Bug 480376 (CVE-2013-4223) - <mail-mta/nullmailer-1.11-r2 : world readable /etc/nullmailer/remotes (CVE-2013-4223)
Alias: CVE-2013-4223
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2013-08-09 14:15 UTC by redneb
Modified: 2013-09-25 12:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description redneb 2013-08-09 14:15:50 UTC
The file /etc/nullmailer/remotes contains plaintext passwords to remote SMTP servers. I think it would be a good idea to install it with more restrictive permissions. I tried with root:nullmail / 0640 and it seems that everything works without any issues. The ebuild for mail-mta/ssmtp does a similar thing for its equivalent file. Here's the relevant snippet from that ebuild:

	# Outside a prefix install, restrict the credential file to root and the ssmtp group
	if ! use prefix; then
		fowners root:ssmtp /etc/ssmtp/ssmtp.conf
		fperms 640 /etc/ssmtp/ssmtp.conf
	fi
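As an added illustration of the problem the report describes (this is not code from the bug, from nullmailer or from the ebuilds), the shell functions below check whether a credential-bearing file such as /etc/nullmailer/remotes is readable by "other", and apply the root:GROUP / 0640 layout the reporter tested. The function and variable names are the example's own; the demonstration runs on a constructed temporary file, not the real config, and relies on GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not from the bug report or the nullmailer package.
# Audits a secret-bearing file for the world-readable mode described in the
# report and shows the corrected owner/mode (root:nullmail 0640).

# secret_file_world_readable FILE
# Exit status 0 if FILE is readable by "other", 1 if not, 2 if stat failed.
secret_file_world_readable() {
    # GNU stat: %a prints the octal mode, e.g. 644 (or 1777 with sticky bit)
    mode=$(stat -c '%a' "$1") || return 2
    # The last octal digit holds the "other" bits; bit value 4 is read.
    other=$(( mode % 10 ))
    [ $(( other & 4 )) -ne 0 ]
}

# harden_secret_file FILE GROUP
# Apply the layout from the report: owned by root, readable by GROUP only.
# Needs root to change the owner; chmod alone fixes the world-readable bit.
harden_secret_file() {
    chown "root:$2" "$1" && chmod 0640 "$1"
}

# Demonstration on a constructed temporary file rather than /etc/nullmailer/remotes.
demo() {
    tmp=$(mktemp) || return 1
    # constructed sample line in the remotes format: host protocol options
    printf 'smtp.example.invalid smtp --user=demo --pass=constructed\n' > "$tmp"
    chmod 0644 "$tmp"   # the weak default the report complains about
    if secret_file_world_readable "$tmp"; then
        echo "$tmp is world-readable (mode $(stat -c '%a' "$tmp"))"
    fi
    chmod 0640 "$tmp"   # corrected mode; in production also chown root:nullmail
    if ! secret_file_world_readable "$tmp"; then
        echo "$tmp is no longer world-readable"
    fi
    rm -f "$tmp"
}

demo
```

The check looks only at the "other" read bit because a 0640 file that stays readable by the mail group is exactly what the reporter verified still works; tightening further to 0600 would break the daemon's own access if it runs as the nullmail user.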
Comment 1 Agostino Sarubbo gentoo-dev 2013-08-09 16:21:13 UTC
This becomes a security bug from now on; thanks for the report.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-08-09 16:45:41 UTC

Arches, please stabilize nullmailer-1.11-r2.

Target keywords:
amd64 ppc x86
Comment 3 Agostino Sarubbo gentoo-dev 2013-08-10 10:53:09 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-10 12:07:59 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-28 12:10:48 UTC
x86 stable
Comment 6 Sergey Popov gentoo-dev 2013-09-04 05:49:09 UTC
Thanks for your work

GLSA vote: no
Comment 7 Justin Lecher (RETIRED) gentoo-dev 2013-09-25 10:18:07 UTC
+*nullmailer-1.13-r2 (25 Sep 2013)
+  25 Sep 2013; Justin Lecher <> -nullmailer-1.11.ebuild,
+  -nullmailer-1.11-r1.ebuild, nullmailer-1.11-r2.ebuild,
+  nullmailer-1.11-r3.ebuild, -nullmailer-1.13.ebuild,
+  -nullmailer-1.13-r1.ebuild, +nullmailer-1.13-r2.ebuild,
+  +files/init.d-nullmailer-r3:
+  Drop old vulnerable versions, #480376; respect AR, #480394; make paludis
+  happy, #462846 thanks Thomas Witt for the patch; fix broken openrc
+  initscript, #480354

Removed all versions in question.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-25 12:57:55 UTC
GLSA vote: no. Closing noglsa.