| Summary: | net-mail/ssmtp insecure file creation | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Dizzy <dizzy> |
| Component: | New packages | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | blocker | CC: | condordes, net-mail+disabled |
| Priority: | Highest | Keywords: | SECURITY |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 47918 | | |

Description
Dizzy
2004-04-19 23:42:26 UTC
Could someone from net-mail look/patch as appropriate?

I also checked. Gentoo does not enable this, nor could it even have been enabled at all.

```
FILE *fp; /* was missing from the code. */
```

```
solar@simple ssmtp-2.60 $ ./configure --enable-logfile
....
solar@simple ssmtp-2.60 $ make
gcc -Wall -DSTDC_HEADERS=1 -DHAVE_LIMITS_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYSLOG_H=1 -DHAVE_UNISTD_H=1 -DHAVE_LIBNSL=1 -DRETSIGTYPE=void -DHAVE_VPRINTF=1 -DHAVE_GETHOSTNAME=1 -DHAVE_SOCKET=1 -DHAVE_STRDUP=1 -DHAVE_STRSTR=1 -DLOGFILE=1 -DREWRITE_DOMAIN=1 -DSSMTPCONFDIR=\"/usr/local/etc/ssmtp\" -DCONFIGURATION_FILE=\"/usr/local/etc/ssmtp/ssmtp.conf\" -DREVALIASES_FILE=\"/usr/local/etc/ssmtp/revaliases\" -c -o ssmtp.o ssmtp.c
ssmtp.c: In function `log_event':
ssmtp.c:109: error: `fp' undeclared (first use in this function)
ssmtp.c:109: error: (Each undeclared identifier is reported only once
ssmtp.c:109: error: for each function it appears in.)
make: *** [ssmtp.o] Error 1
```

This would not have worked in the first place. Nonetheless, I fixed it and put it in portage as ssmtp-2.60.7. If `--enable-logfile` is enabled now, it will go to /dev/stdout unless `-DLOGFILE_FILENAME="/path/to/some/filename"` is defined.

If the code in question doesn't even compile, I think it's safe to assume this isn't an issue we need to worry about. I'm going to close this for now. If anyone disagrees, by all means please reopen it.