Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 608726 (CVE-2017-5930) - ~www-apps/postfixadmin-3.0.2: Arbitrary aliases can be deleted
Summary: ~www-apps/postfixadmin-3.0.2: Arbitrary aliases can be deleted
Status: RESOLVED FIXED
Alias: CVE-2017-5930
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Deadline: 2017-07-09
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2017/q1/331
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks: 604182
  Show dependency tree
 
Reported: 2017-02-09 10:37 UTC by Thomas Deutschmann
Modified: 2017-06-16 08:27 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-02-09 10:37:57 UTC
Due to insufficient permission checks a authenticated user is able to delete arbitrary aliases.

Upstream bug:

https://github.com/postfixadmin/postfixadmin/pull/23

Upstream patch:

https://github.com/svn2github/PostfixAdmin/commit/3b37e47b207f6f65b8dd22967c234ec518e3476a
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-02-09 10:39:47 UTC
@ Maintainer(s): Version in Gentoo repository (2.3.x) is _not_ affected. However, if you bump, please bump to >=www-apps/postfixadmin-3.0.2.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-06-08 10:22:42 UTC
Now PMASKED and scheduled for removal in 30 days.

If you are using www-apps/postfixadmin or want to keep the package in official Gentoo repository, it is now _your_ time to offer your help or this package will be removed in 30 days.

Non-Gentoo developer who wants to help can contribute through the Gentoo Proxy Maintainers project. See https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started for more information.
Comment 3 David Klaftenegger 2017-06-08 10:28:07 UTC
as per #c1 "Version in Gentoo repository (2.3.x) is _not_ affected."

Is removal really the way to go in this case?

Note that this guide uses postfixadmin:
https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server/Admin_Support_Systems
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-06-08 10:35:56 UTC
You are right, 2.3.x is not affected. Nevertheless, package is unmaintained and we have to address bug 604182. We will see if the mask will bring us someone who cares about the package.

If not I'll rev bump and only remove ZendFramework integration which basically removes the xmlrpc interface and lift the mask.
Comment 5 Andrew 2017-06-10 09:46:00 UTC
+1
I'm interested in this project cause set up mail server according to gentoo guide and refered to this topic after noticed the mask.
Comment 6 Carlos Konstanski 2017-06-10 23:46:28 UTC
Just saw this come up as a package.mask removal message during an emerge @world. I'm starting from square one on this security issue, but I'd be willing to work on it if it means we can keep the package. Fixing the bug is sure to be less work than maintaining my mailserver without this tool. Wish the existence of this issue could have been announced sooner, perhaps via eselect news.
Comment 7 Thomas Deutschmann gentoo-dev Security 2017-06-11 10:33:24 UTC
Non-Gentoo developer who wants to help can contribute through the Gentoo
Proxy Maintainers project. See
https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started
for more information.

There's already a request for maintainership, see bug 621236. However, that doesn't mean your contribution is no longer required. At the moment it is just a request. So please come up with a patch/pull request so that we can see that you are actual capable of maintaining the package. Also, it is always a good idea to work in teams. I encourage everyone who wants to help with postfixadmin to work together. More than one person can proxy-maintain the same package as long as you are working together.
Comment 8 Aaron W. Swenson gentoo-dev 2017-06-16 01:08:51 UTC
Unaffected version committed, and mask removed.

commit ac0e6ffd4e7879e451a7c0cef896e45fda46c47d
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Jun 15 21:05:03 2017 -0400

    www-apps/postfixadmin: Version Bump
    
    Version bump to fix security bug 608726.
    
    Updated to EAPI 6. Added myself and Proxy Maintainers. All are welcome
    to improve this ebuild through Proxy Maintainers, but I will,
    ultimately, take care of it.
    
    Bugs: 608726, 621236, 600542.
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.1
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-06-16 08:27:10 UTC
This was fixed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac0e6ffd4e7879e451a7c0cef896e45fda46c47d

Package is no longer masked.

Repository is clean, no affected version left in repository.