Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 358085 (CVE-2011-0411)

Summary: <mail-mta/postfix-2.7.3: SMTP commands injection during plaintext to TLS session switch (CVE-2011-0411)
Product: Gentoo Security Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: jaak, net-mail+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.postfix.org/announcements/postfix-2.7.3.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-09 16:26:27 UTC
It was found, that Postfix, a Mail Transport Agent (MTA), recognized
SMTP commands during plaintex to TLS session switch (by TLS protocol
initialization). A remote attacker could use this flaw to insert
plaintext SMTP protocol commands into TLS protocol initialization
messages, leading to SMTP commands execution during the ciphertext
protocol phase, allowing the attacker to steal user credentials
and conduct man-in-the-middle (MITM) attacks.

http://www.postfix.org/announcements/postfix-2.7.3.html
Comment 1 Tim Harder gentoo-dev 2011-03-09 20:40:18 UTC
I'll bump 2.7.3 but I'd rather drop the 2.6.* series from the tree unless someone has a good reason not to.
Comment 2 Eray Aslan gentoo-dev 2011-03-10 03:27:07 UTC
Just get the non-vulnerable versions in the tree quickly and have them stabilized.  Currently, the stable version is vulnerable which is something we should try to avoid.

Go with whatever you are comfortable with regarding the number of past versions you want to keep.
Comment 3 Tim Harder gentoo-dev 2011-03-10 03:43:40 UTC
2.7.3 is now in CVS and 2.6.* have been removed from the tree.
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-10 07:59:52 UTC
Thank you. Arches, please test and stabilize =mail-mta/postfix-2.7.3
Comment 5 Agostino Sarubbo gentoo-dev 2011-03-10 10:02:09 UTC
x86/amd64 ok
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-10 18:50:03 UTC
Stable for HPPA.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-03-10 19:58:26 UTC
amd64 done. Thanks Agostino
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2011-03-12 13:59:06 UTC
Stable on alpha.
Comment 9 Alex Buell 2011-03-12 19:27:42 UTC
Tested on SPARC, seems t0 work fine as long as you don't use gentoo-sources-2.6.37. Tested by sending emails between two accounts.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-13 09:31:17 UTC
x86 stable, thanks Agostino
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-13 11:27:57 UTC
ppc/ppc64 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-03-18 18:10:03 UTC
arm/ia64/s390/sh/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 22:43:58 UTC
Thanks, folks. GLSA vote: yes.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-13 10:38:55 UTC
GLSA vote: YES. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:33:22 UTC
CVE-2011-0411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0411):
  The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before
  2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly
  restrict I/O buffering, which allows man-in-the-middle attackers to insert
  commands into encrypted SMTP sessions by sending a cleartext command that is
  processed after TLS is in place, related to a "plaintext command injection"
  attack.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:15:34 UTC
Vote: YES. Added to pending GLSA request.
Comment 17 Jaak Ristioja 2012-05-23 07:13:58 UTC
<mail-mta/postfix-2.7.3 no longer in tree.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-06-25 19:11:24 UTC
This issue was resolved and addressed in
 GLSA 201206-33 at http://security.gentoo.org/glsa/glsa-201206-33.xml
by GLSA coordinator Stefan Behte (craig).