
Bug 26780

Summary: net-mail/qmail-autoresponder
Product: Gentoo Linux
Reporter: Daniel Ahlberg (RETIRED) <aliz>
Component: New packages
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: net-mail+disabled, rajiv
Priority: Highest
Version: 1.0
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-17 00:42:40 UTC
-------------------------------------------------------------------------- 
Debian Security Advisory DSA 373-1                     security@debian.org 
http://www.debian.org/security/                             Matt Zimmerman 
August 16th, 2003                       http://www.debian.org/security/faq 
-------------------------------------------------------------------------- 
 
Package        : autorespond 
Vulnerability  : buffer overflow 
Problem-Type   : remote 
Debian-specific: no 
CVE Ids        : CAN-2003-0654 
 
Christian Jaeger discovered a buffer overflow in autorespond, an email 
autoresponder used with qmail.  This vulnerability could potentially 
be exploited by a remote attacker to gain the privileges of a user who 
has configured qmail to forward messages to autorespond.  This 
vulnerability is currently not believed to be exploitable due to 
incidental limits on the length of the problematic input, but there 
may be situations in which these limits do not apply.
Comment 1 solar (RETIRED) gentoo-dev 2003-09-22 01:03:21 UTC
http://www.debian.org/security/2003/dsa-373

net-mail/qmail-autoresponder-0.96.1 is currently what's in portage.
The CVE contained no version info, so tracking this down (what's vuln and what's not) is a little pain in the rear.

Best I can tell is the version we have in portage is really old. (Is there a reason for this?) 

http://www.debian.org/security/2003/dsa-373 has patches for 2.02 of the autoresponder.
Comment 2 solar (RETIRED) gentoo-dev 2003-09-24 11:32:04 UTC
OK, as we can't seem to get a response from anybody from net-mail on this, I'm going to have to package.mask everything below <2.02.
Comment 3 solar (RETIRED) gentoo-dev 2003-09-24 11:35:36 UTC
Now masked in package.mask revision 1.2421.
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-09-25 00:43:05 UTC
I did a little research and found that autorespond != qmail-autoresponder.

qmail-autoresponder is at http://untroubled.org/qmail-autoresponder/

autorespond is at <http://www.netmeridian.com/e-huss/autorespond.tar.gz> and was
modified by Debian. Their modified source is linked to from the original advisory at
<http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00175.html>

Removed qmail-autoresponder from package.mask rev 1.2422.


FYI, we do not have, and do not need, an ebuild for autorespond. I believe that
qmail-autoresponder is more robust and better maintained.


Comment 5 solar (RETIRED) gentoo-dev 2003-09-26 01:22:18 UTC
Thanks, Rajiv.