
Bug 310049 (CVE-2010-1132)

Summary: <mail-filter/spamass-milter-0.3.1-r4: Remote Root Attack (CVE-2010-1132)
Product: Gentoo Security
Reporter: Andreis Vinogradovs ( slepnoga ) <andreis.vinogradovs>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: net-mail+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://isc.sans.org/diary.html?storyid=8434
Whiteboard: B1 [noglsa]
Package list:
Runtime testing required: ---
Attachments (description, flags):
spamass-milter-0.3.1-r3.ebuild diff (flags: none)
patch from http://savannah.nongnu.org/bugs/index.php?29136 (flags: none)

Description Andreis Vinogradovs ( slepnoga ) 2010-03-18 11:29:44 UTC
SpamAssassin Milter Plugin 'mlfi_envrcpt()' Remote Arbitrary Command Injection Vulnerability
Upstream released patch http://savannah.nongnu.org/bugs/index.php?29136
Comment 1 Andrey Korolyov 2010-03-18 14:49:54 UTC
Created attachment 224125 [details, diff]
spamass-milter-0.3.1-r3.ebuild diff
Comment 2 Andrey Korolyov 2010-03-18 14:50:54 UTC
Created attachment 224127 [details, diff]
patch from http://savannah.nongnu.org/bugs/index.php?29136
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 16:02:08 UTC
net-mail: Please prepare an updated ebuild.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:46:56 UTC
CVE-2010-1132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1132):
  The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin
  Milter Plugin 0.3.1, when using the expand option, allows remote
  attackers to execute arbitrary system commands via shell
  metacharacters in the RCPT TO field of an email message.

Comment 5 Eray Aslan gentoo-dev 2011-06-08 12:25:47 UTC
+*spamass-milter-0.3.1-r4 (08 Jun 2011)
+
+  08 Jun 2011; Eray Aslan <eras@gentoo.org> +spamass-milter-0.3.1-r4.ebuild,
+  +files/spamass-milter-auth_users.patch, +files/spamass-milter-header.patch,
+  +files/spamass-milter-popen.patch:
+  Security bump - bug #310049. Don't spam check authenticated users - bug
+  #265621. Fix received headers - bug #264304
+
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-06-08 14:47:38 UTC
Great, thanks, Eray.

Arches, please test and mark stable:
=mail-filter/spamass-milter-0.3.1-r4
Target keywords : "sparc x86"
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-09 10:25:33 UTC
x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2011-06-12 11:48:32 UTC
sparc keyword dropped
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:27:18 UTC
Thanks, everyone. GLSA request filed.
Comment 10 Blu3 2011-07-06 17:36:17 UTC
please update the popen patch to fix the waitpid issue.  current patch with -x quickly causes many thousands of zombies.

ref: comment #10 at http://savannah.nongnu.org/bugs/index.php?29136
Comment 11 Blu3 2011-07-06 18:31:51 UTC
for those who wish to edit the patch in place rather than remake a new one or wait for an updated ebuild, append "pid" to the following line numbers as shown:

#35   char *popen_argv[3]; pid_t pid;
#64   p = popenv(popen_argv, "w", &pid);
#74   fclose(p); p = NULL; waitpid(pid, NULL, 0);
#102  char *popen_argv[4]; pid_t pid;
#122  p = popenv(popen_argv, "r", &pid);
#135  fclose(p); p = NULL; waitpid(pid, NULL, 0);
#157  FILE *popenv(char *const argv[], const char *type, pid_t *pid)
#169  switch (*pid = fork())
#231  FILE *popenv(char *const argv[], const char *type, pid_t *pid);

rebuild your digest,

ebuild spamass-milter-0.3.1-r4.ebuild digest

emerge the package again
Comment 12 Eray Aslan gentoo-dev 2011-07-09 12:08:29 UTC
(In reply to comment #10)
> please update the popen patch to fix the waitpid issue.

Fixed in spamass-milter-0.3.1-r5.  Please open a separate bug next time.
Comment 13 Andreis Vinogradovs ( slepnoga ) 2013-01-06 17:27:49 UTC
Any changes here?
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-03 12:02:37 UTC
Fixed 4 years ago. Really long time.