Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 60844

Summary: net-mail/vpopmail < 5.4.6 buffer overflow & sql injection
Product: Gentoo Linux Reporter: Rajiv Aaron Manglani (RETIRED) <rajiv>
Component: New packagesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: net-mail
Priority: High    
Version: 1.4   
Hardware: All   
OS: All   
URL: http://www.kupchino.org.ru/unl0ck/advisories/vpopmail.txt
Whiteboard: C2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 57617    
Bug Blocks:    

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-08-18 21:14:26 UTC
not sure if we support vpopmail+sybase on gentoo but we should get 5.4.5 (see bug 57617) in portage
and marked stable.

no glsa needed for this one, risk is low.


                       .:: Security Advisory ::.
                  by unl0ck team [http://unl0ck.host.kz]
                               _  _     ___  _  __  _  _
             |  |  _  |  _   _  |/       |  |_ |__| |\/|
             |__| | | | |_| |_ _|\_      |  |_ |  | |  |


Advisory: #2 by unl0ck team
Bug: buffer overflow (sybase) and maybe SQL injection
Product: vpopmail <= 5.4.2 (sybase vulnerability)
Author: Werro [werro@list.ru]
Realease Date : 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference: http://unl0ck.host.kz/advisories


Overview:
vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.

Details:
Bugs were founded in SyBase. In vsybase.c file.

-------------------\
 char dirbuf[156];  \__Vulnerability___________________________________________________
 ...                                                                                   |
 if ( strlen(dir) > 0 )                                                                |
 {                                                                                     |
 sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);                                         |
 ^^^^^^^ - buffer overflow                                                             |
 }else{                                                                                |
 sprintf(dirbuf, "%s/%s", dom_dir, user);                                              |
 ^^^^^^^ - buffer overflow                                                             |
 }                                                                                     |
 ...                                                                                   |
                                          _____________________________________________|
----------------------------------------/

To avoid this bugs, you must use snprintf() with format like "%s".

12/08/04.
(c) by unl0ck team.
http://unl0ck.host.kz/
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-18 22:35:11 UTC
It appears that the vulnerable code is not fixed in 5.4.5 (vsybase.c lines 185-187 and 192-196). 

http://www.securityfocus.com/archive/1/371913/2004-08-15/2004-08-21/0
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-08-20 11:36:03 UTC
vpopmail 5.4.6 has been released:

http://sourceforge.net/forum/forum.php?forum_id=400873

Posted By: tomcollins
Date: 2004-08-19 10:07
Summary: vpopmail 5.4.6 addresses SQL injection vulnerability.

We recommend that all vpopmail users upgrade to the 5.4.6 release, as it addresses SQL injection vulnerabilities. This code was tested in the 5.5.0 release from March, and has been in use on multiple production machines without any reported bugs.

Comment 3 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-08-20 11:40:29 UTC
some more details on what is fixed in 5.4.6:

http://sourceforge.net/mailarchive/forum.php?thread_id=5038575&forum_id=34827

From: Tom Collins <tom@to...>
Vpopmail 5.4.6 released  
2004-06-30 22:34

 http://vpopmail.sf.net/
 
 Release Notes:
 
 This release is identical to 5.4.5, but with the addition of all patches
 included in 5.5.0.
 
 These patches, related to the database backends, include code to
 protect against SQL exploits (where user-entered data isn"t escaped
 before placing it in a query).  All queries are built with a modified
 version of sprintf that escapes dangerous characters from strings.
 
 5.5.0 has been out for over 3 months with some people using it in
 production environments without any reports of problems.  Even so,
 this will be a devel release until others can do more production 
 testing.
 
 ChangeLog:
 
 Tom Collins
 - Consolidate table creation code in vmysql.c and vpgsql.c.
 - Increase SQL_BUF_SIZE from 600 to 2048 for Oracle, Postgres
    and Sybase.
 - Add qnprintf() to vpopmail.c for escaping strings in SQL queries.
 - Use qnprintf() when building queries in vmysql.c, vpgsql.c,
    voracle.pc, and vsybase.c.
 - Multiple fixes to vpgsql.c related to freeing PGresults and
    attempting to access NULL PGresults when reporting errors.
 

Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-08-20 11:42:30 UTC
more details on what was fixed in 5.4.5:

http://sourceforge.net/mailarchive/forum.php?thread_id=5005922&forum_id=34827

From: Tom Collins <tom@to...>
Vpopmail 5.4.5 released  
2004-06-25 18:18

 http://vpopmail.sf.net
 
 Release Notes:
 
 There are significant changes in here for MySQL and Postgres backends.
 
 If you had problems with Postgres and roaming users, you should
 definitely upgrade.
 
 If you"ve had errors stating "couldn"t create table/database because it
 already exists" with MySQL, you should definitely upgrade.
 
 ChangeLog:
 
 fernando (at) telemacro (dot) com (dot) br
 - Patch for vpgsql.c fixes bug with Postgres and roaming users
    (POP before SMTP). [895501]
 
 Fran
Comment 5 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-08-20 11:42:30 UTC
more details on what was fixed in 5.4.5:

http://sourceforge.net/mailarchive/forum.php?thread_id=5005922&forum_id=34827

From: Tom Collins <tom@to...>
Vpopmail 5.4.5 released  
2004-06-25 18:18

 http://vpopmail.sf.net
 
 Release Notes:
 
 There are significant changes in here for MySQL and Postgres backends.
 
 If you had problems with Postgres and roaming users, you should
 definitely upgrade.
 
 If you"ve had errors stating "couldn"t create table/database because it
 already exists" with MySQL, you should definitely upgrade.
 
 ChangeLog:
 
 fernando (at) telemacro (dot) com (dot) br
 - Patch for vpgsql.c fixes bug with Postgres and roaming users
    (POP before SMTP). [895501]
 
 Fran├žoi Wautier
 - Fix method used to open database in vauth_open_update of
    vmysql.c. [967994, 946983]
 
 Pit Palme
 - Show "delete" as valid option to vdelivermail in docs. [951245]
 
 rstml
 - Hide error message during POP3 auth with Postgres. [915485]
 
 Tom Collins
 - Fix `vuserinfo -l` output, based on Bill Shupp"s patch
    (moved code to a single function call). [961742]
Comment 6 Tuan Van (RETIRED) gentoo-dev 2004-08-20 16:09:22 UTC
vpopmail-5.4.6 is in CVS. Thanks.
Comment 7 SpanKY gentoo-dev 2004-08-20 17:33:28 UTC
need some stable loving
Comment 8 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-21 12:09:29 UTC
tested and stable on ppc
Comment 9 Tuan Van (RETIRED) gentoo-dev 2004-08-21 13:37:03 UTC
stable on x86. remove x86 from CC. Still need sparc keyword.
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-08-21 19:04:28 UTC
ppc and x86: i'm just wondering how you 'tested' the ebuild, given the SRC_URI was wrong and RESTRICT=nouserpriv was removed. and well as the totally broken --enable-mysql being put back into the ebuild.

i've put -r1 into the tree, with fixes so that it can download, and build and work properly.
Comment 11 Tuan Van (RETIRED) gentoo-dev 2004-08-21 19:32:32 UTC
Sorry, It was my fault.
1. In an attempt to clean up SRI, I "backspace" two much without notice because I already have a tarball.
2. I bumped from vpopmail-5.4.0.ebuild instead vpopmail-5.4.0-r1.ebuild which have the fix for the broken --enable-mysql and the added RESTRICT=nouserpriv.

Again, sorry for any inconvenience that I've caused.
Comment 12 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-21 20:07:27 UTC
pvdabeel@dual-g5 vpopmail $ splat vpopmail
 * net-mail/vpopmail-5.4.6

        Emerged at: Sat Aug 21 21:07:51 2004
        Build time: 32 seconds

 * net-mail/vpopmail-5.4.6-r1

        Emerged at: Sun Aug 22 04:58:29 2004
        Build time: 1 minute, and 11 seconds

I downloaded the tarball manually, because the local sourceforge mirror kept timing out. Thought it was SF related. 

Anyway. As illustrated above, -r1 builds just fine on ppc too. 
Comment 13 Jason Wever (RETIRED) gentoo-dev 2004-08-21 21:20:07 UTC
Stable on sparc
Comment 14 Travis Tilley (RETIRED) gentoo-dev 2004-08-22 14:55:55 UTC
amd64 doesnt have an insecure version in stable to displace (we dont have any version stable). so i'm removing amd64 from CC without marking this version stable.
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-25 23:32:46 UTC
x86 please mark stable

I agree with rajiv that if this issue was only with Sybase we would probably not issue a GLSA however from the Changelog reference and http://sourceforge.net/forum/forum.php?forum_id=400873 it seems clear that the SQL injection might not be limited to Sybase. 
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-01 08:36:34 UTC
GLSA 200409-01