NhbCBkaXJfaHRkb2NzX2h0bWxpYj0iL3Vzci9z aGFyZS8ke1BOfS9odG1sbGliIgoJbG9jYWwgZGlyX3FtYWlsPSIvdmFyL3FtYWlsIgoJbG9jYWwg ZGlyX3RydWU9Ii9iaW4iCglsb2NhbCBkaXJfZXptbG09Ii91c3IvYmluIgoJbG9jYWwgZGlyX2F1 dG9yZXNwb25kPSIvdmFyL3FtYWlsL2JpbiIKCgkjIFBhc3Mgc3BhbSBzdHVmZiB0aHJvdWdoICRA IHNvIHdlIGdldCB0aGUgcXVvdGluZyByaWdodAoJaWYgdXNlIG1haWxkcm9wIDsgdGhlbgoJCXNl dCAtLSAtLWVuYWJsZS1tb2RpZnktc3BhbSBcCgkJCS0tZW5hYmxlLXNwYW0tY29tbWFuZD0nfHBy ZWxpbmUgbWFpbGRyb3AgL2V0Yy9tYWlsZHJvcHJjJwoJZWxzZQoJCXNldCAtLQoJZmkKCgllY29u ZiBcCgkJLS1lbmFibGUtdmFsaWFzIFwKCQktLWVuYWJsZS12cG9wbWFpbGRpcj0ke2Rpcl92cG9w bWFpbH0gXAoJCS0tZW5hYmxlLWh0bWxkaXI9JHtkaXJfaHRkb2NzfSBcCgkJLS1lbmFibGUtaW1h Z2V1cmw9JHt1cmxfaHRkb2NzX2ltYWdlc30gXAoJCS0tZW5hYmxlLWltYWdlZGlyPSR7ZGlyX2h0 ZG9jc19pbWFnZXN9IFwKCQktLWVuYWJsZS1odG1sbGliZGlyPSR7ZGlyX2h0ZG9jc19odG1saWJ9 IFwKCQktLWVuYWJsZS1xbWFpbGRpcj0ke2Rpcl9xbWFpbH0gXAoJCS0tZW5hYmxlLXRydWUtcGF0 aD0ke2Rpcl90cnVlfSBcCgkJLS1lbmFibGUtZXptbG1kaXI9JHtkaXJfZXptbG19IFwKCQktLWVu YWJsZS1jZ2liaW5kaXI9JHtkaXJfY2dpYmlufSBcCgkJLS1lbmFibGUtY2dpcGF0aD0ke3VybF9j Z2liaW59IFwKCQktLWVuYWJsZS1hdXRvcmVzcG9uZGVyLXBhdGg9JHtkaXJfYXV0b3Jlc3BvbmR9 IFwKCQktLWVuYWJsZS1kb21haW4tYXV0b2ZpbGwgXAoJCS0tZW5hYmxlLW1vZGlmeS1xdW90YSBc CgkJLS1lbmFibGUtbm8tY2FjaGUgXAoJCS0tZW5hYmxlLW1heHVzZXJzcGVycGFnZT01MCBcCgkJ LS1lbmFibGUtbWF4YWxpYXNlc3BlcnBhZ2U9NTAgXAoJCS0tZW5hYmxlLXZwb3B1c2VyPXZwb3Bt YWlsIFwKCQktLWVuYWJsZS12cG9wZ3JvdXA9dnBvcG1haWwgXAoJCSIkQCIgXAoJCXx8IGRpZSAi ZWNvbmYgZmFpbGVkIgoJZW1ha2UgfHwgZGllCn0KCnNyY19pbnN0YWxsKCkgewoJbWFrZSBERVNU RElSPSIke0R9IiBpbnN0YWxsIHx8IGRpZQoJZG9kb2MgQVVUSE9SUyBJTlNUQUxMIFJFQURNRS5o b29rcyBCVUdTIFRPRE8gQ2hhbmdlTG9nIFRSQU5TTEFUT1JTIE5FV1MgRkFRIFJFQURNRSBjb250 cmliLyoKfQoKcGtnX3Bvc3RpbnN0KCkgewoJZWluZm8gIklmIHlvdSB3b3VsZCBsaWtlIHN1cHBv cnQgZm9yIGV6bWxtIG1haWxpbmcgbGlzdHMgaW5zaWRlIHFtYWlsYWRtaW4sIgoJZWluZm8gInBs ZWFzZSBlbWVyZ2Ugc29tZSB2YXJpYW50IG9mIGV6bWxtLWlkeC4iCn0K