<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>60844</bug_id>
          
          <creation_ts>2004-08-18 21:14 0000</creation_ts>
          <short_desc>net-mail/vpopmail &lt; 5.4.6 buffer overflow &amp; sql injection</short_desc>
          <delta_ts>2004-09-01 08:36:34 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Linux</product>
          <component>Ebuilds</component>
          <version>1.4</version>
          <rep_platform>All</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          <bug_file_loc>http://www.kupchino.org.ru/unl0ck/advisories/vpopmail.txt</bug_file_loc>
          <status_whiteboard>C2 [glsa+]</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>critical</bug_severity>
          <target_milestone>---</target_milestone>
          <dependson>57617</dependson>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>rajiv@gentoo.org</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>net-mail@gentoo.org</cc>

      

      
          <long_desc isprivate="0">
            <who>rajiv@gentoo.org</who>
            <bug_when>2004-08-18 21:14:26 0000</bug_when>
<thetext>Not sure if we support vpopmail+sybase on Gentoo, but we should get 5.4.5 (see bug 57617) into portage
and marked stable.

no glsa needed for this one, risk is low.


                       .:: Security Advisory ::.
                  by unl0ck team [http://unl0ck.host.kz]
                               _  _     ___  _  __  _  _
             |  |  _  |  _   _  |/       |  |_ |__| |\/|
             |__| | | | |_| |_ _|\_      |  |_ |  | |  |


Advisory: #2 by unl0ck team
Bug: buffer overflow (sybase) and maybe SQL injection
Product: vpopmail &lt;= 5.4.2 (sybase vulnerability)
Author: Werro [werro@list.ru]
Release Date: 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference: http://unl0ck.host.kz/advisories


Overview:
vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.

Details:
Bugs were found in Sybase, in the vsybase.c file.

-------------------\
 char dirbuf[156];  \__Vulnerability___________________________________________________
 ...                                                                                   |
 if ( strlen(dir) &gt; 0 )                                                                |
 {                                                                                     |
 sprintf(dirbuf,&quot;%s/%s/%s&quot;, dom_dir,dir,user);                                         |
 ^^^^^^^ - buffer overflow                                                             |
 }else{                                                                                |
 sprintf(dirbuf, &quot;%s/%s&quot;, dom_dir, user);                                              |
 ^^^^^^^ - buffer overflow                                                             |
 }                                                                                     |
 ...                                                                                   |
                                          _____________________________________________|
----------------------------------------/

To avoid these bugs, you must use snprintf() with a format like &quot;%s&quot;.

12/08/04.
(c) by unl0ck team.
http://unl0ck.host.kz/</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-08-18 22:35:11 0000</bug_when>
            <thetext>It appears that the vulnerable code is not fixed in 5.4.5 (vsybase.c lines 185-187 and 192-196). 

http://www.securityfocus.com/archive/1/371913/2004-08-15/2004-08-21/0</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rajiv@gentoo.org</who>
            <bug_when>2004-08-20 11:36:03 0000</bug_when>
            <thetext>vpopmail 5.4.6 has been released:

http://sourceforge.net/forum/forum.php?forum_id=400873

Posted By: tomcollins
Date: 2004-08-19 10:07
Summary: vpopmail 5.4.6 addresses SQL injection vulnerability.

We recommend that all vpopmail users upgrade to the 5.4.6 release, as it addresses SQL injection vulnerabilities. This code was tested in the 5.5.0 release from March, and has been in use on multiple production machines without any reported bugs.

</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rajiv@gentoo.org</who>
            <bug_when>2004-08-20 11:40:29 0000</bug_when>
            <thetext>some more details on what is fixed in 5.4.6:

http://sourceforge.net/mailarchive/forum.php?thread_id=5038575&amp;forum_id=34827

From: Tom Collins &lt;tom@to...&gt;
Vpopmail 5.4.6 released  
2004-06-30 22:34

 http://vpopmail.sf.net/
 
 Release Notes:
 
 This release is identical to 5.4.5, but with the addition of all patches
 included in 5.5.0.
 
 These patches, related to the database backends, include code to
 protect against SQL exploits (where user-entered data isn&apos;t escaped
 before placing it in a query).  All queries are built with a modified
 version of sprintf that escapes dangerous characters from strings.
 
 5.5.0 has been out for over 3 months with some people using it in
 production environments without any reports of problems.  Even so,
 this will be a devel release until others can do more production 
 testing.
 
 ChangeLog:
 
 Tom Collins
 - Consolidate table creation code in vmysql.c and vpgsql.c.
 - Increase SQL_BUF_SIZE from 600 to 2048 for Oracle, Postgres
    and Sybase.
 - Add qnprintf() to vpopmail.c for escaping strings in SQL queries.
 - Use qnprintf() when building queries in vmysql.c, vpgsql.c,
    voracle.pc, and vsybase.c.
 - Multiple fixes to vpgsql.c related to freeing PGresults and
    attempting to access NULL PGresults when reporting errors.
 

</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rajiv@gentoo.org</who>
            <bug_when>2004-08-20 11:42:30 0000</bug_when>
            <thetext>more details on what was fixed in 5.4.5:

http://sourceforge.net/mailarchive/forum.php?thread_id=5005922&amp;forum_id=34827

From: Tom Collins &lt;tom@to...&gt;
Vpopmail 5.4.5 released  
2004-06-25 18:18

 http://vpopmail.sf.net
 
 Release Notes:
 
 There are significant changes in here for MySQL and Postgres backends.
 
 If you had problems with Postgres and roaming users, you should
 definitely upgrade.
 
 If you&apos;ve had errors stating &quot;couldn&apos;t create table/database because it
 already exists&quot; with MySQL, you should definitely upgrade.
 
 ChangeLog:
 
 fernando (at) telemacro (dot) com (dot) br
 - Patch for vpgsql.c fixes bug with Postgres and roaming users
    (POP before SMTP). [895501]
 
 Françoi Wautier
 - Fix method used to open database in vauth_open_update of
    vmysql.c. [967994, 946983]
 
 Pit Palme
 - Show &quot;delete&quot; as valid option to vdelivermail in docs. [951245]
 
 rstml
 - Hide error message during POP3 auth with Postgres. [915485]
 
 Tom Collins
 - Fix `vuserinfo -l` output, based on Bill Shupp&apos;s patch
    (moved code to a single function call). [961742]
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>langthang@gentoo.org</who>
            <bug_when>2004-08-20 16:09:22 0000</bug_when>
            <thetext>vpopmail-5.4.6 is in CVS. Thanks.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2004-08-20 17:33:28 0000</bug_when>
            <thetext>need some stable loving</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>pvdabeel@gentoo.org</who>
            <bug_when>2004-08-21 12:09:29 0000</bug_when>
            <thetext>tested and stable on ppc</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>langthang@gentoo.org</who>
            <bug_when>2004-08-21 13:37:03 0000</bug_when>
            <thetext>stable on x86. remove x86 from CC. Still need sparc keyword.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>robbat2@gentoo.org</who>
            <bug_when>2004-08-21 19:04:28 0000</bug_when>
<thetext>ppc and x86: I&apos;m just wondering how you &apos;tested&apos; the ebuild, given the SRC_URI was wrong and RESTRICT=nouserpriv was removed, as well as the totally broken --enable-mysql being put back into the ebuild.

I&apos;ve put -r1 into the tree, with fixes so that it can download, build and work properly.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>langthang@gentoo.org</who>
            <bug_when>2004-08-21 19:32:32 0000</bug_when>
<thetext>Sorry, it was my fault.
1. In an attempt to clean up SRC_URI, I &quot;backspaced&quot; too much without noticing, because I already had a tarball.
2. I bumped from vpopmail-5.4.0.ebuild instead of vpopmail-5.4.0-r1.ebuild, which has the fix for the broken --enable-mysql and the added RESTRICT=nouserpriv.

Again, sorry for any inconvenience that I&apos;ve caused.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>pvdabeel@gentoo.org</who>
            <bug_when>2004-08-21 20:07:27 0000</bug_when>
            <thetext>pvdabeel@dual-g5 vpopmail $ splat vpopmail
 * net-mail/vpopmail-5.4.6

        Emerged at: Sat Aug 21 21:07:51 2004
        Build time: 32 seconds

 * net-mail/vpopmail-5.4.6-r1

        Emerged at: Sun Aug 22 04:58:29 2004
        Build time: 1 minute, and 11 seconds

I downloaded the tarball manually, because the local sourceforge mirror kept timing out. Thought it was SF related. 

Anyway. As illustrated above, -r1 builds just fine on ppc too. </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>weeve@gentoo.org</who>
            <bug_when>2004-08-21 21:20:07 0000</bug_when>
            <thetext>Stable on sparc</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>lv@gentoo.org</who>
            <bug_when>2004-08-22 14:55:55 0000</bug_when>
<thetext>amd64 doesn&apos;t have an insecure version in stable to displace (we don&apos;t have any version stable), so I&apos;m removing amd64 from CC without marking this version stable.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-08-25 23:32:46 0000</bug_when>
            <thetext>x86 please mark stable

I agree with rajiv that if this issue were only with Sybase we would probably not issue a GLSA; however, from the ChangeLog reference and http://sourceforge.net/forum/forum.php?forum_id=400873 it seems clear that the SQL injection might not be limited to Sybase. </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-09-01 08:36:34 0000</bug_when>
            <thetext>GLSA 200409-01</thetext>
          </long_desc>
      
    </bug>

</bugzilla>