Bug 562034 - <mail-mta/opensmtpd-5.7.2 Multiple vulnerabilities
Summary: <mail-mta/opensmtpd-5.7.2 Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.opensmtpd.org/announces/r...
Whiteboard: B1 [glsa]
Reported: 2015-10-02 11:27 UTC by Manuel Rüger (RETIRED)
Modified: 2016-01-27 06:52 UTC

Description Manuel Rüger (RETIRED) gentoo-dev 2015-10-02 11:27:44 UTC
Issues fixed in this release (since 5.7.1):
===========================================

- an oversight in the portable version of fgetln() that allows attackers
  to read and write out-of-bounds memory;

- multiple denial-of-service vulnerabilities that allow local users to
  kill or hang OpenSMTPD;

- a stack-based buffer overflow that allows local users to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;

- a hardlink attack (or race-conditioned symlink attack) that allows
  local users to unset the chflags() of arbitrary files;

- a hardlink attack that allows local users to read the first line of
  arbitrary files (for example, root's hash from /etc/master.passwd);

- a denial-of-service vulnerability that allows remote attackers to fill
  OpenSMTPD's queue or mailbox hard-disk partition;

- an out-of-bounds memory read that allows remote attackers to crash
  OpenSMTPD, or leak information and defeat the ASLR protection;

- a use-after-free vulnerability that allows remote attackers to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2015-10-02 12:50:20 UTC
@Jason: Please do not fix security bugs yourself. We further need to stabilize 5.7.2 on amd64 and x86 (and clean up the vulnerable versions after that).

If you as the maintainer are okay with stabilizing 5.7.2, please add arches.
Comment 2 Jason A. Donenfeld archtester Gentoo Infrastructure gentoo-dev Security 2015-10-02 12:54:04 UTC
I had already done all of those things before closing the bug, actually.
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-10-02 13:04:30 UTC
@Jason: Thanks for your quick response
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 15:06:25 UTC
CVE Requested here - http://seclists.org/oss-sec/2015/q4/34
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-01-27 06:52:38 UTC
This issue was resolved and addressed in
 GLSA 201601-04 at https://security.gentoo.org/glsa/201601-04
by GLSA coordinator Sergey Popov (pinkbyte).