Bug 95492 - mail-filter/razor Denial of Service vulnerabilities.
|
Bug#:
95492
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Other
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: jaervosz@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
|
|
Summary: mail-filter/razor Denial of Service vulnerabilities.
|
|
Keywords:
|
|
Status Whiteboard: B3 [glsa] jaervosz
|
|
Opened: 2005-06-08 13:33 0000
|
Razor appears to be vulnerable to overly long Content-Type headers like
SpamAssassin (bug #94722).
Waiting for upstream fix.
2.71 is in.
Not sure this is widely public, so calling arch liaisons to test and mark stable.
x86->tester
amd64->blubb
ppc->hansmi
sparc->gustavoz
alpha->kloeri
Target KEYWORDS="x86 ppc sparc alpha amd64"
Adding lu_zero as I'm busy.
adding luckyduck as i'm currently busy
there is any standard way to test it?
Can't even merge it on amd64:
Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agents.5
Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agent.conf.5
Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-whitelist.5
Installing /var/tmp/portage/razor-2.71/image/usr/bin/razor-client
Writing
/var/tmp/portage/razor-2.71/image//usr/lib/perl5/vendor_perl/5.8.5/x86_64-linux/auto/razor-agents/.packlist
Appending installation info to
/var/tmp/portage/razor-2.71/image//usr/lib/perl5/5.8.5/x86_64-linux/perllocal.pod
/usr/bin/razor-client
make: /usr/bin/razor-client: Command not found
make: *** [install_razor_agents] Error 127
!!! ERROR: mail-filter/razor-2.71 failed.
!!! Function perl-module_src_install, Line 132, Exitcode 2
!!! (no error message)
!!! If you need support, post the topmost build error, NOT this status message.
*** Bug 96293 has been marked as a duplicate of this bug. ***
> Not sure this is widely public, so calling arch liaisons to test and mark stable.
Yep, not widely public.
(In reply to comment #6)
> Can't even merge it on amd64:
>
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agents.5
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agent.conf.5
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-whitelist.5
> Installing /var/tmp/portage/razor-2.71/image/usr/bin/razor-client
> Writing
>
/var/tmp/portage/razor-2.71/image//usr/lib/perl5/vendor_perl/5.8.5/x86_64-linux/auto/razor-agents/.packlist
> Appending installation info to
> /var/tmp/portage/razor-2.71/image//usr/lib/perl5/5.8.5/x86_64-linux/perllocal.pod
> /usr/bin/razor-client
> make: /usr/bin/razor-client: Command not found
> make: *** [install_razor_agents] Error 127
>
> !!! ERROR: mail-filter/razor-2.71 failed.
> !!! Function perl-module_src_install, Line 132, Exitcode 2
> !!! (no error message)
> !!! If you need support, post the topmost build error, NOT this status message.
2.71 was released to address this issue in 2.70, but seems not to have fixed
every case. Can you provide the full build log especially including the line
'perl Makefile.PL ...'? In Makefile.PL we do
$(DESTDIR)$(INSTALLSCRIPT)/razor-client to build the symlinks, but this method
is likely to be changed soon seeing as how it's causing problems.
(In reply to comment #6)
> Can't even merge it on amd64:
>
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agents.5
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agent.conf.5
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-whitelist.5
> Installing /var/tmp/portage/razor-2.71/image/usr/bin/razor-client
> Writing
>
/var/tmp/portage/razor-2.71/image//usr/lib/perl5/vendor_perl/5.8.5/x86_64-linux/auto/razor-agents/.packlist
> Appending installation info to
> /var/tmp/portage/razor-2.71/image//usr/lib/perl5/5.8.5/x86_64-linux/perllocal.pod
> /usr/bin/razor-client
> make: /usr/bin/razor-client: Command not found
> make: *** [install_razor_agents] Error 127
>
> !!! ERROR: mail-filter/razor-2.71 failed.
> !!! Function perl-module_src_install, Line 132, Exitcode 2
> !!! (no error message)
> !!! If you need support, post the topmost build error, NOT this status message.
2.71 was released to address this issue in 2.70, but seems not to have fixed
every case. Can you provide the full build log especially including the line
'perl Makefile.PL ...'? In Makefile.PL we do
$(DESTDIR)$(INSTALLSCRIPT)/razor-client to build the symlinks, but this method
is likely to be changed soon seeing as how it's causing problems.
Same issue on ppc.
A full log will follow shortly
(In reply to comment #14)
> Created an attachment (id=61345) [edit] [details]
> full emerge log
>
> I hope it helps
Almost :) It doesn't show the 'perl Makefile.PL' command, which is right at the
source of the bug. I'm trying to find some hardware here that I can build up
all the perl packages on to try this, but I think we're just going to release a
2.72 with this issue fixed for good.
Damn, sorry about that, this error only occurs if you didn't have razor
installed earlier (obviously), and I didn't unmerge then remerge when testing
because I was in a bit of a hurry to get it bumped for this bug. I'll bump to
2.72 as soon as it's ready.
(In reply to comment #16)
> Damn, sorry about that, this error only occurs if you didn't have razor
> installed earlier (obviously), and I didn't unmerge then remerge when testing
> because I was in a bit of a hurry to get it bumped for this bug. I'll bump to
> 2.72 as soon as it's ready.
No worries, thanks for passing along the information.
(In reply to comment #16)
> Damn, sorry about that, this error only occurs if you didn't have razor
> installed earlier (obviously), and I didn't unmerge then remerge when testing
> because I was in a bit of a hurry to get it bumped for this bug. I'll bump to
> 2.72 as soon as it's ready.
2.72 is now released to sourceforge; we ripped out the symlinks and custom
Makefile stuff that's been causing problems for package maintainers everywhere.
No user-visible changes to this release; I'll keep watch on this bug to see how
it goes.
(In reply to comment #18)
> 2.72 is now released to sourceforge; we ripped out the symlinks and custom
> Makefile stuff that's been causing problems for package maintainers everywhere.
> No user-visible changes to this release; I'll keep watch on this bug to see how
> it goes.
I've added the new ebuild to CVS.
Back to arches stableization
Bug #96293 was in fact not a dupe but apparently contains another issue:
---
Vipul has released razor-agents 2.71 to address two critical issues in all
prior razor-agents. One of these issues addresses a bug in the discovery
logic, where a razor-agent that cannot reach the discover server may go into
an infinite loop until discover is available, slowly leaking memory and
eventually crashing the system.
---
I guess the other is the Content-Type bug similar to SA.
Cannot find any upstream reference to this issue and didn't realize that
Richard was a Razor dev (Sorry Richard). I'll draft the GLSA a few hours.
The security implications of the discovery bug seems questionable and the DoS
issue is rather limited, holding off GLSA for now.
[18:15:21] <taviso> $ time razor-check viagra.txt
[18:15:21] <taviso> real 0m1.331s
[18:15:27] <taviso> $ time razor-check viagra2.txt
[18:15:28] <taviso> real 0m13.325s
