Bug 47918 - net-mail/ssmtp : Format String Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Highest blocker
Assignee: Gentoo Security
URL: http://secunia.com/advisories/11378/
Whiteboard:
Keywords:
Depends on: 48435
Blocks:
Reported: 2004-04-15 05:40 UTC by schaedpq
Modified: 2004-04-27 03:10 UTC
Description schaedpq 2004-04-15 05:40:58 UTC
Two vulnerabilities in ssmtp were discovered, which allow compromising a vulnerable system, resulting in server crash or execution of arbitrary code. Rated by Secunia in their advisory as "highly critical", "system access from remote".


Reproducible: Didn't try

The advisory Secunia issued today can be found here:
http://secunia.com/advisories/11378/

CVE reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0156

The vulnerabilities are caused by 2 format string errors in the functions die()
and log_event().

Secunia says one should use a different product until the bugs have been fixed;
there seems to be no workaround or patched version so far.
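
The bug class named in the report above, shown as an added example (this is not ssmtp's code and not part of the original report): a message that embeds text from a mail server is handed to a printf-style logger as the format string, next to the corrected call with a constant format. The names `log_line`, `report_unsafe`, `report_safe` and the sample reply are hypothetical and constructed for illustration.

```c
/* Added illustration; not ssmtp source. All names here are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 256
static char sink[BUF_SZ];          /* stands in for the syslog()/stderr output */

/* printf-style logger, shaped like any syslog() wrapper */
static void log_line(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(sink, sizeof sink, format, ap);
    va_end(ap);
}

/* Flawed: the formatted message, which embeds peer text, becomes a format. */
const char *report_unsafe(const char *peer_text)
{
    char buf[BUF_SZ];
    snprintf(buf, sizeof buf, "server said: %s", peer_text);
    log_line(buf);                 /* second round of format interpretation */
    return sink;
}

/* Fixed: constant format, the message is passed only as data. */
const char *report_safe(const char *peer_text)
{
    char buf[BUF_SZ];
    snprintf(buf, sizeof buf, "server said: %s", peer_text);
    log_line("%s", buf);
    return sink;
}

/* Constructed sample reply. "%%" consumes no argument, so the flawed path
   stays well-defined while still showing that the text is reinterpreted. */
static const char SAMPLE_REPLY[] = "550 mailbox 100%% full";

int main(void)
{
    printf("unsafe: %s\n", report_unsafe(SAMPLE_REPLY));
    printf("safe:   %s\n", report_safe(SAMPLE_REPLY));
    return 0;
}
```

Declaring `log_line` with GCC/Clang's `__attribute__((format(printf, 1, 2)))` and building with `-Wformat -Wformat-security` makes the compiler flag the `log_line(buf)` call.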
Comment 1 schaedpq 2004-04-15 07:32:26 UTC
I just received the Debian advisory about this issue:
http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00084.html
http://www.debian.org/security/2004/dsa-485

They seem to have fixed the problems in 2.50.6.1 (stable, woody), http://security.debian.org/pool/updates/main/s/ssmtp/ssmtp_2.50.6.1.tar.gz
The changelog says:

ssmtp (2.50.6.1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Fix two format string vulnerabilities (die() and log_event())
    discovered by Max Vozeler <max@hinterhof.net> (CAN-2004-0156)

 -- Matt Zimmerman <mdz@debian.org>  Mon, 12 Apr 2004 09:21:54 -0700

The advisory states the update for 2.60.6 (Debian unstable, sid) will come soon (I expect 2.60.6.1). The newest in portage is 2.60.4, the current stable on 2.48.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-04-15 07:58:18 UTC
Waiting for upstream 2.60.6.1.
Please note that the exploit requires that you forward mail to an untrusted server.
Comment 3 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-15 11:45:19 UTC
I can take this one if nobody else wants it.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-04-19 02:06:50 UTC
2.60.7 is available upstream:
http://packages.qa.debian.org/s/ssmtp.html

net-mail people, can we have a bump to this one?

CondorDes: this one is all yours :)

Thanks in advance,
-K
Comment 5 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-19 11:47:21 UTC
There was an email on Bugtraq today about an insecure file creation: http://www.securityfocus.com/archive/1/360626/2004-04-16/2004-04-22/0

Having reviewed the source, it looks like 2.60.7 is vulnerable to this.  Should we wait to bump?
Comment 6 solar (RETIRED) gentoo-dev 2004-04-22 14:38:27 UTC
This is a fairly serious flaw.

security@g.o should not have to wait any longer.. If patches are ready
and net-mail@g.o is taking too long (>=48 hrs) and a CAN-XXXX-XXX exists
then we should add the patches in without having to wait on them.
Comment 7 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-22 15:31:49 UTC
This really should be a P1/blocker, not a P2/major, since it has the potential of being a remote-root.

net-mail -- Please wake up.  I don't want to step on your turf, but if I don't hear from you on this in 6 hours or so, we're going to start looking into pushing this one ourselves.

solar -- I think we're also waiting on a fix for bug 48435.  However, someone should check to see if that actually affects us.
Comment 8 solar (RETIRED) gentoo-dev 2004-04-22 23:52:46 UTC
Bug 48435 does not affect us or seemingly anybody for that matter.  That
support is just flat out broke. I'll still put a patch together however
to fix it, probably default the LOGFILE to /dev/stdout unless one is
passed in the form of CFLAGS="-DLOGFILE_FILENAME=blah" when I bump this
pkg.
Comment 9 solar (RETIRED) gentoo-dev 2004-04-23 00:08:49 UTC
In portage as ssmtp-2.60.7.ebuild please test.
KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~mips ~amd64 ~ia64 ~ppc64 ~s390"
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-04-23 05:57:39 UTC
Stable on alpha.
Comment 11 Luca Barbato gentoo-dev 2004-04-23 20:06:58 UTC
Stable on ppc
Comment 12 Jason Wever (RETIRED) gentoo-dev 2004-04-24 07:13:09 UTC
Stable on sparc.
Comment 13 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-24 12:18:24 UTC
Draft GLSA submitted with temporary id c31342a3b17660a2a671ba94782fe1fe.

security@ -- reviews please?  Thanks.
Comment 14 Joshua Kinard gentoo-dev 2004-04-25 01:53:43 UTC
Marked stable on mips.
Comment 15 solar (RETIRED) gentoo-dev 2004-04-25 14:00:12 UTC
Current keywords..
KEYWORDS="~x86 ppc sparc alpha ~hppa mips amd64 ~ia64 ~ppc64 ~s390"

Removing arch-maintainers and adding specific arches.

Remaining arch maintainers please test and mark stable so 
we can get this one out the door. -thanks
Comment 16 Brandon Hale (RETIRED) gentoo-dev 2004-04-25 15:14:41 UTC
Stable on x86.
Comment 17 Michael McCabe (RETIRED) gentoo-dev 2004-04-25 18:03:40 UTC
Marked stable on s390
Comment 18 Aron Griffis (RETIRED) gentoo-dev 2004-04-25 18:23:58 UTC
stable on alpha and ia64
Comment 19 Tom Gall (RETIRED) gentoo-dev 2004-04-25 19:20:27 UTC
stable on ppc64
Comment 20 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-26 13:03:45 UTC
This is ready for a GLSA.  We have one drafted ... klieber and Koon reviewed it, but it got changed after klieber reviewed it, so one more person needs to look at it.
Comment 21 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-26 15:56:02 UTC
GLSA 200404-18.
Comment 22 Guy Martin (RETIRED) gentoo-dev 2004-04-27 03:10:43 UTC
Stable on hppa, thanks vapier.