
Bug 480376 (CVE-2013-4223)

Summary: <mail-mta/nullmailer-1.11-r2 : world readable /etc/nullmailer/remotes (CVE-2013-4223)
Product: Gentoo Security
Reporter: redneb <redneb>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jlec, net-mail+disabled, robbat2
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description redneb 2013-08-09 14:15:50 UTC
The file /etc/nullmailer/remotes contains plaintext passwords to remote SMTP servers. I think it would be a good idea to install it with more restrictive permissions. I tried with root:nullmail / 0640 and it seems that everything works without any issues. The ebuild for mail-mta/ssmtp does a similar thing for its equivalent file. Here's the relevant snippet from that ebuild:

	if ! use prefix; then
		fowners root:ssmtp /etc/ssmtp/ssmtp.conf
		fperms 640 /etc/ssmtp/ssmtp.conf
	fi
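The report proposes installing the file as root:nullmail with mode 0640. The audit function below is an added example, not part of the bug report or of the nullmailer or ssmtp ebuilds: it checks that a secret-bearing config file has the expected owner and group and no world bits or group write/execute bits, and it assumes GNU coreutils `stat -c` (as on Gentoo). The function name `check_secret_perms` and the owner/group parameters are hypothetical; the demo runs on a constructed temporary file so it works without root.

```shell
#!/bin/sh
# check_secret_perms FILE OWNER GROUP
# Returns 0 if FILE is owned by OWNER:GROUP and its mode is 0640 or stricter
# (no world bits, no group write/execute); prints each finding otherwise.
check_secret_perms() {
    file=$1 want_owner=$2 want_group=$3
    status=0
    if [ ! -f "$file" ]; then
        echo "MISSING: $file"; return 2
    fi
    # GNU stat: %a = octal mode without leading zeros, %U/%G = owner/group names.
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    # Pad to four octal digits so "0" becomes "0000" and "640" becomes "0640".
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    others=${mode#"${mode%?}"}          # last digit: world bits
    rest=${mode%?}
    grp=${rest#"${rest%?}"}             # second-to-last digit: group bits
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $file owner is $owner, want $want_owner"; status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $file group is $group, want $want_group"; status=1
    fi
    case $others in
        0) ;;
        *) echo "FAIL: $file mode $mode is world-accessible"; status=1 ;;
    esac
    case $grp in
        0|4) ;;
        *) echo "FAIL: $file mode $mode lets group $group write or execute"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: $file is $owner:$group mode $mode"
    return "$status"
}

# Demo on a constructed temp file owned by the current user. Against the real
# target the call would be: check_secret_perms /etc/nullmailer/remotes root nullmail
demo=$(mktemp) && chmod 644 "$demo"
check_secret_perms "$demo" "$(id -un)" "$(id -gn)" || echo "  -> 0644 rejected"
chmod 640 "$demo"
check_secret_perms "$demo" "$(id -un)" "$(id -gn)" || echo "  -> unexpected"
rm -f "$demo"
```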
Comment 1 Agostino Sarubbo gentoo-dev 2013-08-09 16:21:13 UTC
This becomes a security bug from now on; thanks for the report.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-08-09 16:45:41 UTC
In CVS.

Arches, please stabilize nullmailer-1.11-r2.

Target keywords:
amd64 ppc x86
Comment 3 Agostino Sarubbo gentoo-dev 2013-08-10 10:53:09 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-10 12:07:59 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-28 12:10:48 UTC
x86 stable
Comment 6 Sergey Popov gentoo-dev 2013-09-04 05:49:09 UTC
Thanks for your work

GLSA vote: no
Comment 7 Justin Lecher (RETIRED) gentoo-dev 2013-09-25 10:18:07 UTC
+*nullmailer-1.13-r2 (25 Sep 2013)
+
+  25 Sep 2013; Justin Lecher <jlec@gentoo.org> -nullmailer-1.11.ebuild,
+  -nullmailer-1.11-r1.ebuild, nullmailer-1.11-r2.ebuild,
+  nullmailer-1.11-r3.ebuild, -nullmailer-1.13.ebuild,
+  -nullmailer-1.13-r1.ebuild, +nullmailer-1.13-r2.ebuild,
+  +files/init.d-nullmailer-r3:
+  Drop old vulnerable versions, #480376; respect AR, #480394; make paludis
+  happy, #462846 thanks Thomas Witt for the patch; fix broken openrc
+  initscript, #480354
+
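Review bot: the single ChangeLog entry bundles the security cleanup for #480376 (dropping nullmailer-1.11, 1.11-r1, 1.13 and 1.13-r1) with three unrelated changes (#480394, #462846, #480354); a separate entry for the vulnerable-version removal would make the security history easier to follow. The entry does leave nullmailer-1.11-r2 and 1.11-r3 in place as modified files, which matches the "<mail-mta/nullmailer-1.11-r2" bound in the summary.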


Removed all versions in question.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-25 12:57:55 UTC
GLSA vote: no. Closing noglsa.