Bug 234391 (CVE-2008-3962) - mail-mta/ssmtp <2.62-r3 uninitialized memory disclosure (CVE-2008-3962)
Status: RESOLVED FIXED
Alias: CVE-2008-3962
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: ~4 / B4 [noglsa]
Blocks: 236812
Reported: 2008-08-10 17:18 UTC by Maurice van der Pot (RETIRED)
Modified: 2008-11-26 22:35 UTC (History)

Attachments
Proposed misc fixes (ssmtp-2.62-off-by-one-typecasts-and-from-fix.patch,4.16 KB, patch)
2008-08-10 17:52 UTC, Maurice van der Pot (RETIRED)
Updated patch. Removed fix for off-by-one that wasn't an off-by-one. (ssmtp-2.62-typecasts-and-from-fix.patch,3.95 KB, patch)
2008-08-21 17:57 UTC, Maurice van der Pot (RETIRED)
ssmtp-unitialized-strdup.patch (ssmtp-unitialized-strdup.patch,293 bytes, patch)
2008-09-09 12:34 UTC, Robert Buchholz (RETIRED)

Description Maurice van der Pot (RETIRED) gentoo-dev 2008-08-10 17:18:19 UTC
In ssmtp.c the function fd_gets more or less looks like this:

char *fd_gets(char *buf, int size, int fd)
{
        int i = 0;      /* declarations omitted from the sketch */
        char c;
        while((i < size) && (fd_getc(fd, &c) == 1)) {
                buf[i++] = c;
        }
        buf[i] = (char)NULL;    /* i == size here if the loop ran to the limit */
        return(buf);
}

Coming out of the loop, i can be size, causing a 0-byte to be written past the end of the buffer.

There are also lots of "char c = (char)NULL;" and "char *p = (char)NULL;" occurrences that may be indicative of careless programming and may warrant a code review.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-10 17:22:58 UTC
I agree on the off-by-one error, but initializing variables to NULL before using them seems a rather good practice to me, as it allows to find some bugs more easily. We'll probably have to contact upstream.
Comment 2 Maurice van der Pot (RETIRED) gentoo-dev 2008-08-10 17:52:09 UTC
Created attachment 162630 [details, diff]
Proposed misc fixes

In addition to fixing the "(char)NULL" things and the off-by-one, this also addresses a problem in from_format() that caused a call to strdup on a local buffer with uninitialized contents.

This last problem was introduced in 2.62 and was the reason I started looking at the source code in the first place (the From: line wasn't properly formatted).

I have not looked at the rest of the source, so I'm not claiming this is a complete solution.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 22:21:21 UTC
Concerning the potential off-by-one:
There is no off-by-one error if 'int size' is not the buffer size, but the maximum number of characters the buffer can contain (not counting the NUL). From my reading of the code, this is what happens:

The only call of that function is here:

int smtp_read(int fd, char *response)
{
	do {
		if(fd_gets(response, BUF_SZ, fd) == NULL) {
...

smtp_read() is called at several places, but all buffers that are passed as 'response' have been allocated as 'BUF_SZ + 1'. Am I missing something?
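Robert's reading of the contract, exercised as an added example that is not ssmtp's code: fd_getc() is a hypothetical stand-in built on read(2), BUF_SZ is shrunk for the demo, and the input strings are constructed. It pushes more than BUF_SZ bytes through a pipe into a buffer allocated as BUF_SZ + 1, the way the smtp_read() callers allocate theirs, and checks that the terminator lands at index BUF_SZ with the byte past the buffer untouched.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Demo-sized limit; ssmtp's real BUF_SZ is larger, the arithmetic is the same. */
#define BUF_SZ 8

/* Hypothetical one-byte reader standing in for ssmtp's fd_getc():
 * 1 = got a byte, 0 = EOF, -1 = error. */
static int fd_getc(int fd, char *c)
{
    ssize_t n = read(fd, c, 1);
    return n == 1 ? 1 : (n == 0 ? 0 : -1);
}

/* Contract: 'size' is the maximum number of characters stored, not the
 * array length. After the loop i may equal size, so the terminator lands
 * at buf[size]; the caller must therefore supply size + 1 bytes. */
char *fd_gets(char *buf, int size, int fd)
{
    int i = 0;
    char c;
    while ((i < size) && (fd_getc(fd, &c) == 1)) {
        buf[i++] = c;
    }
    buf[i] = '\0';
    return buf;
}

/* Feed 'input' through a pipe, read it back into a BUF_SZ + 1 buffer, and
 * verify the terminator stayed inside that buffer. Returns the number of
 * characters stored, or -1 if the canary byte placed just past the buffer
 * was overwritten (which a genuine off-by-one would do). */
int demo_read(const char *input)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;
    if (write(pfd[1], input, strlen(input)) < 0)
        return -1;
    close(pfd[1]);

    /* response[0..BUF_SZ] is the BUF_SZ + 1 buffer the callers allocate;
     * response[BUF_SZ + 1] is our canary, still inside this array. */
    char response[BUF_SZ + 2];
    response[BUF_SZ + 1] = 'X';

    fd_gets(response, BUF_SZ, pfd[0]);
    close(pfd[0]);

    if (response[BUF_SZ + 1] != 'X')
        return -1;
    return (int)strlen(response);
}

int main(void)
{
    /* Constructed inputs: one longer than BUF_SZ, one shorter. */
    printf("long input stored %d chars\n", demo_read("0123456789ABCDEF"));
    printf("short input stored %d chars\n", demo_read("abc"));
    return 0;
}
```

With a 16-byte input the loop stops at i == BUF_SZ, the NUL goes to response[BUF_SZ], and the canary survives; the same call against a buffer declared as exactly BUF_SZ bytes would be the overflow the first comment suspected, which is why the size convention at the call sites decides the question.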
Comment 4 Maurice van der Pot (RETIRED) gentoo-dev 2008-08-21 07:27:07 UTC
You're right about the buffer size. 

Now if the strdup is not something that can be abused, then this can be demoted to a regular ssmtp bug.
Comment 5 Maurice van der Pot (RETIRED) gentoo-dev 2008-08-21 17:57:12 UTC
Created attachment 163507 [details, diff]
Updated patch. Removed fix for off-by-one that wasn't an off-by-one.

Updated patch.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 12:34:12 UTC
Created attachment 165005 [details, diff]
ssmtp-unitialized-strdup.patch

Just the security-relevant hunk.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 12:44:26 UTC
Opening to the public, please commit with the patch.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 15:09:23 UTC
CVE-2008-3962 has been assigned.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-09 19:49:22 UTC
2.62-r3 is in CVS.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 09:23:13 UTC
As Tomas Hoger pointed out, this has been a re-introduction of bug 127592 since that patch was dropped in the ebuild when 2.62 was bumped.

2.61 is also affected, but we patched it in 2006.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-12 14:08:07 UTC
(In reply to comment #10)
> As Tomas Hoger pointed out, this has been a re-introduction of bug 127592 since
> that patch was dropped in the ebuild when 2.62 was bumped.
> 
> 2.61 is also affected, but we patched it in 2006.
> 

only 2.61-r2 and 2.61-r31 were patched, but not 2.61-r30 which I apparently used as a base for 2.62, thus the patch got dropped for 2.62. 2.61-r30 was always p.masked iirc.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 14:12:43 UTC
Arches, please test and mark stable:
=mail-mta/ssmtp-2.62-r3
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-12 15:22:50 UTC
Stable for HPPA.
Comment 14 Markus Meier gentoo-dev 2008-09-12 21:42:56 UTC
amd64/x86 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2008-09-13 16:22:16 UTC
alpha/ia64/sparc stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2008-09-17 14:44:47 UTC
ppc and ppc64 stable
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-11-09 12:57:29 UTC
It was only stable for a short timeframe and the issue is almost impossible to exploit. My vote is NO glsa.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-11-26 22:35:07 UTC
no too, and closing.