<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>96776</bug_id>
          
          <creation_ts>2005-06-22 04:33 0000</creation_ts>
          <short_desc>mail-filter/razor-2.72 DoS vulnerabilities</short_desc>
          <delta_ts>2005-07-04 13:35:27 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Security</product>
          <component>Vulnerabilities</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Other</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          <bug_file_loc>http://www200.pair.com/mecham/razor.html</bug_file_loc>
          <status_whiteboard>B3 [glsaupdate] jaervosz</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>minor</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>sascha.lucas@rus.uni-stuttgart.de</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>jpr5+gentoo@darkridge.com</cc>
    
    <cc>kerframil@gmail.com</cc>
    
    <cc>net-mail@gentoo.org</cc>

      

      
          <long_desc isprivate="0">
            <who>sascha.lucas@rus.uni-stuttgart.de</who>
            <bug_when>2005-06-22 04:33:36 0000</bug_when>
            <thetext>with special mails razor-agents-2.72 is still producing segmentation faults. Bug 
#96293 and #95492 says this is fixed, but I still have mails witch cause a 
crash. Please take a look at the URL above: Gary V summarizes the problem. I 
have 6 example mails witch crashes at 3 different points: preproc, computing 
sigs and later after connecting.

Before, I manually installed razor-agents-2.67. The upgrade to 2.72 was done 
with portage. So I removed /usr/lib/perl5/site_perl/5.8.5/i686-linux/Razor2. 

Can someone reproduce this segmentation fault?

Reproducible: Always
Steps to Reproduce:
1. wget https://po2.uni-stuttgart.de/~ruslucas/email3.txt
2. razor-check -d email3.txt

Actual Results:  
Jun 22 13:11:40.302704 check[19160]: [ 6] preproc: mail 1.1 went from 393 bytes 
to 356
Segmentation fault

Expected Results:  
Jun 22 13:03:05.932889 check[18981]: [ 8] razor-check finished successfully.

# emerge info
Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.
20041102-r1, 2.6.11-gentoo-r9 i686)
=================================================================
System uname: 2.6.11-gentoo-r9 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz
Gentoo Base System version 1.6.12
Python:              dev-lang/python-2.3.5 [2.3.5 (#1, May  1 2005, 17:35:06)]
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) 
[disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    [Not Present]
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS=&quot;x86&quot;
AUTOCLEAN=&quot;yes&quot;
CFLAGS=&quot;-O2 -march=pentium4 -pipe -fomit-frame-pointer&quot;
CHOST=&quot;i686-pc-linux-gnu&quot;
CONFIG_PROTECT=&quot;/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/
share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /
usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ 
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/
texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control&quot;
CONFIG_PROTECT_MASK=&quot;/etc/gconf /etc/terminfo /etc/env.d&quot;
CXXFLAGS=&quot;-O2 -march=pentium4 -pipe -fomit-frame-pointer&quot;
DISTDIR=&quot;/usr/portage/distfiles&quot;
FEATURES=&quot;autoaddcvs autoconfig ccache distlocks fixpackages sandbox sfperms 
strict&quot;
GENTOO_MIRRORS=&quot;ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.
uni-erlangen.de/pub/mirrors/gentoo&quot;
LINGUAS=&quot;de&quot;
MAKEOPTS=&quot;-j2&quot;
PKGDIR=&quot;/usr/portage/packages&quot;
PORTAGE_TMPDIR=&quot;/var/tmp&quot;
PORTDIR=&quot;/usr/portage&quot;
SYNC=&quot;rsync://rsync.de.gentoo.org/gentoo-portage&quot;
USE=&quot;x86 X aalib alsa apm arts avi bash-completion berkdb bitmap-fonts crypt 
cups curl divx4linux dvd eds emboss encode esd fam flac foomaticdb fortran gdbm 
gif gpm gtk gtk2 imagemagick imlib ipv6 java jpeg kde kdeenablefinal ldap libg++ 
libwww mad mikmod mmx mng motif mozilla mp3 mpeg ncurses nls nptl ogg oggvorbis 
opengl oss pam pdflib perl png python qt quicktime readline real sdl slang snmp 
softmmu spell sse ssl svg svga tcltk tcpd tetex tiff truetype truetype-fonts 
type1-fonts unicode vorbis wmf xine xinerama xml2 xmms xprint xv xvid zlib 
linguas_de userland_GNU kernel_linux elibc_glibc&quot;
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2005-06-22 04:47:44 0000</bug_when>
            <thetext>Taviso/Ticho please advise. </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jakub@gentoo.org</who>
            <bug_when>2005-06-22 05:07:05 0000</bug_when>
            <thetext>Yeah, segfaults here:
Jun 22 14:05:00.977405 check[4248]: [ 2]  Razor-Agents v2.72 starting
razor-check -d email3.txt
Jun 22 14:05:00.981279 check[4248]: [ 8] reading straight RFC822 mail from
email3.txt
Jun 22 14:05:00.981987 check[4248]: [ 6] read 1 mail
Jun 22 14:05:00.982438 check[4248]: [ 8] Client supported_engines: 4 8
Jun 22 14:05:00.983592 check[4248]: [ 8]  prep_mail done: mail 1 headers=92,
mime0=572, mime1=393, mime2=3478
Jun 22 14:05:00.984140 check[4248]: [ 6] skipping whitelist file (empty?):
/var/lib/amavis/.razor/razor-whitelist
Jun 22 14:05:00.984587 check[4248]: [ 5] read_file: 1 items read from
/var/lib/amavis/.razor/servers.discovery.lst
Jun 22 14:05:00.985093 check[4248]: [ 5] read_file: 2 items read from
/var/lib/amavis/.razor/servers.nomination.lst
Jun 22 14:05:00.985621 check[4248]: [ 5] read_file: 1 items read from
/var/lib/amavis/.razor/servers.catalogue.lst
Jun 22 14:05:00.986228 check[4248]: [ 9] Assigning defaults to joy.cloudmark.com
Jun 22 14:05:00.986592 check[4248]: [ 9] Assigning defaults to folly.cloudmark.com
Jun 22 14:05:00.986836 check[4248]: [ 9] Assigning defaults to shock.cloudmark.com
Jun 22 14:05:00.987814 check[4248]: [ 5] read_file: 16 items read from
/var/lib/amavis/.razor/server.pride.cloudmark.com.conf
Jun 22 14:05:00.988476 check[4248]: [ 5] read_file: 16 items read from
/var/lib/amavis/.razor/server.pride.cloudmark.com.conf
Jun 22 14:05:00.989098 check[4248]: [ 5] read_file: 15 items read from
/var/lib/amavis/.razor/server.joy.cloudmark.com.conf
Jun 22 14:05:00.989732 check[4248]: [ 5] read_file: 15 items read from
/var/lib/amavis/.razor/server.joy.cloudmark.com.conf
Jun 22 14:05:00.990367 check[4248]: [ 5] read_file: 15 items read from
/var/lib/amavis/.razor/server.folly.cloudmark.com.conf
Jun 22 14:05:00.990981 check[4248]: [ 5] read_file: 15 items read from
/var/lib/amavis/.razor/server.folly.cloudmark.com.conf
Jun 22 14:05:00.991670 check[4248]: [ 5] read_file: 16 items read from
/var/lib/amavis/.razor/server.shock.cloudmark.com.conf
Jun 22 14:05:00.992279 check[4248]: [ 5] read_file: 16 items read from
/var/lib/amavis/.razor/server.shock.cloudmark.com.conf
Jun 22 14:05:00.992691 check[4248]: [ 5] 54396 seconds before closest server
discovery
Jun 22 14:05:00.993017 check[4248]: [ 6] shock.cloudmark.com is a Catalogue
Server srl 5084; computed min_cf=6, Server se: C8
Jun 22 14:05:00.993397 check[4248]: [ 8] Computed supported_engines: 4 8
Jun 22 14:05:00.993672 check[4248]: [ 8] Using next closest server
shock.cloudmark.com:2703, cached info srl 5084
Jun 22 14:05:00.993921 check[4248]: [ 8] mail 1 Subject: Undelivered Mail
Returned to Sender
Jun 22 14:05:00.995543 check[4248]: [ 6] preproc: mail 1.0 went from 572 bytes
to 535
Jun 22 14:05:00.996081 check[4248]: [ 6] preproc: mail 1.1 went from 393 bytes
to 356
Segmentation fault
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ticho@gentoo.org</who>
            <bug_when>2005-06-22 05:12:41 0000</bug_when>
            <thetext>Patch taken from razor-users mailinglist[1] does help, but as the author himself
says, there&apos;s no telling if this doesn&apos;t affect the functionality. It shouldn&apos;t,
but I guess we should wait for the upstream to confirm this.

1. http://article.gmane.org/gmane.mail.spam.razor.user/3633</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2005-06-22 06:47:05 0000</bug_when>
<thetext>Taviso, just a segfault or is RCE possible? </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jpr5+gentoo@darkridge.com</who>
            <bug_when>2005-06-24 09:23:34 0000</bug_when>
            <thetext>Adding self as one of the maintainers.

Could you guys please add jpr5+gentoo@darkridge.com,mail@vipul.net in the future for all bugs 
against Razor?  That way we would be able to address them much more quickly.

FYI, this bug has been fixed internally and we are awaiting results from reporters before rolling the 
next release.  We have also updated the test cases shipped with Razor to include the segfault cases and 
a few other anomalies we discovered in the process.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jpr5+gentoo@darkridge.com</who>
            <bug_when>2005-06-28 19:20:28 0000</bug_when>
            <thetext>razor-agents 2.74 was just released, fixing this and several other bugs.  You can find the latest release 
on the razor website, http://razor.sf.net/.
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>geekypenguin@gmail.com</who>
            <bug_when>2005-06-28 19:23:19 0000</bug_when>
            <thetext>*** Bug 96917 has been marked as a duplicate of this bug. ***</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>geekypenguin@gmail.com</who>
            <bug_when>2005-06-28 19:25:45 0000</bug_when>
<thetext>Ignore the last post unless you just feel like reading two different bug reports
on different issues; the stupid bot of mine has an issue with reading Summary. Sorry.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>dercorny@gentoo.org</who>
            <bug_when>2005-06-28 19:33:48 0000</bug_when>
            <thetext>net-mail, please bump.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ticho@gentoo.org</who>
            <bug_when>2005-06-28 19:57:33 0000</bug_when>
            <thetext>Ebuild for 2.74 has been committed into portage, thanks, guys.

security: I&apos;ll mark x86 stable here as soon as you put this bug into
stabilization stage, allowing myself some time to have few mails passed through
razor, ensuring nothing&apos;s obviously broken. Thus, no need to CC x86@.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>dercorny@gentoo.org</who>
            <bug_when>2005-06-28 20:15:23 0000</bug_when>
            <thetext>calling arches - please test and mark stable.

thanks for bumping so fast.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ticho@gentoo.org</who>
            <bug_when>2005-06-28 20:43:01 0000</bug_when>
            <thetext>x86 stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2005-06-28 23:34:50 0000</bug_when>
            <thetext>I propose that we release this as an update to GLSA 200506-17. However the GLSA 
is complicated by being combined with SA. </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>gustavoz@gentoo.org</who>
            <bug_when>2005-06-29 06:22:42 0000</bug_when>
            <thetext>sparc stable.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>kerframil@gmail.com</who>
            <bug_when>2005-06-29 19:05:54 0000</bug_when>
            <thetext>The 2.74 ebuild causes a reproducible sandbox violation here:

  chmod:     /usr/share/man/man5/razor-agent.conf.5
  unlink:    /usr/share/man/man5/razor-agent.conf.5

I noticed this also when I was testing a homebrew ebuild for a release candidate
(2.74_RC4 to be precise) and had intended to report this prior to the final
release hitting the portage tree; I apologise that I did not manage to do so.
The introduction of this issue is related to this item in the release notes:

  * Fixed installation of man(5) pages by non-root users to local man
    directories. [Patch #1227162]

Here&apos;s a link to the patch in question http://tinyurl.com/dub5p.

My approach is to change Makefile.PL:60 from:

  INSTALLMAN5DIR = $(PREFIX)/share/man/man5

to:

  INSTALLMAN5DIR = $(DESTDIR)/$(PREFIX)/share/man/man5

which completely solved the problem here. Whatever the approach, I would humbly
suggest that the ebuild be silently bumped as soon as reasonably possible.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ticho@gentoo.org</who>
            <bug_when>2005-06-29 19:39:43 0000</bug_when>
<thetext>Fixed in 2.74 in CVS, thanks. Funny thing is, I was able to merge 2.74
successfully several times earlier today, and literally nothing has changed on my
system since then, yet now the ebuild gave sandbox violations prior to the fix.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>kerframil@gmail.com</who>
            <bug_when>2005-06-29 19:48:09 0000</bug_when>
            <thetext>Re comment 16: Yes indeed. I had it occur with the release candidate then, quite
literally as I was writing about it in an email, it stopped happening but only
for a while! Very odd.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>dercorny@gentoo.org</who>
            <bug_when>2005-06-30 00:50:26 0000</bug_when>
            <thetext>Recalling sparc: the ebuild needed a small change and was silently bumped after
you marked it stable (see comments above), you might want to retest.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>gustavoz@gentoo.org</who>
            <bug_when>2005-06-30 06:23:10 0000</bug_when>
            <thetext>Looks good too, thanks for the headsup.
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>hansmi@gentoo.org</who>
            <bug_when>2005-06-30 11:40:10 0000</bug_when>
            <thetext>Stable on ppc.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>kloeri@gentoo.org</who>
            <bug_when>2005-06-30 15:53:27 0000</bug_when>
            <thetext>Stable on alpha.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>herbs@gentoo.org</who>
            <bug_when>2005-07-03 14:38:25 0000</bug_when>
            <thetext>Stable on amd64.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>dercorny@gentoo.org</who>
            <bug_when>2005-07-03 14:51:38 0000</bug_when>
            <thetext>Ready for GLSA vote (note jaervosz&apos;s proposal in comment #13 before voting).</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-07-04 00:28:45 0000</bug_when>
            <thetext>Yes, as an update to the previous one.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-07-04 06:19:22 0000</bug_when>
            <thetext>jaervosz agrees</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2005-07-04 13:35:27 0000</bug_when>
            <thetext>GLSA 200506-17 UPDATE </thetext>
          </long_desc>
      
    </bug>

</bugzilla>