Bug 135005 - mail-mta/courier DoS issue (CVE-2006-2659)
Bug#: 135005 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://www.courier-mta.org/beta/patches/verp-fix/
Summary: mail-mta/courier DoS issue (CVE-2006-2659)
Keywords:  
Status Whiteboard: B3 [glsa] jaervosz
Opened: 2006-05-31 02:13 0000
Description:   Opened: 2006-05-31 02:13 0000 
2006-05-23  Mr. Sam  <mrsam@courier-mta.com>

        * courier/libs/comverp.c (verp_encode): Fix bug in encoding of
        usernames that contain '='.

------- Comment #1 From Marcin Semeniuk 2006-06-04 22:13:50 0000 ------- 
bug 134262 is the same bug.

------- Comment #2 From Raphael Marichez 2006-06-08 05:03:31 0000 ------- 
This bug sould be merged with bug 134262 and bug 134262 sould be assigned to
security team, so that the security process could be completed, including the
final GLSA vote.

------- Comment #3 From Raphael Marichez 2006-06-08 05:05:47 0000 ------- 
it is   CVE-2006-2659

------- Comment #4 From Sune Kloppenborg Jeppesen 2006-06-08 05:10:22 0000 ------- 
*** Bug 134262 has been marked as a duplicate of this bug. ***

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-06-08 05:12:46 0000 ------- 
swtaylor please advise and patch as necessary.

------- Comment #6 From Sune Kloppenborg Jeppesen 2006-06-30 08:55:42 0000 ------- 
Perhaps someone from net-mail will help on this one?

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-07-05 23:26:58 0000 ------- 
Vapier/Solar/Taviso no response from mail to swtayloer, will you try a bump?

------- Comment #8 From Luca Longinotti 2006-07-10 17:26:44 0000 ------- 
mail-mta/courier-0.53.2 is in the tree now, which fixes the security issue and
a few other bugs, thanks to Marcin Semeniuk (a user) that provided updated
ebuilds in another bug. I want to stress that I only did the version bump for
security, I won't maintain mail-mta/courier myself as I don't use it anywhere.
Best regards, CHTEKK.

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-07-11 00:51:42 0000 ------- 
Thx Luca.

Arches please test and mark stable.

------- Comment #10 From Joshua Jackson 2006-07-11 21:39:16 0000 ------- 
forgetting you have courier working locally = doh!

x86 done, as it all worked for me in that reguards. I'm going to take a nap
now.

Z_Z

------- Comment #11 From Jason Wever (RETIRED) 2006-07-12 15:39:05 0000 ------- 
courier dies if "test" is in FEATURES because something it does via make check
spits out;

Making check in imap
make[1]: Entering directory
`/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap'
make  check-am
make[2]: Entering directory
`/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap'
=============================
Do not run make check as root
=============================
make[2]: *** [check-am] Error 1
make[2]: Leaving directory
`/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap'
make[1]: *** [check] Error 2
make[1]: Leaving directory
`/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap'
make: *** [check-recursive] Error 1

!!! ERROR: mail-mta/courier-0.53.2 failed.
Call stack:
  ebuild.sh, line 1539:   Called dyn_test
  ebuild.sh, line 987:   Called src_test
  ebuild.sh, line 618:   Called die

Will continue testing, but should be disabled.

------- Comment #12 From Jason Wever (RETIRED) 2006-07-12 17:15:46 0000 ------- 
Created an attachment (id=91607) [details]
Updated mailer.conf for mailwrapper support

At the request of langthang, I re-built courier with FEATURES="userpriv test"
and the tests run fine.

On another note, the mailer.conf file for USE="mailwrapper" support provided in
${FILESDIR} is broken.  The path to sendmail.courier has changed from /usr/sbin
to /usr/bin.  Attached is an updated version of it with the right pathings.

------- Comment #13 From Luca Longinotti 2006-07-14 10:09:06 0000 ------- 
mailer.conf was updated as per attachment and the ebuild had a src_test added
that will only execute the tests if FEATURES="userpriv" is present, else it
will warn the user about the need of it to make check.
Best regards, CHTEKK.

------- Comment #14 From Jason Wever (RETIRED) 2006-07-16 14:06:15 0000 ------- 
SPARC sexy

------- Comment #15 From Jason Wever (RETIRED) 2006-07-16 15:14:31 0000 ------- 
This time I'll even remove SPARC from the CC! :)

Your hourly bug spam brought to you by jforman's goats.

------- Comment #16 From Jakub Moc (RETIRED) 2006-07-18 02:12:38 0000 ------- 
Could someone investigate the missing patch that should (?) get applied w/
USE="-fam"? (Bug 140883) AFAICS that patch just never existed.

------- Comment #17 From Tuan Van (RETIRED) 2006-07-18 09:15:25 0000 ------- 
(In reply to comment #16)
> Could someone investigate the missing patch that should (?) get applied w/
> USE="-fam"? (Bug 140883) AFAICS that patch just never existed.
> 

it looks like swtaylor bumped courier-0.48.2.20050130.ebuild to fix bug #69630
but forgot to commit fam-disable-check.patch.
http://sources.gentoo.org/viewcvs.py/gentoo-x86/mail-mta/courier/courier-0.48.2.20050130.ebuild?hideattic=0&rev=1.3&view=markup
one can port that patch from courier-imap but as far as security concern this
isn't a regression.

BTW, tsunam mark 52.2 x86 instead of 53.2. re-add x86.

------- Comment #18 From Tuan Van (RETIRED) 2006-07-18 09:40:44 0000 ------- 
(In reply to comment #17)
> as far as security concern this
> isn't a regression.

I take it back. The last known stable ebuild doesn't have that fam stuff in
there.  Guess we have to yank fam related stuff out and do a revision bump
later with fam goodness.

------- Comment #19 From Tuan Van (RETIRED) 2006-07-18 14:51:03 0000 ------- 
bug 140883 is fixed. please back to your regular schedule. Sorry for the
interruption.

------- Comment #20 From Joshua Jackson 2006-07-20 00:02:06 0000 ------- 
perhaps its the right version this time.

------- Comment #21 From Tobias Scherbaum 2006-07-22 02:03:37 0000 ------- 
Already ppc stable.

------- Comment #22 From Thomas Cort (RETIRED) 2006-07-22 08:40:10 0000 ------- 
alpha stable.

------- Comment #23 From René Nussbaumer 2006-07-29 02:01:38 0000 ------- 
forgot to remove us.

------- Comment #24 From Simon Stelling (RETIRED) 2006-07-31 01:33:29 0000 ------- 
amd64 done, sorry for the delay.

------- Comment #25 From Sune Kloppenborg Jeppesen 2006-07-31 02:48:06 0000 ------- 
I tend to vote YES.

------- Comment #26 From Thierry Carrez (RETIRED) 2006-07-31 13:43:50 0000 ------- 
usernames containing '=' ?? Voting no.

------- Comment #27 From Matthias Geerdsen 2006-07-31 14:42:16 0000 ------- 
recipients with = seem pretty uncommon... nevertheless i tend to vote yes on
this one (a really small yes though)

------- Comment #28 From Wolf Giesen (RETIRED) 2006-07-31 22:07:43 0000 ------- 
I'd say it would depend on whether usernames would have to be *valid*. If NOT,
I'd vote YES. But I couldn't find info that anywhere.

Can somebody who actually worked on the code tell?

------- Comment #29 From Sune Kloppenborg Jeppesen 2006-08-01 00:45:22 0000 ------- 
Mail gateways or mailing list servers usually don't have any chance of
validating the username.

------- Comment #30 From Raphael Marichez 2006-08-01 10:32:08 0000 ------- 
i vote no; username with "=" is rather uncommon, isn't it ?

------- Comment #31 From Wolf Giesen (RETIRED) 2006-08-02 00:07:50 0000 ------- 
Sune is right IMHO (#29), and I vote "yes", too, because of that.

------- Comment #32 From Thierry Carrez (RETIRED) 2006-08-02 06:22:19 0000 ------- 
Reverting to yes.

------- Comment #33 From Sune Kloppenborg Jeppesen 2006-08-03 22:05:30 0000 ------- 
ia64 don't forget to mark stable to benifit from the GLSA.

GLSA 200608-06