Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 135005 - mail-mta/courier DoS issue (CVE-2006-2659)
Summary: mail-mta/courier DoS issue (CVE-2006-2659)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.courier-mta.org/beta/patch...
Whiteboard: B3 [glsa] jaervosz
Keywords:
: 134262 (view as bug list)
Depends on: 140883
Blocks:
  Show dependency tree
 
Reported: 2006-05-31 02:13 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-10-15 05:33 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Updated mailer.conf for mailwrapper support (mailer.conf,197 bytes, text/plain)
2006-07-12 17:15 UTC, Jason Wever (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2006-05-31 02:13:15 UTC
2006-05-23  Mr. Sam  <mrsam@courier-mta.com>

	* courier/libs/comverp.c (verp_encode): Fix bug in encoding of
	usernames that contain '='.
Comment 1 Marcin Semeniuk 2006-06-04 22:13:50 UTC
bug 134262 is the same bug.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-08 05:03:31 UTC
This bug sould be merged with bug 134262 and bug 134262 sould be assigned to security team, so that the security process could be completed, including the final GLSA vote.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-08 05:05:47 UTC
it is 	CVE-2006-2659
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-08 05:10:22 UTC
*** Bug 134262 has been marked as a duplicate of this bug. ***
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-08 05:12:46 UTC
swtaylor please advise and patch as necessary.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-30 08:55:42 UTC
Perhaps someone from net-mail will help on this one?
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-05 23:26:58 UTC
Vapier/Solar/Taviso no response from mail to swtayloer, will you try a bump?
Comment 8 Luca Longinotti (RETIRED) gentoo-dev 2006-07-10 17:26:44 UTC
mail-mta/courier-0.53.2 is in the tree now, which fixes the security issue and a few other bugs, thanks to Marcin Semeniuk (a user) that provided updated ebuilds in another bug. I want to stress that I only did the version bump for security, I won't maintain mail-mta/courier myself as I don't use it anywhere.
Best regards, CHTEKK.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-11 00:51:42 UTC
Thx Luca.

Arches please test and mark stable.
Comment 10 Joshua Jackson (RETIRED) gentoo-dev 2006-07-11 21:39:16 UTC
forgetting you have courier working locally = doh!

x86 done, as it all worked for me in that reguards. I'm going to take a nap now.

Z_Z
Comment 11 Jason Wever (RETIRED) gentoo-dev 2006-07-12 15:39:05 UTC
courier dies if "test" is in FEATURES because something it does via make check spits out;

Making check in imap
make[1]: Entering directory `/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap'
make  check-am
make[2]: Entering directory `/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap'
=============================
Do not run make check as root
=============================
make[2]: *** [check-am] Error 1
make[2]: Leaving directory `/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap'
make[1]: *** [check] Error 2
make[1]: Leaving directory `/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap'
make: *** [check-recursive] Error 1

!!! ERROR: mail-mta/courier-0.53.2 failed.
Call stack:
  ebuild.sh, line 1539:   Called dyn_test
  ebuild.sh, line 987:   Called src_test
  ebuild.sh, line 618:   Called die

Will continue testing, but should be disabled.
Comment 12 Jason Wever (RETIRED) gentoo-dev 2006-07-12 17:15:46 UTC
Created attachment 91607 [details]
Updated mailer.conf for mailwrapper support

At the request of langthang, I re-built courier with FEATURES="userpriv test" and the tests run fine.

On another note, the mailer.conf file for USE="mailwrapper" support provided in ${FILESDIR} is broken.  The path to sendmail.courier has changed from /usr/sbin to /usr/bin.  Attached is an updated version of it with the right pathings.
Comment 13 Luca Longinotti (RETIRED) gentoo-dev 2006-07-14 10:09:06 UTC
mailer.conf was updated as per attachment and the ebuild had a src_test added that will only execute the tests if FEATURES="userpriv" is present, else it will warn the user about the need of it to make check.
Best regards, CHTEKK.
Comment 14 Jason Wever (RETIRED) gentoo-dev 2006-07-16 14:06:15 UTC
SPARC sexy
Comment 15 Jason Wever (RETIRED) gentoo-dev 2006-07-16 15:14:31 UTC
This time I'll even remove SPARC from the CC! :)

Your hourly bug spam brought to you by jforman's goats.
Comment 16 Jakub Moc (RETIRED) gentoo-dev 2006-07-18 02:12:38 UTC
Could someone investigate the missing patch that should (?) get applied w/ USE="-fam"? (Bug 140883) AFAICS that patch just never existed.
Comment 17 Tuan Van (RETIRED) gentoo-dev 2006-07-18 09:15:25 UTC
(In reply to comment #16)
> Could someone investigate the missing patch that should (?) get applied w/
> USE="-fam"? (Bug 140883) AFAICS that patch just never existed.
> 

it looks like swtaylor bumped courier-0.48.2.20050130.ebuild to fix bug #69630 but forgot to commit fam-disable-check.patch.
http://sources.gentoo.org/viewcvs.py/gentoo-x86/mail-mta/courier/courier-0.48.2.20050130.ebuild?hideattic=0&rev=1.3&view=markup
one can port that patch from courier-imap but as far as security concern this isn't a regression.

BTW, tsunam mark 52.2 x86 instead of 53.2. re-add x86.
Comment 18 Tuan Van (RETIRED) gentoo-dev 2006-07-18 09:40:44 UTC
(In reply to comment #17)
> as far as security concern this
> isn't a regression.

I take it back. The last known stable ebuild doesn't have that fam stuff in there.  Guess we have to yank fam related stuff out and do a revision bump later with fam goodness.
Comment 19 Tuan Van (RETIRED) gentoo-dev 2006-07-18 14:51:03 UTC
bug 140883 is fixed. please back to your regular schedule. Sorry for the interruption.
Comment 20 Joshua Jackson (RETIRED) gentoo-dev 2006-07-20 00:02:06 UTC
perhaps its the right version this time.
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2006-07-22 02:03:37 UTC
Already ppc stable.
Comment 22 Thomas Cort (RETIRED) gentoo-dev 2006-07-22 08:40:10 UTC
alpha stable.
Comment 23 René Nussbaumer (RETIRED) gentoo-dev 2006-07-29 02:01:38 UTC
forgot to remove us.
Comment 24 Simon Stelling (RETIRED) gentoo-dev 2006-07-31 01:33:29 UTC
amd64 done, sorry for the delay.
Comment 25 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-31 02:48:06 UTC
I tend to vote YES.
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2006-07-31 13:43:50 UTC
usernames containing '=' ?? Voting no.
Comment 27 Matthias Geerdsen (RETIRED) gentoo-dev 2006-07-31 14:42:16 UTC
recipients with = seem pretty uncommon... nevertheless i tend to vote yes on this one (a really small yes though)
Comment 28 Wolf Giesen (RETIRED) gentoo-dev 2006-07-31 22:07:43 UTC
I'd say it would depend on whether usernames would have to be *valid*. If NOT, I'd vote YES. But I couldn't find info that anywhere.

Can somebody who actually worked on the code tell?
Comment 29 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-01 00:45:22 UTC
Mail gateways or mailing list servers usually don't have any chance of validating the username.
Comment 30 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-01 10:32:08 UTC
i vote no; username with "=" is rather uncommon, isn't it ?
Comment 31 Wolf Giesen (RETIRED) gentoo-dev 2006-08-02 00:07:50 UTC
Sune is right IMHO (#29), and I vote "yes", too, because of that.
Comment 32 Thierry Carrez (RETIRED) gentoo-dev 2006-08-02 06:22:19 UTC
Reverting to yes.
Comment 33 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-03 22:05:30 UTC
ia64 don't forget to mark stable to benifit from the GLSA.

GLSA 200608-06