|Summary:||net-mail/metamail format string bugs and buffer overflows|
|Product:||Gentoo Security||Reporter:||Carsten Lohrke (RETIRED) <carlo>|
|Component:||GLSA Errors||Assignee:||Gentoo Security <security>|
|Severity:||blocker||CC:||christof.schulze, net-mail+disabled, ppc, seemant, sgtphou|
|Package list:||Runtime testing required:||---|
|Attachments:||ebuild using new debian patch|
Description Carsten Lohrke (RETIRED) 2004-02-19 03:55:05 UTC
PROGRAM: metamail VENDOR: Bell Communications Research, Inc. (Bellcore) DOWNLOAD URLs: ftp://thumper.bellcore.com/pub/nsb/ http://ftp.funet.fi/pub/unix/mail/metamail/ VULNERABLE VERSIONS: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others IMMUNE VERSIONS: 2.7 with my patch applied REFERENCES: CAN-2004-0104 (format string bugs) CAN-2004-0105 (buffer overflows) http://lists.netsys.com/pipermail/full-disclosure/2004-February/017539.html
Comment 1 Kurt Lieber (RETIRED) 2004-03-30 00:24:15 UTC
net-mail herd -- need a confirm/action on this.
Comment 2 Kurt Lieber (RETIRED) 2004-04-08 01:47:23 UTC
Comment 3 Thierry Carrez (RETIRED) 2004-04-13 04:59:29 UTC
Confirmed : format string and buffer overflows : http://www.kb.cert.org/vuls/id/518518 http://www.kb.cert.org/vuls/id/513062 Already published advisories include http://www.debian.org/security/2004/dsa-449 This package is not maintained upstream. We should either drop it or apply the latest Debian package patch : http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.2.diff.gz net-mail folks ? -K
Comment 4 Carsten Lohrke (RETIRED) 2004-04-21 09:13:15 UTC
it's more than two months now - do you still read the forrester study? :)
Comment 5 Thierry Carrez (RETIRED) 2004-04-29 07:16:11 UTC
net-mail was recently reorganized, so hopefully someone can take the metamail package and bump the ebuild to the latest Debian patch (see comment above) ? Thanks in advance, -K
Comment 6 Kurt Lieber (RETIRED) 2004-05-11 08:30:44 UTC
masking this package for security reasons.
Comment 7 Christof Schulze 2004-05-11 11:02:54 UTC
geez Hardmasking this packages leaves me with a broken portage: it constantly complains about not having metamail ready since sylpheed-claws has a dep on it. I don't want insecure software in portage either and don't have a solution for this as for now, but something like that should not happen! I'll try to grab the source directly which I did for the last metamail-version I have on my system too because the genpatches just did not work.
Comment 8 Kurt Lieber (RETIRED) 2004-05-11 11:11:25 UTC
You're welcome to submit an updated ebuild. Otherwise, you can also unmask the package as described in the /usr/portage/profiles/package.mask file.
Comment 9 Seemant Kulleen (RETIRED) 2004-05-11 11:16:25 UTC
I'm on this, give me a few minutes
Comment 10 Jason Short 2004-05-11 11:57:56 UTC
Created attachment 31204 [details] ebuild using new debian patch
Comment 11 Seemant Kulleen (RETIRED) 2004-05-11 12:08:34 UTC
Jason, thanks for the ebuild -- I'd already had one in the works with a different patch and a different tweak in it. Anyway, people, 22.214.171.124 is in portage -- Arch maintainers, please test and stabilise.
Comment 12 Kurt Lieber (RETIRED) 2004-05-11 12:10:21 UTC
arches -- please test/mark stable.
Comment 13 Bryan Østergaard (RETIRED) 2004-05-11 15:55:46 UTC
Stable on alpha.
Comment 14 Jason Wever (RETIRED) 2004-05-11 17:21:58 UTC
Are the automake and autoconf errors that show up right after the patch expected? * Applying metamail_2.7-45.3.diff... [ ok ] ls: ./acinclude.m4: No such file or directory automake: Makefile.am: required file `./NEWS' not found automake: Makefile.am: required file `./AUTHORS' not found automake: Makefile.am: required file `./ChangeLog' not found FATAL ERROR: Autoconf version 2.50 or higher is required for this script FATAL ERROR: Autoconf version 2.50 or higher is required for this script >>> Source unpacked.
Comment 15 Jason Wever (RETIRED) 2004-05-11 20:35:35 UTC
Once seemant's patch-fu was added, it now works great and spits out no errors. Stable on sparc
Comment 16 Jonas Fährmann 2004-05-12 02:51:59 UTC
When is the patched ebuild supposed to be supplied with the portage tree officially - any schedule yet? The masking still breaks emerge -u world when using sylpheed-claws. How ca I apply the patch? sorry I
Comment 17 Jonas Fährmann 2004-05-12 02:51:59 UTC
When is the patched ebuild supposed to be supplied with the portage tree officially - any schedule yet? The masking still breaks emerge -u world when using sylpheed-claws. How ca I apply the patch? sorry I´m still n00b :-/
Comment 18 Jonas Fährmann 2004-05-12 04:54:05 UTC
I just found http://www.gentoo.org/doc/en/portage-manual.xml#doc_chap3_sect2 again, so now I should be able to apply the fixed ebuild.
Comment 19 Thierry Carrez (RETIRED) 2004-05-15 11:08:06 UTC
Target keywords = "x86 ppc alpha ia64 sparc s390 ~amd64 ~hppa" ppc, ia64, s390 : please mark stable
Comment 20 Michael McCabe (RETIRED) 2004-05-20 18:33:01 UTC
Stable on s390
Comment 21 Thierry Carrez (RETIRED) 2004-05-21 00:58:00 UTC
ppc, ia64 : please mark stable
Comment 22 Luca Barbato 2004-05-21 07:10:38 UTC
Comment 23 Thierry Carrez (RETIRED) 2004-05-21 12:44:04 UTC