Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 432002

Summary: <net-nntp/inn-2.5.3 - plaintext command injection during the negotiation of a TLS layer (CVE-2012-3523)
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 432256    
Bug Blocks:    

Description Jeroen Roovers (RETIRED) gentoo-dev 2012-08-20 01:07:24 UTC
* Fixed a possible plaintext command injection during the negotiation of
    a TLS layer.  The vulnerability detailed in CVE-2011-0411 affects the
    STARTTLS and AUTHINFO SASL commands.  nnrpd now resets its read buffer
    upon a successful negotiation of a TLS layer.  It prevents malicious
    commands, sent unencrypted, from being executed in the new encrypted
    state of the session.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-20 01:43:16 UTC
Arch teams, please test and mark stable:
Stable KEYWORDS : amd64 ppc x86
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-22 13:29:26 UTC
amd64 stable
Comment 3 PaweĊ‚ Hajdan, Jr. (RETIRED) gentoo-dev 2012-08-30 08:43:11 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-03 05:05:57 UTC
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-27 17:14:16 UTC
Comment 6 Brent Baude (RETIRED) gentoo-dev 2012-11-20 20:53:39 UTC
ppc done
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 21:10:27 UTC
CVE-2012-3523 (
  The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly
  restrict I/O buffering, which allows man-in-the-middle attackers to insert
  commands into encrypted sessions by sending a cleartext command that is
  processed after TLS is in place, related to a "plaintext command injection"
  attack, a similar issue to CVE-2011-0411.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-20 21:11:55 UTC
Thanks, everyone. 

GLSA vote: yes.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 21:56:32 UTC
Yes, created GLSA request.
Comment 10 Michael Palimaka (kensington) gentoo-dev 2013-04-08 13:33:19 UTC
Nothing else to do for net-news here.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 20:49:30 UTC
This issue was resolved and addressed in
 GLSA 201401-24 at
by GLSA coordinator Chris Reffett (creffett).