Bug 562290 - <mail-mta/opensmtpd-5.7.3_p1: Multiple vulnerabilities
Summary: <mail-mta/opensmtpd-5.7.3_p1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2015/q4/25
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-05 10:32 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-01-27 06:52 UTC

See Also:
Package list:
Runtime testing required: ---


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-05 10:32:46 UTC
From ${URL}:
Hi folks,

I'm passing the gauntlet for anyone who wants to analyze this for
impact etc. There's a remotely triggerable buffer overflow in
OpenBSD's OpenSMTPD -- the latest version, 5.7.2 -- reachable by
sending messages with huge header lines. Qualys recently published a
result of a big audit, but it seems like they based their
investigations primarily on an older version of OpenSMTPD that didn't
have as much of the "filter" infrastructure. I'd recommend interested
parties spend some time looking through the filter code, as there
could be more problems. Here's a vulnerability in the filter io path:
##
Already stabilized, bug added for tracking purposes with regards to GLSA and CVE assignment

Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-05 10:33:27 UTC
Adding to existing GLSA
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-05 18:20:24 UTC
Updating this bug to reflect the further security issues announced today as well

From http://seclists.org/oss-sec/2015/q4/34: 
OpenSMTPD 5.7.3 was released with fixes, and the release notes follow
below. There may be other vulnerabilities also fixed by this release.
A full diff follows for analysis and additional CVE assignment, in
case that is necessary.

Thanks,
Jason

[1] http://seclists.org/oss-sec/2015/q4/25


---------- Forwarded message ----------
From: Gilles Chehade <gilles () poolp org>
Date: Mon, Oct 5, 2015 at 3:30 PM
Subject: Announce: OpenSMTPD 5.7.3 released
To: misc () opensmtpd org

[snipped]

Issues fixed in this release (since 5.7.2):
===========================================

- fix an mda buffer truncation bug which allows a user to create forward
  files that pass session checks but fail delivery later down the chain,
  within the user mda [0]
- fix remote buffer overflow in unprivileged pony process [1]
- reworked offline enqueue to better protect against hardlink attacks [2]


[0] reported by Holger Jahn
[1] reported by Jason A. Donenfeld
[2] reported by Qualys Security
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 15:11:10 UTC
CVE Requested - http://seclists.org/oss-sec/2015/q4/34
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-01-27 06:52:45 UTC
This issue was resolved and addressed in
 GLSA 201601-04 at https://security.gentoo.org/glsa/201601-04
by GLSA coordinator Sergey Popov (pinkbyte).