Bug 26780 - net-mail/qmail-autoresponder
Summary: net-mail/qmail-autoresponder
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Highest normal
Assignee: Gentoo Security
Reported: 2003-08-17 00:42 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-09-26 01:22 UTC
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-17 00:42:40 UTC
-------------------------------------------------------------------------- 
Debian Security Advisory DSA 373-1                     security@debian.org 
http://www.debian.org/security/                             Matt Zimmerman 
August 16th, 2003                       http://www.debian.org/security/faq 
-------------------------------------------------------------------------- 
 
Package        : autorespond 
Vulnerability  : buffer overflow 
Problem-Type   : remote 
Debian-specific: no 
CVE Ids        : CAN-2003-0654 
 
Christian Jaeger discovered a buffer overflow in autorespond, an email 
autoresponder used with qmail.  This vulnerability could potentially 
be exploited by a remote attacker to gain the privileges of a user who 
has configured qmail to forward messages to autorespond.  This 
vulnerability is currently not believed to be exploitable due to 
incidental limits on the length of the problematic input, but there 
may be situations in which these limits do not apply.
Comment 1 solar (RETIRED) gentoo-dev 2003-09-22 01:03:21 UTC
http://www.debian.org/security/2003/dsa-373

net-mail/qmail-autoresponder-0.96.1 is currently what's in portage.
The CVE contained no version info so tracking this down (what's vuln and what's not) is a little pain in the rear.

Best I can tell is the version we have in portage is really old. (Is there a reason for this?) 

http://www.debian.org/security/2003/dsa-373 has patches for 2.02 of the autoresponder.
Comment 2 solar (RETIRED) gentoo-dev 2003-09-24 11:32:04 UTC
ok, as we can't seem to get a response from anybody from net-mail on this, I'm going to have to package.mask everything below <2.02
Comment 3 solar (RETIRED) gentoo-dev 2003-09-24 11:35:36 UTC
now masked in package.mask revision 1.2421
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-09-25 00:43:05 UTC
i did a little research and found that autorespond != qmail-autoresponder

qmail-autoresponder is at http://untroubled.org/qmail-autoresponder/

autorespond is at <http://www.netmeridian.com/e-huss/autorespond.tar.gz> and was modified by debian. their modified source is linked to from the original advisory at
<http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00175.html>

removed qmail-autoresponder from package.mask rev 1.2422


fyi we do not have, and do not need an ebuild for autorespond. i believe that
qmail-autoresponder is more robust and better maintained.


Comment 5 solar (RETIRED) gentoo-dev 2003-09-26 01:22:18 UTC
thanks rajiv