PROGRAM: metamail
VENDOR: Bell Communications Research, Inc. (Bellcore)
DOWNLOAD URLs:
  ftp://thumper.bellcore.com/pub/nsb/
  http://ftp.funet.fi/pub/unix/mail/metamail/
VULNERABLE VERSIONS: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others
IMMUNE VERSIONS: 2.7 with my patch applied
REFERENCES:
  CAN-2004-0104 (format string bugs)
  CAN-2004-0105 (buffer overflows)
  http://lists.netsys.com/pipermail/full-disclosure/2004-February/017539.html
net-mail herd -- need a confirm/action on this.
netmail folks?
Confirmed: format string and buffer overflows:
http://www.kb.cert.org/vuls/id/518518
http://www.kb.cert.org/vuls/id/513062
Already published advisories include http://www.debian.org/security/2004/dsa-449
This package is not maintained upstream. We should either drop it or apply the latest Debian package patch:
http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.2.diff.gz
net-mail folks?
-K
it's more than two months now - do you still read the forrester study? :)
net-mail was recently reorganized, so hopefully someone can take the metamail package and bump the ebuild to the latest Debian patch (see comment above)? Thanks in advance, -K
masking this package for security reasons.
geez. Hardmasking this package leaves me with a broken portage: it constantly complains about not having metamail ready, since sylpheed-claws has a dep on it. I don't want insecure software in portage either and don't have a solution for this as for now, but something like that should not happen! I'll try to grab the source directly, which I did for the last metamail version I have on my system too, because the genpatches just did not work.
You're welcome to submit an updated ebuild. Otherwise, you can also unmask the package as described in the /usr/portage/profiles/package.mask file.
I'm on this, give me a few minutes
Created attachment 31204: ebuild using new Debian patch
Jason, thanks for the ebuild -- I'd already had one in the works with a different patch and a different tweak in it. Anyway, people, 2.7.45.3 is in portage -- Arch maintainers, please test and stabilise.
arches -- please test/mark stable.
Stable on alpha.
Are the automake and autoconf errors that show up right after the patch expected?

 * Applying metamail_2.7-45.3.diff... [ ok ]
ls: ./acinclude.m4: No such file or directory
automake: Makefile.am: required file `./NEWS' not found
automake: Makefile.am: required file `./AUTHORS' not found
automake: Makefile.am: required file `./ChangeLog' not found
FATAL ERROR: Autoconf version 2.50 or higher is required for this script
FATAL ERROR: Autoconf version 2.50 or higher is required for this script
>>> Source unpacked.
Once seemant's patch-fu was added, it now works great and spits out no errors. Stable on sparc.
When is the patched ebuild supposed to be supplied with the portage tree officially - any schedule yet? The masking still breaks emerge -u world when using sylpheed-claws. How can I apply the patch? Sorry, I'm still a n00b :-/
I just found http://www.gentoo.org/doc/en/portage-manual.xml#doc_chap3_sect2 again, so now I should be able to apply the fixed ebuild.
Target keywords = "x86 ppc alpha ia64 sparc s390 ~amd64 ~hppa"
ppc, ia64, s390: please mark stable
Stable on s390
ppc, ia64: please mark stable
Marked ppc
GLSA 200405-17