Bug 135746 - mail-filter/spamassassin: 3.1.3 & 3.0.6 fixes Remote Execution of Code vuln (CVE-2006-2447)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: C1 [glsa] Falco
Duplicates: 135236
Depends on:
Reported: 2006-06-06 03:31 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2019-12-25 20:02 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-06 03:31:50 UTC
I assign the severity to major (C1) since the user usually can't check the emails received before they are filtered by spamassassin, so it behaves like a vulnerability against a server: the attacker only has to wait a few minutes or hours before the malicious email. So *1. And C because this vuln only occurs if the user modifies the init script or launches spamd with particular options.

'3.1.3 fixes a remote code execution vulnerability if spamd is run with the
"--vpopmail" and "-P" options.  If either/both of those options are not
used, there is no vulnerability.  There was also a fix for the userstate
directory and prefs file not being created.'
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-06 03:35:41 UTC
Please bump 3.1.3 which was released yesterday
Comment 2 Christian Hartmann (RETIRED) gentoo-dev 2006-06-06 10:43:02 UTC
perl-herd done
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-06 10:51:26 UTC
ppc stable
Comment 4 René Nussbaumer (RETIRED) gentoo-dev 2006-06-06 11:45:16 UTC
Stable on hppa
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2006-06-06 11:47:52 UTC
stable on ppc64
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2006-06-06 13:36:16 UTC
No mo' spam fo' amd64 and x86...

(I swear, I'm about to strangle bugzilla today)
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-06 14:58:11 UTC
sparc stable.
Comment 8 Thomas Cort (RETIRED) gentoo-dev 2006-06-07 16:43:09 UTC
alpha stable.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-07 22:46:05 UTC
Thanks arches, this one is ready for GLSA
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-08 04:40:59 UTC
Since spamd is run as root, is there a hazard that the code would be executed as root ??
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-10 06:06:07 UTC
*** Bug 135236 has been marked as a duplicate of this bug. ***
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-10 06:11:10 UTC
Unless you specify the -u option in /etc/conf.d/spamd it will run as root.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-11 13:06:24 UTC
GLSA 200606-09.

ia64 please don't forget to mark stable to benefit from the GLSA.
Comment 14 Christian Hartmann (RETIRED) gentoo-dev 2006-06-19 22:49:07 UTC
Don't forget about mips.