
Bug 95492

Summary: mail-filter/razor Denial of Service vulnerabilities.
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mail, rsoderberg, slarti
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments: full emerge log (flags: none)

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-06-08 13:33:02 UTC
Razor appears to be vulnerable to overly long Content-Type headers like SpamAssassin (bug #94722).
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-08 13:34:20 UTC
Waiting for upstream fix. 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 09:21:25 UTC
2.71 is in.
Not sure this is widely public, so calling arch liaisons to test and mark stable.
x86->tester
amd64->blubb
ppc->hansmi
sparc->gustavoz
alpha->kloeri
Target KEYWORDS="x86 ppc sparc alpha amd64"
Comment 3 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-16 09:57:03 UTC
Adding lu_zero as I'm busy.
Comment 4 Simon Stelling (RETIRED) gentoo-dev 2005-06-16 10:01:59 UTC
Adding luckyduck as I'm currently busy.
Comment 5 Luca Barbato gentoo-dev 2005-06-16 10:06:46 UTC
Is there any standard way to test it?
Comment 6 Jan Brinkmann (RETIRED) gentoo-dev 2005-06-16 10:27:09 UTC
Can't even merge it on amd64:

Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agents.5
Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agent.conf.5
Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-whitelist.5
Installing /var/tmp/portage/razor-2.71/image/usr/bin/razor-client
Writing
/var/tmp/portage/razor-2.71/image//usr/lib/perl5/vendor_perl/5.8.5/x86_64-linux/auto/razor-agents/.packlist
Appending installation info to
/var/tmp/portage/razor-2.71/image//usr/lib/perl5/5.8.5/x86_64-linux/perllocal.pod
/usr/bin/razor-client
make: /usr/bin/razor-client: Command not found
make: *** [install_razor_agents] Error 127

!!! ERROR: mail-filter/razor-2.71 failed.
!!! Function perl-module_src_install, Line 132, Exitcode 2
!!! (no error message)
!!! If you need support, post the topmost build error, NOT this status message.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 11:15:39 UTC
Now public
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 11:15:55 UTC
*** Bug 96293 has been marked as a duplicate of this bug. ***
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 11:18:18 UTC
Adding arch aliases
Comment 10 Richard Soderberg 2005-06-16 11:21:48 UTC
> Not sure this is widely public, so calling arch liaisons to test and mark stable.

Yep, not widely public.
Comment 11 Richard Soderberg 2005-06-16 11:25:07 UTC
(In reply to comment #6)
> Can't even merge it on amd64:
> 
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agents.5
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-agent.conf.5
> Installing /var/tmp/portage/razor-2.71/image/usr/man/man5/razor-whitelist.5
> Installing /var/tmp/portage/razor-2.71/image/usr/bin/razor-client
> Writing
> /var/tmp/portage/razor-2.71/image//usr/lib/perl5/vendor_perl/5.8.5/x86_64-linux/auto/razor-agents/.packlist
> Appending installation info to
> /var/tmp/portage/razor-2.71/image//usr/lib/perl5/5.8.5/x86_64-linux/perllocal.pod
> /usr/bin/razor-client
> make: /usr/bin/razor-client: Command not found
> make: *** [install_razor_agents] Error 127
> 
> !!! ERROR: mail-filter/razor-2.71 failed.
> !!! Function perl-module_src_install, Line 132, Exitcode 2
> !!! (no error message)
> !!! If you need support, post the topmost build error, NOT this status message.

2.71 was released to address this issue in 2.70, but seems not to have fixed
every case.  Can you provide the full build log especially including the line
'perl Makefile.PL ...'?  In Makefile.PL we do
$(DESTDIR)$(INSTALLSCRIPT)/razor-client to build the symlinks, but this method
is likely to be changed soon seeing as how it's causing problems.
Comment 13 Luca Barbato gentoo-dev 2005-06-16 11:30:56 UTC
Same issue on ppc.

A full log will follow shortly
Comment 14 Luca Barbato gentoo-dev 2005-06-16 11:38:40 UTC
Created attachment 61345
full emerge log

I hope it helps
Comment 15 Richard Soderberg 2005-06-16 11:42:32 UTC
(In reply to comment #14)
> Created an attachment (id=61345)
> full emerge log
> 
> I hope it helps

Almost :)  It doesn't show the 'perl Makefile.PL' command, which is right at the
source of the bug.  I'm trying to find some hardware here that I can build up
all the perl packages on to try this, but I think we're just going to release a
2.72 with this issue fixed for good.
Comment 16 Tom Martin (RETIRED) gentoo-dev 2005-06-16 11:46:33 UTC
Damn, sorry about that, this error only occurs if you didn't have razor
installed earlier (obviously), and I didn't unmerge then remerge when testing
because I was in a bit of a hurry to get it bumped for this bug. I'll bump to
2.72 as soon as it's ready.
Comment 17 Richard Soderberg 2005-06-16 12:15:31 UTC
(In reply to comment #16)
> Damn, sorry about that, this error only occurs if you didn't have razor
> installed earlier (obviously), and I didn't unmerge then remerge when testing
> because I was in a bit of a hurry to get it bumped for this bug. I'll bump to
> 2.72 as soon as it's ready.

No worries, thanks for passing along the information.
Comment 18 Richard Soderberg 2005-06-16 15:10:41 UTC
(In reply to comment #16)
> Damn, sorry about that, this error only occurs if you didn't have razor
> installed earlier (obviously), and I didn't unmerge then remerge when testing
> because I was in a bit of a hurry to get it bumped for this bug. I'll bump to
> 2.72 as soon as it's ready.

2.72 is now released to sourceforge; we ripped out the symlinks and custom
Makefile stuff that's been causing problems for package maintainers everywhere.
No user-visible changes to this release; I'll keep watch on this bug to see how
it goes.
Comment 19 Tom Martin (RETIRED) gentoo-dev 2005-06-17 01:38:12 UTC
(In reply to comment #18)
> 2.72 is now released to sourceforge; we ripped out the symlinks and custom
> Makefile stuff that's been causing problems for package maintainers everywhere.
>  No user-visible changes to this release; I'll keep watch on this bug to see how
> it goes.

I've added the new ebuild to CVS.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-06-17 02:45:25 UTC
Back to arches stabilization
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2005-06-17 06:02:41 UTC
sparc happy.
Comment 22 Luca Barbato gentoo-dev 2005-06-17 06:26:31 UTC
ppc too
Comment 23 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-17 07:56:14 UTC
Bug #96293 was in fact not a dupe but apparently contains another issue:  
 
--- 
Vipul has released razor-agents 2.71 to address two critical issues in all  
prior razor-agents.  One of these issues addresses a bug in the discovery  
logic, where a razor-agent that cannot reach the discover server may go into  
an infinite loop until discover is available, slowly leaking memory and  
eventually crashing the system. 
--- 
 
I guess the other is the Content-Type bug similar to SA.
Cannot find any upstream reference to this issue and didn't realize that
Richard was a Razor dev (Sorry Richard). I'll draft the GLSA in a few hours.
Comment 24 Fernando J. Pereda (RETIRED) gentoo-dev 2005-06-17 12:26:03 UTC
alpha tasty !
Comment 25 Simon Stelling (RETIRED) gentoo-dev 2005-06-18 12:19:19 UTC
amd64 stable
Comment 26 Andrej Kacian (RETIRED) gentoo-dev 2005-06-18 13:03:19 UTC
x86 happy
Comment 27 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-19 09:22:56 UTC
The security implications of the discovery bug seem questionable and the DoS
issue is rather limited, holding off GLSA for now.
 
[18:15:21] <taviso> $ time razor-check viagra.txt  
[18:15:21] <taviso> real    0m1.331s 
[18:15:27] <taviso> $ time razor-check viagra2.txt  
[18:15:28] <taviso> real    0m13.325s 
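
Added example, not part of the original thread or of Razor's code: a pre-screen for a mail pipeline, relating to the overly long Content-Type header issue and the slow scan timed in comment 27. It skips the checker when a Content-Type header exceeds a length limit and time-boxes the scan otherwise. The 998-byte limit, the 5-second budget and the function names are assumptions; the checker is invoked with the message file as its argument, as in the `razor-check viagra.txt` run above.

```python
import re
import subprocess
import tempfile

MAX_CT_LEN = 998      # assumed limit, borrowed from the RFC 5322 line-length cap
SCAN_TIMEOUT_S = 5.0  # assumed per-message time budget for the checker

# A Content-Type header at the start of any line (top level or MIME part),
# together with its folded continuation lines. Linear-time pattern.
_CT = re.compile(rb"^content-type:[^\r\n]*(?:\r?\n[ \t][^\r\n]*)*", re.I | re.M)


def longest_content_type(raw: bytes) -> int:
    """Byte length of the longest Content-Type header, folded lines included."""
    return max((len(m.group(0)) for m in _CT.finditer(raw)), default=0)


def screen(raw: bytes, checker=("razor-check",),
           max_len: int = MAX_CT_LEN, timeout: float = SCAN_TIMEOUT_S) -> str:
    """Return 'oversize', 'timeout' or 'exit:<code>' for one raw message."""
    if longest_content_type(raw) > max_len:
        return "oversize"            # never handed to the checker
    with tempfile.NamedTemporaryFile(suffix=".eml") as f:
        f.write(raw)
        f.flush()
        try:
            done = subprocess.run([*checker, f.name], timeout=timeout,
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL)
        except subprocess.TimeoutExpired:
            return "timeout"         # child is killed by subprocess.run
    return f"exit:{done.returncode}"


if __name__ == "__main__":
    # Constructed sample message, not taken from the bug report.
    sample = (b"From: a@example.org\r\n"
              b"Content-Type: multipart/mixed;\r\n boundary=\"" + b"A" * 5000 +
              b"\"\r\n\r\nbody\r\n")
    print(longest_content_type(sample), screen(sample))
```

Messages that come back as `oversize` or `timeout` can be deferred or delivered unscanned according to local policy, so one slow message does not stall the queue.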
 
Comment 28 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-19 21:50:15 UTC
Combined GLSA with bug #94722. 
Comment 29 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-20 23:23:40 UTC
GLSA 200506-17