Bug 133800 - mail-filter/popfile: DoS (CVE-2006-0876)

Bug#: 133800
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: falco@gentoo.org
Component: Vulnerabilities
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0876
Summary: mail-filter/popfile: DoS (CVE-2006-0876)
Keywords:
Status Whiteboard: B3 [noglsa] Falco
Opened: 2006-05-19 11:36 0000
POPFile before 0.22.4 allows remote attackers to cause a denial of service
(application crash) via unspecified vectors involving character sets within
e-mail messages.

CCing mcummings in order to progress on this vuln.
(and adding CVE id)

POPFile 0.22.4 has been committed to the tree. It will need stabilising on
x86.
Best regards,
Stu

Thx SuperStu. x86 please test and mark stable.

popfile installs, however it's failing while trying to locate the Loader. The
following is the error:
Can't Locate POPFile/Loader.pm at @INC (include is all the following locations,
perl knows them).
Begin failed--compilation aborted at /usr/share/popfile/popfile.pl line75.
Please advise.

Current stable fails the same way, and also doesn't work out of the box due to
a bad chmod. The location of this file also sucks since it isn't in the user's
path. I'm wondering if we should just put this back to ~x86 until it is more
developed and easier to use.

Seems like a candidate for ~ rather than stable to me.
Stuart, please advise.

I removed "x86" from the only stable version we had, so now the only versions
we have keyworded are ~x86. I put that version to -* so that the maintainers
can decide when to drop it.
So...we are done :)

Hi,
The popfile-0.22.4 install is working fine locally. To run it,
cd /usr/share/popfile && ./popfile.pl
I'd like to see this version stable on x86, to provide an upgrade for everyone
running the older version.
Best regards,
Stu

SuperStu, does that mean that pkg_postinst is out of date, or does running it
like /usr/share/popfile/popfile.pl also work?
Security, since this is a B3 we at least need a vote on (mask) GLSA.

I just talked to Stuart and we worked out a way to get this to work so everyone
is happy. He said he'll have time tomorrow to add the fix, and he'll mark it
stable for us at the same time. He's just going to add a little wrapper script
into /usr/bin/ so that it will do the cd and everything for the user, so it'll
"Just Work" (TM) :) There are still some problems with it, but this will
at least make it a little better, imho.
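A wrapper of the kind described in the comment above, written here as an added example and not the ebuild's actual /usr/bin script. It assumes the install path /usr/share/popfile from this thread (overridable through a hypothetical POPFILE_ROOT variable for testing), refuses to start when popfile.pl is missing or not executable (the bad-chmod problem noted earlier in the thread), and exports PERL5LIB so that POPFile/Loader.pm is found on @INC even when the launcher is started from outside the install directory, rather than relying on the current directory being searched. It then runs popfile.pl from its own directory, exactly as the maintainer's "cd /usr/share/popfile && ./popfile.pl" instruction does.

```shell
#!/bin/sh
# Hypothetical /usr/bin/popfile launcher (added example, not the real ebuild script).
# The error quoted in the thread ("Can't locate POPFile/Loader.pm in @INC ...
# at /usr/share/popfile/popfile.pl") shows that popfile.pl loads its modules
# relative to its install directory, so the launcher must run it from there.

popfile_wrapper() {
    # POPFILE_ROOT is an assumed override; the default is the path from the bug.
    root="${POPFILE_ROOT:-/usr/share/popfile}"

    if [ ! -f "$root/popfile.pl" ]; then
        echo "popfile: $root/popfile.pl not found" >&2
        return 2
    fi
    # Catch the "bad chmod" failure mode before trying to exec anything.
    if [ ! -x "$root/popfile.pl" ]; then
        echo "popfile: $root/popfile.pl is not executable (check the install's chmod)" >&2
        return 3
    fi

    # Run in a subshell so the caller's cwd and environment are left untouched.
    # PERL5LIB is prepended with the install dir so POPFile/Loader.pm resolves
    # via @INC regardless of whether '.' is searched; exec replaces the subshell.
    (
        cd "$root" || exit 4
        PERL5LIB="$root${PERL5LIB:+:$PERL5LIB}"
        export PERL5LIB
        exec ./popfile.pl "$@"
    )
}

# Only start POPFile when this file is run as the installed 'popfile' command,
# not when it is sourced to reuse the function.
case "$0" in
    */popfile|popfile) popfile_wrapper "$@" ;;
esac
```

Installed as /usr/bin/popfile, the script lets a user type `popfile` from any directory; a non-zero exit with a message on stderr tells them which of the two install problems from this thread (missing file or missing exec bit) they have hit.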
(In reply to comment #11)
> I just talked to Stuart and we worked out a way to get this to work so everyone
> is happy. He said he'll have time tomorrow to add the fix, and he'll mark it
> stable for us at the same time.
Stuart, any news on this?

Sorry for the delay; I've been a bit unwell this week.
popfile-0.22.4 is now in the tree and (with Mark's permission) has been marked
stable on x86.
Best regards,
Stu

- removing x86 from CC
- calling a vote for GLSA

Why no GLSA? The affected version of the package was stable ...
Best regards,
Stu

Not all vulnerable stable packages automatically force a GLSA. The
vulnerability treatment policy
(http://www.gentoo.org/security/en/vulnerability-policy.xml) says that there
should be a vote for certain ratings (one of them is B3, like this one).
If you want a GLSA, you may comment on this here and we might take your opinion
into account (but don't have to).

Closing without GLSA, feel free to reopen if you disagree.