181941 2007-06-13 19:36 0000 mail-filter/spamassassin Symlink DoS issue (CVE-2007-2873) 2007-07-13 16:19:26 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://spamassassin.apache.org/advisories/cve-2007-2873.txt C3? [noglsa] jaervosz P2 minor --- 1 jaervosz@gentoo.org security@gentoo.org coran.fisher@gmail.com gentoo@valli.org mips@gentoo.org perl@gentoo.org jaervosz@gentoo.org 2007-06-13 19:36:46 0000 CVE reference: CVE-2007-2873 Description: A local user symlink-attack DoS vulnerability in SpamAssassin has been found, affecting versions 3.1.x, 3.2.0, and SVN trunk. It has been assigned CVE-2007-2873. Details: - It only affects systems where spamd is run as root, is used with vpopmail or virtual users via the "-v"/"--vpopmail" OR "--virtual-config-dir" switch, AND with the "-x"/"--no-user-config AND WITHOUT the "-u"/"--username" switch AND with the "-l"/"--allow-tell" switch. This is not default on any distro package, and is not a common configuration. - It is a local exploit that requires the attacker to have a local account whose mail is being processed by spamd. - The effect of the exploit is to allow overwriting of arbitrary files that are accessible by the spamd process (running as root), with data that is not under the control of the attacker. Hence it is a DoS vulnerability that does not allow remote execution nor escalation of local privileges. Workaround: If you are running spamd using a vulnerable combination of switches, add the "-u" / "--username" switch to specify a non-root user that spamd child processes will run as. Note that in a mixed real/virtual user environment you will now have to run two separate instances of spamd on different ports, with the instance that specifies "-v"/"--vpopmail" or "--virtual-config-dir" also specifying "-u"/"--username". Fix: The vulnerability is fixed in SpamAssassin version 3.2.1 by, among other fixes, no longer allowing the use of "-v"/"--vpopmail" or "--virtual-config-dir" without the "-u"/"--username" switch. Thus, the configuration change described in the above workaround is still necessary when upgrading to 3.2.1. Further info: mail <security at SpamAssassin.apache.org> Announced: Jun 11 2007 Corrected: Jun 11 2007 Affects: all versions before the correction date, after and including 3.1.0 Credit: discovery of this vulnerability credited to Martin F. Krafft <madduck@debian.org> jakub@gentoo.org 2007-06-15 14:15:10 0000 *** Bug 182149 has been marked as a duplicate of this bug. *** jaervosz@gentoo.org 2007-06-16 06:18:29 0000 perl please advise and bump as necessary. coran.fisher@gmail.com 2007-06-16 14:46:37 0000 3.2.1 is a major bug-fix release, including a potential local DoS. The major highlights are: - bug 5480: fix for CVE-2007-2873: a local user symlink-attack DoS vulnerability. It only affects systems where spamd is run as root, is used with vpopmail or virtual users via the "-v"/"--vpopmail" OR "--virtual-config-dir" switch, AND with the "-x"/"--no-user-config AND WITHOUT the "-u"/"--username" switch AND with the "-l"/"--allow-tell" switch. This is not default on any distro package, and is not a common configuration. More details of the vulnerability can be read at <http://spamassassin.apache.org/advisories/cve-2007-2873.txt>. <list of other bugs truncated as they aren't related to this bug> ian@gentoo.org 2007-06-17 12:49:53 0000 It's failing in tests for me. So no bump from me currently. mcummings@gentoo.org 2007-06-18 16:08:01 0000 hmmm...passed all tests over here (hence my bump when i saw the update notice from apache.org, irrespective of this bug). where's it failing ian? mcummings@gentoo.org 2007-06-18 22:46:36 0000 http://www.gossamer-threads.com/lists/spamassassin/users/102895 tests seem broken for root. running as a regular user produces success t/utf8......................ok t/util_wrap.................ok t/whitelist_addrs...........ok t/whitelist_from............ok t/whitelist_subject.........ok t/whitelist_to..............ok t/zz_cleanup................ok All tests successful, 16 tests skipped. Files=129, Tests=1985, 582 wallclock secs (288.68 cusr + 22.90 csys = 311.58 CPU) Move to disable tests for this release (especially if we're looking at a gsla related keywording) jaervosz@gentoo.org 2007-06-23 18:02:30 0000 Thx Micheal. Arches please test and mark stable. Target keywords are: spamassassin-3.2.1-r1.ebuild:KEYWORDS="alpha amd64 hppa ia64 mips ppc ppc64 sparc x86" angelos@gentoo.org 2007-06-23 18:26:15 0000 amd64 done jer@gentoo.org 2007-06-23 23:57:21 0000 Marked stable for HPPA: dev-util/re2c-0.12.0 mail-filter/spamassassin-3.2.1-r1 armin76@gentoo.org 2007-06-24 15:30:57 0000 alpha/ia64/x86 stable dertobi123@gentoo.org 2007-06-24 19:51:52 0000 ppc stable gustavoz@gentoo.org 2007-06-25 13:28:18 0000 sparc stable. corsair@gentoo.org 2007-06-26 05:47:26 0000 ppc64 stable jaervosz@gentoo.org 2007-07-01 02:23:07 0000 This one is ready for GLSA decision. I vote NO. py@gentoo.org 2007-07-01 09:51:03 0000 voting NO too. aetius@gentoo.org 2007-07-02 21:47:14 0000 vote no, too specific and extremely unlikely. dercorny@gentoo.org 2007-07-13 16:19:26 0000 yet another no and closing