Verified in mail-mta/ssmtp-2.61-r1, which is the latest I see in portage. ssmtp allows you to specify a mail relay in /etc/ssmtp/ssmtp.conf which requires a username and password. For example, this is a valid ssmtp.conf:

mailhub=mail.1dnb.com
rewriteDomain=mail.1dnb.com
#hostname=
FromLineOverride=YES
#UseTLS=NO
UseSTARTTLS=YES
AuthUser=me@ben-xo.com
AuthPass=123456
AuthMethod=LOGIN

Naturally, my AUTH SMTP password is in there - so I have done the following:

chown root:mail /etc/ssmtp/ssmtp.conf
chmod 640 /etc/ssmtp/ssmtp.conf
chown root:mail /usr/sbin/ssmtp
chmod 2711 /usr/sbin/ssmtp

giving...

-rw-r----- 1 root mail  1279 2006-05-05 19:39 /etc/ssmtp/ssmtp.conf
-rwx--s--x 1 root mail 27268 2006-05-05 19:28 /usr/sbin/ssmtp

...as intended. However, as an unprivileged user:

xo@marshmallow ~ $ mail -v -s 'This is a test.' test@gentoo.org
Hi. Nothing else.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[->] MTIzNDU2
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<xo@mail.1dnb.com>
[<-] 250 ok
[->] RCPT TO:<test@gentoo.org>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:23:02 +0100
[->] From: xo@mail.1dnb.com
[->] Date: Fri, 5 May 2006 21:23:02 +0100
[->] To: test@gentoo.org
[->] Subject: This is a test.
[->]
[->] Hi. Nothing else.
[->] .
[<-] 250 ok 1146860502 qp 8976
[->] QUIT
[<-] 221 rain.1dnb.com

All I can say is... oops. As you can see, the password is quite clearly visible in the output (albeit base64 encoded).

Patch attached that removes this specific information leak (the rest of the info is left in for debugging). A more secure (optional?) patch would possibly remove the username, or the -v option altogether.

With the patch, we get the following output instead:

xo@marshmallow ~ $ mail -v -s "a test! hah." me@ben-xo.com
Hi. This is all, 2.
Cc:
[<-] 220 rain.1dnb.com ESMTP
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] STARTTLS
[<-] 220 ready for tls
[->] EHLO marshmallow
[<-] 250 SIZE 0
[->] AUTH LOGIN bWVAYmVuLXhvLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[<-] 235 ok, go ahead (#2.0.0)
[->] MAIL FROM:<root@mail.1dnb.com>
[<-] 250 ok
[->] RCPT TO:<me@ben-xo.com>
[<-] 250 ok
[->] DATA
[<-] 354 go ahead
[->] Received: by marshmallow (sSMTP sendmail emulation); Fri, 5 May 2006 21:26:59 +0100
[->] From: "root" <root@mail.1dnb.com>
[->] Date: Fri, 5 May 2006 21:26:59 +0100
[->] To: me@ben-xo.com
[->] Subject: a test! hah.
[->]
[->] Hi. This is all, 2.
[->] .
[<-] 250 ok 1146860738 qp 31085
[->] QUIT
[<-] 221 rain.1dnb.com
Created attachment 86218 [details, diff] always set minus_v to False when spitting out password
does this package originally come from debian...? guess it would need to go upstream. I feel a lot more "comfortable" posting it here though, I don't use Debian for anything.
lcars, sounds like another thing for you? please have a look, thanks
Reassigning to security since bug-wranglers are not able to see security restricted bugs.
Thanks Stefan / Sune, it wasn't obvious to me that ticking "Gentoo Security" was not enough for this bug to be seen by the appropriate assignee.
busy this week but I'll try to take a look soon, will try to contact upstream about it. (it would probably require a GLSA as well, or at least I'll vote for it)
(In reply to comment #3)
> lcars, sounds like another thing for you? please have a look, thanks

No time this and next week to sort this (travelling), so if you have someone else that can look at it please proceed. thx
Andrea any news on this one?
i reported it upstream with no response or acknowledgement other than the automated debian thingy. either the maintainer's gone awol, or i'm doing something wrong (which is definitely possible :)
Any news on this one?
The latest I see in portage is now ssmtp-2.61-r31, which by inspecting the ebuild does not appear to patch for this bug
3 months later...?
(In reply to comment #12)
> 3 months later...?

Andrea has been very busy lately and hasn't had much time to look at things -- I suggest you send off a report to the vendor-sec list <vendor-sec@lst.de> as this affects several distributions (Debian, Gentoo, Ubuntu, possibly some others).
ok, thanks for your suggestion. I have now done so. :) Sorry, I didn't mean to put unwanted pressure on busy people.
Rerating as this seems to be a B4.
sorry, but while you may want to take this up with the author, giving random applications sgid and then being able to own them is not a security issue. Obviously I would suggest you ask the author to add support for privileged operation to smtp. RESOLVED => WONTFIX.
surely there should be at the very least some documentation that mail-mta/ssmtp is inherently insecure and should not be used in the (perfectly reasonable) configuration i described? i am unlikely to be the only person with a shared system that has a mailhub that requires a password that is using the default Gentoo smtp client. i find it quite disturbing that it's the default client if you do not recommend using it in what seems to me to be a perfectly typical configuration. If you think I should open my concern under a new bug (perhaps as a documentation bug?), then I certainly will.
Ben: I think it's a perfectly reasonable feature request, and i see no reason why the author would turn it down, and even if he does, I'm sure you could convince our maintainer to add it..it seems like a good idea to me. I just dont think we can consider this a security bug, if you were to refile it as an application bug, I'm sure the maintainer would take a look at it.
*** Bug 187841 has been marked as a duplicate of this bug. ***