Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 109381 - mail-mta/xmail: security update + init script forgets to copy resolve libs
Summary: mail-mta/xmail: security update + init script forgets to copy resolve libs
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2005-10-15 10:06 UTC by Ceesjan Luiten
Modified: 2005-12-14 09:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ceesjan Luiten 2005-10-15 10:06:01 UTC
After upgrading packages on my system the XMail server didn't download pop3link
mail any more - in debug mode it would print messages like this:

ErrCode   = -40
ErrString = Invalid server address
ErrInfo   = ***
[PSYNC/MASQ] MasqDomain = "," - RmtDomain = "***" -
RmtName = "quinox" Failed !

After some testing I found out that wget had the same problem in the chrooted
directory, and after some googling I found . Copying
those 3 files mentioned in that post:

to the /chroot/xmail/lib directory fixed my problem.

ATM the init script copies all libs mentioned in ldd XMail - The resolve libs
are not listed there. IMO these will have to be copied by the init.d script too
before starting XMail


XMail 1.22 has been released a few days ago and isn't in portage yet - it has a
security update to fix a buffer overflow with the local sendmail prog

Reproducible: Always
Steps to Reproduce:
Comment 1 Ceesjan Luiten 2005-12-10 03:36:30 UTC
Noone ? It is kind of bad if we leave an exploitable version of a mail server in
portage for this long :/
Comment 2 Andrea Barisani (RETIRED) gentoo-dev 2005-12-10 04:00:43 UTC
1.22 is masked in the tree (wait a few minutes for mirrors to pick it up), could
you please test it and see if it works for you so that I can remove the vuln
package and have the sec team issuing a GLSA?

(Moving to Security)
Comment 3 Ceesjan Luiten 2005-12-10 05:10:39 UTC
It compiles without any problems and it runs fine :)
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-12-11 10:01:06 UTC
x86 or maintainer can go ahead and mark stable
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-12-12 07:23:57 UTC
Local exploitation of a buffer overflow vulnerability in XMail, as
distributed with multiple vendors' operating systems, allows local
attackers to execute arbitrary code with elevated privileges.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 09:52:40 UTC
GLSA 200512-05