Bug 178986 - app-arch/zoo Denial of Service Vulnerability (CVE-2007-1669)
Bug#: 178986 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: lars@chaotika.org
Component: Vulnerabilities
URL:  http://www.securityfocus.com/archive/1/archive/1/467646/100/0/
Summary: app-arch/zoo Denial of Service Vulnerability (CVE-2007-1669)
Keywords:  
Status Whiteboard: B3 [noglsa] jaervosz
Opened: 2007-05-18 11:20 0000
Description:
A vulnerability has been reported in Amavis, which can potentially be exploited
by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to Amavis potentially invoking an insecure
version of zoo or unzoo. This can be exploited to cause an infinite loop
resulting in high CPU utilisation.

Solution:
The vendor recommends disabling the use of zoo or unzoo, or using a patched
version of zoo.

Provided and/or discovered by:
The vendor credits Jean-Sebastien Guay-Leroux.

Original Advisory:
http://www.amavis.org/security/asa-2007-2.txt

Reproducible: Always

------- Comment #1 From Lars Hartmann 2007-05-18 11:36:51 0000 -------
maintainers - please advise

------- Comment #2 From Andrej Kacian (RETIRED) 2007-05-18 19:14:27 0000 -------
I suggest patching app-arch/zoo with the patch found in section VII here:
<http://www.securityfocus.com/archive/1/archive/1/467646/100/0/threaded>. We
can then make amavisd-new depend on the patched version of zoo, after stabilizing
it for arches.

This would be more bearable than waiting for amavisd-new-2.5.1 and then
stabilizing it - 2.5.x brings some new stuff and config file changes which are
not yet as well tested as 2.4.x.

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-05-19 06:52:43 0000 -------
Not an amavisd-new issue. Unfortunately zoo is without a maintainer. Ticho,
could you patch it?

------- Comment #4 From Icebird2000 2007-05-22 09:51:38 0000 -------
Created an attachment (id=119979) [details]
Patchfile

this is the patch as diff-file

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-05-22 15:06:32 0000 -------
Ticho ping.

------- Comment #6 From Lars Hartmann 2007-05-23 21:51:54 0000 -------
Created an attachment (id=120137) [details]
modified patch

I modified the patch to let it patch cleanly.

------- Comment #7 From Lars Hartmann 2007-05-23 21:52:49 0000 -------
Created an attachment (id=120138) [details]
ebuild

an ebuild which uses my modified patch

------- Comment #8 From Lars Hartmann 2007-05-23 21:56:57 0000 -------
Created an attachment (id=120139) [details]
fixed patch

now the final one (uploaded the wrong one first) - sorry for that

------- Comment #9 From Andrej Kacian (RETIRED) 2007-05-23 22:32:33 0000 -------
Sorry guys. I was, uhh... distracted, from all technology for the past few days.

zoo-2.10-r3 is in the tree now.

------- Comment #10 From Stefan Cornelius (RETIRED) 2007-05-23 23:00:53 0000 -------
arches, please test and stable zoo-2.10-r3. thanks

------- Comment #11 From Christian Faulhammer 2007-05-24 06:37:19 0000 -------
x86/amd64 stable

------- Comment #12 From Gustavo Zacarias (RETIRED) 2007-05-24 12:57:35 0000 -------
sparc stable.

------- Comment #13 From Markus Rothe 2007-05-24 15:31:26 0000 -------
ppc64 stable

------- Comment #14 From Raúl Porcel 2007-05-25 11:06:03 0000 -------
alpha stable

------- Comment #15 From Tobias Scherbaum 2007-05-25 17:51:46 0000 -------
ppc stable

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-05-25 17:55:57 0000 -------
This one is ready for GLSA decision. I tend to vote YES.

------- Comment #17 From Pierre-Yves Rofes 2007-05-31 09:27:58 0000 -------
I tend to vote NO.

------- Comment #18 From Raphael Marichez 2007-06-01 15:14:30 0000 -------
no and closing, feel free to reopen if you disagree