In util.c
Ferdy please provide an updated ebuild.
nbsmtp-1.00 (which fixes the problem) added with keywords: alpha ~amd64 ~hppa ~ppc ~sparc x86 Cheers, Ferdy
Arches please test and mark stable.
ppc stable
sparc stable.
On further investigation, I am not sure this is a vulnerability at all. This is an SMTP client, not a daemon, so the attack is local and may be used to elevate privileges to... yourself?
mmmm nope. A malicious server 'might' inject code; I had a: syslog(something,string_from_server); where I should have: syslog(something,"%s",string_from_server); HTH Cheers, Ferdy
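The fix described in the comment above, as an added example that is not nbsmtp's own code: server text is passed only as an argument to a constant "%s" format, and a logging wrapper carries the printf format attribute so gcc/clang flag non-literal formats at compile time. The names render_log, count_conversions and log_server_reply and the sample reply are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical helper: renders a line as a printf-style logger would, into a
 * buffer so the result can be inspected. The format attribute makes gcc/clang
 * check every call site (-Wformat -Wformat-security). */
__attribute__((format(printf, 3, 4)))
static int render_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Counts printf conversion specifiers in untrusted text ("%%" is a literal).
 * Useful for flagging suspicious server replies in logs or tests. */
static int count_conversions(const char *s)
{
    int hits = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        hits++;
    }
    return hits;
}

/* Fixed pattern: server text is only ever an argument, never the format. */
static int log_server_reply(char *out, size_t n, const char *reply)
{
    /* The vulnerable form would be: render_log(out, n, reply); */
    int len = render_log(out, n, "%s", reply);
    syslog(LOG_INFO, "%s", reply);
    return len;
}

int main(void)
{
    const char *reply = "250 ok %x%x%n"; /* constructed sample reply */
    char line[128];
    log_server_reply(line, sizeof line, reply);
    printf("%d specifier(s), logged as: %s\n", count_conversions(reply), line);
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler warn on any call that passes a non-literal string as the format with no arguments.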
Thanks for the details. Rerating B2. I'll ask for a CAN number to MITRE.
This is still missing the hppa keyword.
Stable on hppa
Ready for GLSA, waiting a little for the CAN number to be attributed.
Enough waiting, we'll add the CAN afterwards when it is attributed.
GLSA 200508-03