
Bug 48435

Summary: net-mail/ssmtp insecure file creation
Product: Gentoo Linux
Reporter: Dizzy <dizzy>
Component: New packages
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: blocker
CC: condordes, net-mail+disabled
Priority: Highest
Keywords: SECURITY
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 47918

Description Dizzy 2004-04-19 23:42:26 UTC
Hi

From bugtraq:
-------------------------------------------
Date: Sun, 18 Apr 2004 21:12 +0200
From: priestmaster@sms.at
To: bugtraq@securityfocus.com
Cc: vuldb@securityfocus.com
Subject: ssmtp insecure file creation

 Hi,

ssmtp 2.50.6 creates a logfile /tmp/ssmtp.log. The data in this logfile
is user specified. It's possible to overwrite any file with
the permissions of the ssmtp program (normally root). The
vulnerable call is in log_event. log_event vulnerable call:

#ifdef LOGFILE
        if((fp = fopen("/tmp/ssmtp.log", "a")) != (FILE *)NULL) {  /* fp has no declaration in this excerpt */
                (void)fprintf(fp, "%s\n", buf);
                (void)fclose(fp);
        }
#endif

I think, that all versions of ssmtp are vulnerable to this bug.

Have a nice day,

priest@priestmaster.org
http://www.priestmaster.org
--------------------------------------------------------

Now I checked the source on the default Gentoo installed version (2.48) and it seems to have the code, but I don't think it gets compiled unless LOGFILE is defined (which I don't see being defined); also grep "ssmtp.log" in the installed ssmtp binary doesn't find any match. So Gentoo doesn't seem to be vulnerable to this bug, but I wanted a second opinion here, and probably others too are interested in this matter.

Reproducible: Always
Steps to Reproduce:
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-04-20 03:02:28 UTC
could someone from net-mail look/patch as appropriate?
Comment 2 solar (RETIRED) gentoo-dev 2004-04-23 00:07:16 UTC
I also checked. Gentoo does not enable this, nor could it
even be enabled at all.

FILE *fp; /* was missing from the code. */

solar@simple ssmtp-2.60 $ ./configure --enable-logfile
....

solar@simple ssmtp-2.60 $ make
gcc -Wall  -DSTDC_HEADERS=1 -DHAVE_LIMITS_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYSLOG_H=1 -DHAVE_UNISTD_H=1 -DHAVE_LIBNSL=1 -DRETSIGTYPE=void -DHAVE_VPRINTF=1 -DHAVE_GETHOSTNAME=1 -DHAVE_SOCKET=1 -DHAVE_STRDUP=1 -DHAVE_STRSTR=1 -DLOGFILE=1 -DREWRITE_DOMAIN=1  -DSSMTPCONFDIR=\"/usr/local/etc/ssmtp\" -DCONFIGURATION_FILE=\"/usr/local/etc/ssmtp/ssmtp.conf\" -DREVALIASES_FILE=\"/usr/local/etc/ssmtp/revaliases\"     -c -o ssmtp.o ssmtp.c
ssmtp.c: In function `log_event':
ssmtp.c:109: error: `fp' undeclared (first use in this function)
ssmtp.c:109: error: (Each undeclared identifier is reported only once
ssmtp.c:109: error: for each function it appears in.)
make: *** [ssmtp.o] Error 1

This would not have worked in the first place..
Nonetheless I fixed it and put it in portage as ssmtp-2.60.7..
if --enable-logfile is enabled now it will go to /dev/stdout
unless -DLOGFILE_FILENAME="/path/to/some/filename" is defined.
Comment 3 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-24 12:18:12 UTC
If the code in question doesn't even compile, I think it's safe to assume this isn't an issue we need to worry about.

I'm going to close this for now.  If anyone disagrees, by all means please reopen it.