Bug 223157 - mail-filter/spamdyke <3.1.8 spamdyke "smtp_filter()" DATA Command Relay Vulnerability (CVE-2008-2784)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30408/
Whiteboard: ~3 [noglsa]
Reported: 2008-05-22 03:43 UTC by toto
Modified: 2008-06-19 23:22 UTC
Description toto 2008-05-22 03:43:50 UTC
VERSION 3.1.8 -- 5/21/2008
  Fixed smtp_filter() to reject the DATA command if no valid recipients have
    been specified.  Otherwise, a specific scenario could result in every
    spamdyke installation being used as an open relay.  If the remote server
    connects and gives one or more recipients that are rejected (for relaying or
    blacklisting), then gives the DATA command, spamdyke will ignore all other
    commands, assuming that message data is being transmitted.  However, because
    all of the recipients were rejected, qmail will reject the DATA command.
    From that point on, the remote server can give as many recipients as it
    likes and spamdyke will ignore them all -- they will not be filtered at all.
    After that, the remote server can give the DATA command and send the actual
    message data.  Because spamdyke is controlling relaying, the RELAYCLIENT
    environment variable is set and qmail won't check for relaying either.
    Thanks to Mirko Buffoni for reporting this one.
  Fixed compiling with gcc 3.4.6 (on old Gentoo installations), which requires
    a "-Wp,-Wno-trampolines" flag to suppress a warning about trampoline
    functions.  Thanks to Thorsten Puzich for reporting and helping me fix this
    one.
  Fixed compiling on CentOS 3.8, which installs the krb5.h in
    /usr/kerberos/include instead of /usr/include.  Thanks to Bruce Schreiber
    for reporting this one.
  Changed middleman() to reset the idle timeout timer while waiting for qmail's
    responses.  It's not fair to disconnect a remote server because qmail is
    running slow.  The connection timeout timer is always enforced, however.
  Fixed a bug in middleman() to reset the idle timeout timer every time data is
    read from the remote server.  Previously, the timer was only reset when data
    was read and the buffer was empty.  This was causing large messages from
    fast remote servers to timeout during delivery.  Thanks to Eric Shubert for
    reporting and helping me fix this one.


thx =]

Reproducible: Always
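
The state mismatch described in the changelog above, as an added example that is not spamdyke's code or part of the original report: a simplified model of the filter and the qmail backend, replayed over a constructed session with and without the 3.1.8 check. The names `rcpt_allowed` and `unfiltered_rcpts`, the `check_data` switch and the `.example` addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical filter policy: only the local domain is an acceptable recipient. */
static int rcpt_allowed(const char *l) { return strstr(l, "@local.example>") != NULL; }

/* Replays one SMTP session through a model of the filter and the backend.
 * Returns how many recipients the backend accepted without a filter check.
 * check_data = 0 models the behaviour before 3.1.8, 1 models the fix. */
int unfiltered_rcpts(const char *const *lines, size_t n, int check_data) {
    int filter_in_data = 0;  /* filter believes message data is flowing */
    int backend_in_data = 0; /* backend is really reading message data */
    int filter_valid = 0, backend_rcpts = 0, unfiltered = 0;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        int is_rcpt = strncmp(l, "RCPT TO:", 8) == 0;
        int is_data = strcmp(l, "DATA") == 0;
        if (!filter_in_data && is_rcpt) {
            if (!rcpt_allowed(l)) continue;  /* rejected, never forwarded */
            filter_valid++;
        } else if (!filter_in_data && is_data) {
            if (check_data && filter_valid == 0) continue; /* the fix: refuse DATA */
            filter_in_data = 1;              /* stop inspecting from here on */
        }
        /* The line reaches the backend; RELAYCLIENT is set, so any RCPT is accepted. */
        if (backend_in_data) {
            if (strcmp(l, ".") == 0)         /* end of message: both sides reset */
                backend_in_data = filter_in_data = filter_valid = backend_rcpts = 0;
        } else if (is_rcpt) {
            backend_rcpts++;
            if (filter_in_data) unfiltered++; /* accepted but never filtered */
        } else if (is_data && backend_rcpts > 0) {
            backend_in_data = 1;             /* with no recipients DATA is refused */
        }
    }
    return unfiltered;
}

/* Constructed session: one rejected recipient, DATA, then further recipients. */
static const char *const SESSION[] = {
    "MAIL FROM:<a@remote.example>", "RCPT TO:<x@other.example>", "DATA",
    "RCPT TO:<y@other.example>", "RCPT TO:<z@other.example>", "DATA", "body", ".",
};
#define SESSION_LEN (sizeof SESSION / sizeof SESSION[0])

int main(void) {
    printf("before fix: %d unfiltered, after fix: %d unfiltered\n",
           unfiltered_rcpts(SESSION, SESSION_LEN, 0), unfiltered_rcpts(SESSION, SESSION_LEN, 1));
    return 0;
}
```

In the model the filter and the backend only disagree about being in the data phase when DATA is let through with zero valid recipients, which is the condition the 3.1.8 change closes.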
Comment 1 Tupone Alfredo gentoo-dev 2008-05-23 07:47:53 UTC
Version bumped, now in portage. Thanks.
Comment 2 toto 2008-05-24 13:08:30 UTC
Hi Tupone,
Can you always put the x86 keyword for this package? I already wrote bug #222829 about it =]
Thx.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-06-08 23:15:59 UTC
Secunia writes:

A vulnerability has been reported in spamdyke, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to "smtp_filter()" not properly restricting the DATA command if no valid recipient was specified. This can be exploited to e.g. abuse a spamdyke installation as open mail relay by sending a certain sequence of recipient data and DATA commands.

The vulnerability is reported in versions prior to 3.1.8.

Solution:
Update to version 3.1.8.

Provided and/or discovered by:
The vendor credits Mirko Buffoni.


Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-06-08 23:17:04 UTC
Right now this ebuild is already bumped, but we have a keyword regression.

x86 team, please ~x86:
=mail-filter/spamdyke-3.1.8

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-09 09:11:38 UTC
24 May 2008; Tupone Alfredo <tupone@gentoo.org> spamdyke-3.1.8.ebuild:
  Adding again ~x86
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-09 12:56:08 UTC
closing without GLSA, since it is not marked stable for any arch