
Bug 36886

Summary: Patch for MIME-tools
Product: Gentoo Security
Reporter: Brett Simpson <simpsonb>
Component: Vulnerabilities
Assignee: Gentoo Perl team <perl>
Status: VERIFIED LATER
Severity: critical
CC: dfs, mcummings, perl, rac
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.mimedefang.org
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 27861    
Attachments:
Description Flags
patch-roaring-pengiun none
patch-roaring-pengiun none

Description Brett Simpson 2003-12-31 06:35:30 UTC
This patch will correct MIME security problems as referenced here http://www.securityfocus.com/archive/1/291514.
Comment 1 Brett Simpson 2003-12-31 06:37:45 UTC
Created attachment 22911 [details, diff]
patch-roaring-pengiun

--- /usr/portage/dev-perl/MIME-tools/MIME-tools-5.411a-r2.ebuild       
2003-06-21 17:36:36.000000000 -0400
+++ /usr/local/portage/dev-perl/MIME-tools/MIME-tools-5.411a-r4.ebuild 
2003-12-31 09:25:18.000000000 -0500
@@ -24,3 +24,10 @@
	dev-perl/HTML-Tagset
	dev-perl/HTML-Parser
	dev-perl/MailTools"
+
+	src_unpack() {
+	unpack ${A} || die
+	cd ${S}
+	epatch ${FILESDIR}/patch-roaring-pengiun
+	}
+
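Review bot: in the added src_unpack(), `cd ${S}` is unchecked and unquoted, so a failed directory change would leave epatch running from the wrong place; suggest `cd "${S}" || die` and quoting `"${FILESDIR}/patch-roaring-pengiun"` as well. The hunk only wires the patch in: the file patch-roaring-pengiun is not part of this diff, so the MIME-tools change it carries has to be reviewed from the attachment, and nothing in the added lines says which issue it addresses; a one-line comment above epatch pointing at the advisory would help. epatch comes from the eutils eclass and the inherit line is outside the visible context, so confirm it is present. The function header is indented one tab with the body at the same level; put the header at column zero and indent the body under it.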
Comment 2 solar (RETIRED) gentoo-dev 2004-01-07 16:41:10 UTC
This is a dirty patch! I do not like it as is.
Reason: indentation seems to be changed for no good reason.

dev-perl team please review or keep us posted on when an upstream version is available.
Comment 3 Brett Simpson 2004-01-08 12:05:43 UTC
Created attachment 23406 [details, diff]
patch-roaring-pengiun

Sorry for submitting a dirty patch. I have cleaned it up, did an emerge test,
and tested it against MimeDefang.
Comment 4 solar (RETIRED) gentoo-dev 2004-01-08 12:53:11 UTC
Brett,
Thank you. 
I'll try to round up one of our perl devs and get them to comment/review/merge.
Comment 5 Robert Coie (RETIRED) gentoo-dev 2004-01-08 13:48:39 UTC
This is a pretty large patch, and I can't be certain that it won't cause problems
for other uses of MIME-tools.  From looking at the securityfocus link, it may
be the case that when MIME-tools is used for virus scanning purposes, some spliced
up virus might evade the scanner and affect other computers later. I don't see a
situation where the security of the Gentoo machine is affected in any way, so I
wouldn't consider this a Gentoo security bug.  I would prefer to wait until these
patches are adopted upstream before applying them in Gentoo.
Comment 6 Robert Coie (RETIRED) gentoo-dev 2004-01-08 13:49:20 UTC
Marking LATER until decision made upstream.
Comment 7 Brett Simpson 2004-01-08 13:59:41 UTC
The security bug is when a malformed MIME attachment that only Outlook understands is sent via an email. When Mimedefang or other programs try to look at the attachment with MIME-tools it comes back as malformed and passes it on. When Outlook opens the email it processes the attachment. In this case the attachment could be a virus.
Comment 8 Michael Cummings (RETIRED) gentoo-dev 2004-01-08 14:06:39 UTC
Why hasn't this been reported on rt.cpan.org?
Comment 9 David F. Skoll 2004-01-08 18:13:55 UTC
I am the author of the patch.  It's designed to make MIME-tools cope more "sensibly" with common types of malformed messages, where "sensibly" means to behave in such a way as to offer maximum protection for programs that make the "obvious" interpretation of malformed MIME.

The patch does not break any of the MIME::tools regression tests, and in over a year of widespread use, I haven't heard of any problems from this patch.
Comment 10 David F. Skoll 2004-01-08 18:19:01 UTC
In response to Michael Cummings: "Why hasn't this been reported on rt.cpan.org?"

I e-mailed the patch directly to the MIME-tools author.  He did not apply it, nor did he even respond.  He applied very similar changes to MIME-tools-6alpha, but for some reason is not backporting the patch to the stable 5.411a release.
Comment 11 Michael Cummings (RETIRED) gentoo-dev 2005-07-18 03:17:53 UTC
(Cleaning up my resolve laters) - this patch went into the upstream version
after the release in question here