Bug 167644 - mail-filter/dcc < 1.3.51 Unspecified Manipulation of Data (CVE-2007-1047)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24176/
Whiteboard: B4 [noglsa] Executioner
Keywords:
Duplicates: 171150
Depends on:
Blocks:
 
Reported: 2007-02-19 17:27 UTC by Executioner
Modified: 2007-04-23 15:31 UTC

Description Executioner 2007-02-19 17:27:38 UTC
A vulnerability has been reported in DCC, which can potentially be exploited by malicious people to manipulate data.

The vulnerability is caused due to an unspecified error and can be exploited to delete or add hosts to "/var/dcc/maps".

Solution:
Update to version 1.3.51.

Reproducible: Didn't try




http://www.rhyolite.com/anti-spam/dcc/CHANGES
http://secunia.com/advisories/24176/
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-03-16 11:08:09 UTC
*** Bug 171150 has been marked as a duplicate of this bug. ***
Comment 2 Andrej Kacian (RETIRED) gentoo-dev 2007-03-25 17:09:21 UTC
I tried a trivial bump to latest dcc-1.3.55, but it installs a new binary - /usr/bin/dns-helper, which conflicts with the one installed by gnome-libs (I think). I'll have a closer look at this later today.
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2007-04-08 20:16:34 UTC
dcc-1.3.55 has just been added to the tree. Looks like other distros don't install the dns-helper binary, and dcc seems to work without it...
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 09:55:54 UTC
Thx Andrej.

Arches please test and mark stable. Target keywords are:

dcc-1.3.55.ebuild:KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86"

Changelog snippet from 1.3.51:

Close hole that allowed deleting or adding hosts in /var/dcc/maps.
Comment 5 Peter Weller (RETIRED) gentoo-dev 2007-04-11 13:00:07 UTC
amd64 done
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-04-11 14:10:13 UTC
ppc64 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-11 15:33:43 UTC
sparc stable.
ppc64: you actually didn't stable anything (see the ChangeLog).
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-04-11 15:40:22 UTC
whoops.. thanks! good catch! ppc64 now really stable.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-11 19:46:14 UTC
ppc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-04-12 08:37:03 UTC
Stable for HPPA.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-04-12 10:27:04 UTC
x86 stable
Comment 12 Fernando J. Pereda (RETIRED) gentoo-dev 2007-04-13 15:13:28 UTC
Alpha done.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-13 15:59:12 UTC
This one is ready for GLSA vote. I vote NO.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-23 15:31:15 UTC
voting no too

closing with two votes against a GLSA