
Bug 88904

Summary: mail-filter/gld: Format String Flaws and Buffer Overflows
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED)
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: blocker
CC: net-mail+disabled
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://securitytracker.com/alerts/2005/Apr/1013678.html
Whiteboard: B0 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-04-12 15:25:14 UTC
Version(s): 1.3, 1.4
Description:  dong-hun you from INetCop Security reported several vulnerabilities in Gld. A remote user can obtain root privileges.

The 'server.c' file contains several buffer overflows. A remote user can supply specially crafted input to trigger a buffer overflow and execute arbitrary code.

The 'cnf.c' file contains several format string vulnerabilities, where user-supplied data is not properly validated and is passed to a syslog() call without the appropriate format string specifier. A remote user can supply specially crafted input to execute arbitrary code with root privileges.
Impact:  A remote user can execute arbitrary code with root privileges.

Solution:  No solution was available at the time of this entry.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-12 23:07:09 UTC
auditors and/or net-mail please advise.
Comment 2 rob holland (RETIRED) gentoo-dev 2005-04-13 02:12:38 UTC
despite the various "this is safe" comments in the source code, it hasn't been thought out so well.

perl -e 'print "request=" . ("x" x 2000) . "\n\n"' | nc localhost 2525

Overflow at: server.c:265

strcpy without proper length checks (despite comments in the code which say otherwise).

attacker decides what lands on the stack, so it's easily exploitable.
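Added example (not code from Gld or from this bug report) showing the hardened form of the two patterns named above: a bounded copy of the "request=" value that rejects over-long input instead of strcpy'ing it into a fixed buffer, and a syslog() wrapper that passes client data as a "%s" argument rather than as the format string. The 256-byte buffer, the "request=" keyword and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define REQUEST_MAX 256   /* assumed size of the fixed destination buffer */

/* Copy the value after "request=" into out (capacity outlen).
 * Returns the value length, -1 if the line is not a request line,
 * -2 if the value would not fit (reject; never truncate silently). */
int parse_request(const char *line, char *out, size_t outlen)
{
    static const char key[] = "request=";
    if (strncmp(line, key, sizeof key - 1) != 0)
        return -1;
    const char *val = line + sizeof key - 1;
    size_t n = strcspn(val, "\r\n");   /* value ends at end of line */
    if (n >= outlen)                    /* leave room for the NUL */
        return -2;
    memcpy(out, val, n);
    out[n] = '\0';
    return (int)n;
}

/* Log an untrusted client string. The report's cnf.c pattern was
 * syslog(prio, data); here the format is fixed and data is an argument,
 * so "%n" or "%x" in the client data is just text. Returns the message
 * length, or -1 if it does not fit in msg. */
int log_client_line(int prio, const char *peer, const char *data,
                    char *msg, size_t msglen)
{
    int n = snprintf(msg, msglen, "client %s sent: %s", peer, data);
    if (n < 0 || (size_t)n >= msglen)
        return -1;
    syslog(prio, "%s", msg);   /* constant format string */
    return n;
}

int main(void)
{
    /* Constructed input shaped like the 2000-byte line from the comment above. */
    char line[2100], req[REQUEST_MAX], msg[512];
    memset(line, 'x', sizeof line);
    memcpy(line, "request=", 8);
    line[2008] = '\n'; line[2009] = '\0';
    printf("long line -> %d\n", parse_request(line, req, sizeof req));
    printf("short line -> %d\n", parse_request("request=ping\n", req, sizeof req));
    printf("log -> %d\n", log_client_line(LOG_INFO, "127.0.0.1", "%n%n", msg, sizeof msg));
    return 0;
}
```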
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 02:55:24 UTC
Has upstream been informed about this?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 03:02:53 UTC
Bummer, cached page here. 1.5 is released today. 

net-mail please bump.
Comment 5 Andrej Kacian (RETIRED) gentoo-dev 2005-04-13 03:04:33 UTC
I'll do it.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 03:15:30 UTC
Default config IS affected -> upgrading severity.

net-mail please provide a better default than this:

#
# Shall we bind only to loopback ? (0=No,1=Yes) (default is 0)
#
LOOPBACKONLY=0

#
# The list of networks allowed to connect to us (default is everybody)
# The format is network/cidrmask,....
#
# Uncomment the line to activate it.
#
#CLIENTS=192.168.168.0/24 172.16.0.0/19 127.0.0.1/32
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 03:24:28 UTC
net-mail please also fix the default user. Right now the default config makes it run with root privs:

#
# The user used to run gld (default value is no user change)
# uncomment the line to activate it.
#
#USER=nobody

#
# The group used to run gld (default value is no group change)
# uncomment the line to activate it.
#
#GROUP=nobody
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2005-04-13 03:30:42 UTC
Ebuild for 1.5 in portage, x86 stable.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 03:42:11 UTC
amd64 please test and mark stable ASAP.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 03:56:12 UTC
amd64 please cvs up if you've already started:

[12:56:33] <@Ticho> jaervosz: updated the gld ebuild, since it installed few files in wrong places
Comment 11 Andrej Kacian (RETIRED) gentoo-dev 2005-04-13 04:35:25 UTC
It seems to work just fine on a busy amd64 mailserver I admin. Marked stable on amd64.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 04:37:46 UTC
Thx everyone. This one is ready for glsa.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 05:23:06 UTC
GLSA 200504-10