88904 2005-04-12 15:25 0000 mail-filter/gld: Format String Flaws and Buffer Overflows 2005-04-13 05:23:06 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://securitytracker.com/alerts/2005/Apr/1013678.html B0 [glsa] jaervosz P2 blocker --- 1 formula7@gentoo.org security@gentoo.org net-mail@gentoo.org formula7@gentoo.org 2005-04-12 15:25:14 0000 Version(s): 1.3, 1.4 Description: dong-hun you from INetCop Security reported several vulnerabilities in Gld. A remote user can obtain root privileges. The 'server.c' file contaisn several buffer overflows. A remote user can supply specially crafted input to trigger a buffer overflow and execute arbitrary code. The 'cnf.c' file contains several format string vulnerabilities, where user-supplied data is not properly validated and is passed to a syslog() call without the appropriate format string specifier. A remote user can supply specially crafted input to execute arbitrary code with root privileges. Impact: A remote user can execute arbitrary code with root privileges. Solution: No solution was available at the time of this entry. jaervosz@gentoo.org 2005-04-12 23:07:09 0000 auditors and/or net-mail please advise. tigger@gentoo.org 2005-04-13 02:12:38 0000 despite the various "this is safe" comments in the source code, it hasn't been thought out so well. perl -e 'print "request=" . ("x" x 2000) . "\n\n"' | nc localhost 2525 Overflow at: server.c:265 strcpy without proper length checks (despite comments in the code which say otherwise). attacker decides what lands on the stack, so its easily exploitable. jaervosz@gentoo.org 2005-04-13 02:55:24 0000 Has upstream been informed about this? jaervosz@gentoo.org 2005-04-13 03:02:53 0000 Bummer, cached page here. 1.5 is released today. net-mail please bump. ticho@gentoo.org 2005-04-13 03:04:33 0000 I'll do it. jaervosz@gentoo.org 2005-04-13 03:15:30 0000 Default config IS affected -> upgrading severity. net-mail please provide a better default than this: # # Shall we bind only to loopback ? (0=No,1=Yes) (default is 0) # LOOPBACKONLY=0 # # The list of networks allowed to connect to us (default is everybody) # The format is network/cidrmask,.... # # Uncomment the line to activate it. # #CLIENTS=192.168.168.0/24 172.16.0.0/19 127.0.0.1/32 jaervosz@gentoo.org 2005-04-13 03:24:28 0000 net-mail please also fix the default user. Right now the default config make it run with root privs: # # The user used to run gld (default value is no user change) # uncomment the line to activate it. # #USER=nobody # # The group used to run gld (default value is no group change) # uncomment the line to activate it. # #GROUP=nobody ticho@gentoo.org 2005-04-13 03:30:42 0000 Ebuild for 1.5 in portage, x86 stable. jaervosz@gentoo.org 2005-04-13 03:42:11 0000 amd64 please test and mark stable ASAP. jaervosz@gentoo.org 2005-04-13 03:56:12 0000 amd64 please cvs up if you're already started: [12:56:33] <@Ticho> jaervosz: updated the gld ebuild, since it installed few files in wrong places ticho@gentoo.org 2005-04-13 04:35:25 0000 It seems to work just fine on a busy amd64 mailserver I admin. Marked stable on amd64. jaervosz@gentoo.org 2005-04-13 04:37:46 0000 Thx everyone. This one is ready for glsa. jaervosz@gentoo.org 2005-04-13 05:23:06 0000 GLSA 200504-10