Debian Bug report logs - #301428
smail: security: heap overflow.


Package: smail; Maintainer for smail is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 25 Mar 2005 21:03:20 UTC

Severity: grave

Tags: patch, security

Found in version 3.2.0.114-4

Done: Héctor García <hector@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Hector Garcia <hector@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: smail: Remote and local vulnerabilities can be exploited to obtain root access
Date: Fri, 25 Mar 2005 21:54:27 +0100
Package: smail
Severity: grave
Tags: security patch
Justification: user security hole

[Dear security-team, this should affect Woody as well]

Sean <infamous41md@hotpop.com> has discovered two vulnerabilities in smail,
that can be exploited to obtain root privileges:

1. A heap overflow in RFC 821 header parsing permits remote attackers that
are able to connect to an SMTP server to execute code with root
privileges.
2. Insecure signal handling may be exploitable to obtain extended privileges
for local users as well.

For full details see
http://www.securityfocus.com/archive/1/394286/2005-03-22/2005-03-28/0

It contains a fix for the heap overflow, which I attach to this report.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
[smail-heap-overflow.patch (text/x-c, attachment)]
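Editor's added example, not smail's code and not the attached patch: the bug class above in miniature. An RFC 821 MAIL FROM:<reverse-path> parser copies the address text into a heap buffer sized from the source and writes its terminator at an offset computed against that buffer, which is the shape of the one-line upstream fix quoted later in this thread (p[(ap - address)] = '\0'), with the in-bounds invariant turned into an explicit check. The function names, the 256-character path limit and the rejection rules are assumptions made for this example; the real smail parser and the original faulty line are not reproduced here.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* RFC 821 limits a path to 256 characters; anything longer is treated as
 * hostile (assumed limit for this example). */
#define MAX_PATH_LEN 256

/* Case-insensitive prefix test for SMTP verbs ("mail from:" == "MAIL FROM:"). */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/*
 * Write the NUL terminator into the heap copy `p` at the offset the parse
 * cursor `ap` has reached in the source string `address`.  This is the
 * shape of the upstream one-line fix (p[(ap - address)] = '\0'); the extra
 * check makes the invariant "index < allocation" explicit, so a cursor
 * that ran past the copy can never become an out-of-bounds write.
 * Returns 0 on success, -1 if the index falls outside `cap` bytes.
 */
int terminate_at(char *p, size_t cap, const char *address, const char *ap)
{
    if (ap < address || (size_t)(ap - address) >= cap)
        return -1;
    p[ap - address] = '\0';
    return 0;
}

/*
 * Parse an RFC 821 "MAIL FROM:<reverse-path>" command line.  Returns a
 * malloc'd copy of the text between the angle brackets (possibly empty,
 * for the null reverse-path "<>"), or NULL for anything malformed or
 * over-long.  The caller frees the result.
 */
char *parse_reverse_path(const char *cmd)
{
    const char *address, *ap;
    char *p;
    size_t len;

    if (!has_prefix_ci(cmd, "MAIL FROM:"))
        return NULL;
    address = cmd + strlen("MAIL FROM:");
    while (*address == ' ')
        address++;
    if (*address != '<')
        return NULL;
    address++;                          /* first byte after '<' */

    /* Heap buffer sized from the very source it will hold, plus the NUL. */
    len = strlen(address);
    p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, address, len + 1);

    /* Scan the source for the closing '>'; end-of-string, whitespace or an
     * unprintable byte before it means a malformed path. */
    for (ap = address; *ap != '>'; ap++) {
        if (*ap == '\0' || isspace((unsigned char)*ap) ||
            !isprint((unsigned char)*ap)) {
            free(p);
            return NULL;
        }
    }
    /* ap points at '>' inside address, so ap - address < len < len + 1. */
    if ((size_t)(ap - address) > MAX_PATH_LEN ||
        terminate_at(p, len + 1, address, ap) != 0) {
        free(p);
        return NULL;
    }
    return p;
}
```

The point of routing the terminator write through terminate_at() is that the buffer capacity and the cursor origin are passed together: whoever later changes how `p` is allocated, or walks `ap` over a different string than the one `p` was copied from, hits a rejected return value instead of a silent one-byte heap write.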

Information forwarded to debian-bugs-dist@lists.debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Héctor García Álvarez <hector@debian.org>:
Extra info received and forwarded to list. Copy sent to Hector Garcia <hector@debian.org>.

Message #10 received at 301428@bugs.debian.org:

From: Héctor García Álvarez <hector@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 301428@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#301428: smail: Remote and local vulnerabilities can be exploited to obtain root access
Date: Mon, 28 Mar 2005 00:13:43 +0200
El vie, 25-03-2005 a las 21:54 +0100, Moritz Muehlenhoff escribió:
> Package: smail
> Severity: grave
> Tags: security patch
> Justification: user security hole
> 
> [Dear security-team, this should affect Woody as well]
> 
> Sean <infamous41md@hotpop.com> has discovered two vulnerabilities in smail,
> that can be exploited to obtain root privileges:
> 
> 1. A heap overflow in RFC 821 header parsing permits remote attackers that
> are able to connect to an SMTP server to execute code with root
> privileges.
> 2. Insecure signal handling may be exploitable to obtain extended privileges
> for local users as well.
> 
> For full details see
> http://www.securityfocus.com/archive/1/394286/2005-03-22/2005-03-28/0
> 
> It contains a fix for the heap overflow, which I attach to this report.

Thanks for reporting the bug.
I'll upload a new version which contains your patch as soon as possible.
I put on CC the security team because the version in stable seems to be
affected too.

Kind regards,

Héctor
[signature.asc (application/pgp-signature, inline)]

Reply sent to Hector Garcia <hector@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #15 received at 301428-close@bugs.debian.org:

From: Hector Garcia <hector@debian.org>
To: 301428-close@bugs.debian.org
Subject: Bug#301428: fixed in smail 3.2.0.115-7
Date: Sun, 27 Mar 2005 17:32:07 -0500
Source: smail
Source-Version: 3.2.0.115-7

We believe that the bug you reported is fixed in the latest version of
smail, which is due to be installed in the Debian FTP archive:

smail_3.2.0.115-7.diff.gz
  to pool/main/s/smail/smail_3.2.0.115-7.diff.gz
smail_3.2.0.115-7.dsc
  to pool/main/s/smail/smail_3.2.0.115-7.dsc
smail_3.2.0.115-7_i386.deb
  to pool/main/s/smail/smail_3.2.0.115-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 301428@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hector Garcia <hector@debian.org> (supplier of updated smail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  27 Mar 2005 23:21:43 +0100
Source: smail
Binary: smail
Architecture: source i386
Version: 3.2.0.115-7
Distribution: unstable
Urgency: high
Maintainer: Hector Garcia <hector@debian.org>
Changed-By: Hector Garcia <hector@debian.org>
Description: 
 smail      - Electronic mail transport system
Closes: 301428
Changes: 
 smail (3.2.0.115-7) unstable; urgency=high
 .
   * Added patch to fix security vulnerability. (Closes: #301428)
Files: 
 ef7e0d76a273ef29d0f544f199b116b1 609 mail extra smail_3.2.0.115-7.dsc
 42502d1ba80ecf365c0076302101b921 159694 mail extra smail_3.2.0.115-7.diff.gz
 9a016678846d4a3611aafa2314ca2826 663896 mail extra smail_3.2.0.115-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCRy4JMwsDi2xjdG0RApxKAJ0XilwvsW1qLGISkBc0017IIxYlsACg4eUz
3RaYXvLoelgJU27rSs7u1wM=
=E42E
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Hector Garcia <hector@debian.org>.

Message #20 received at 301428@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Héctor García Álvarez <hector@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 301428@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#301428: smail: Remote and local vulnerabilities can be exploited to obtain root access
Date: Mon, 28 Mar 2005 08:33:30 +0200
Héctor García Álvarez wrote:
> El vie, 25-03-2005 a las 21:54 +0100, Moritz Muehlenhoff escribió:
> > Package: smail
> > Severity: grave
> > Tags: security patch
> > Justification: user security hole
> > 
> > [Dear security-team, this should affect Woody as well]
> > 
> > Sean <infamous41md@hotpop.com> has discovered two vulnerabilities in smail,
> > that can be exploited to obtain root privileges:
> > 
> > 1. A heap overflow in RFC 821 header parsing permits remote attackers that
> > are able to connect to an SMTP server to execute code with root
> > privileges.
> > 2. Insecure signal handling may be exploitable to obtain extended privileges
> > for local users as well.
> > 
> > For full details see
> > http://www.securityfocus.com/archive/1/394286/2005-03-22/2005-03-28/0
> > 
> > It contains a fix for the heap overflow, which I attach to this report.

You did notice that the author claims the problems not to be exploitable,
right?  Should be fixed anyway, but without further investigation it may
not require a CVE id or a DSA.

Regards,

	Joey

-- 
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Héctor García Álvarez <hector@debian.org>:
Extra info received and forwarded to list. Copy sent to Hector Garcia <hector@debian.org>.

Message #25 received at 301428@bugs.debian.org:

From: Héctor García Álvarez <hector@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 301428@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#301428: smail: Remote and local vulnerabilities can be exploited to obtain root access
Date: Mon, 28 Mar 2005 20:01:31 +0200
> You did notice that the author claims the problems not to be exploitable,
> right?

Yes, right before the original submitter claims that it is indeed
exploitable.

>   Should be fixed anyway, but without further investigation it may
> not require a CVE id or a DSA.
> 
My understanding of the exploitable method is not enough to decide who
is right, so I uploaded a new version to unstable which fixes the problem,
and I leave it to you to decide whether an update would be needed for
stable or not.
I can prepare such a package if you want.

Regards,

Hector
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Moritz Muehlenhoff <jmm@informatik.uni-bremen.de>:
Extra info received and forwarded to list. Copy sent to Hector Garcia <hector@debian.org>.

Message #30 received at 301428@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@informatik.uni-bremen.de>
To: 301428@bugs.debian.org
Cc: team@security.debian.org
Subject: Exploit posted to Bugtraq
Date: Tue, 29 Mar 2005 11:21:30 +0200
Hola,
a PoC exploit has been posted to Bugtraq. I don't have a smail setup to
test this against, though. It's attached for your convenience.

Cheers,
        Moritz
-- 
http://unpythonic.net/~jepler/cgi-bin/rottenflesh.cgi
[smail-heap-overflow-remote-exploit-poc.c.gz (application/x-gzip, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Hector Garcia <hector@debian.org>.

Message #35 received at 301428@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: control@bugs.debian.org
Cc: 301428@bugs.debian.org
Subject: reopen 301428
Date: Tue, 29 Mar 2005 17:18:09 -1000
reopen 301428
thanks

I'm reopening this bug report because it consisted of two problems. The patch
provided fixed the heap overflow, which has now been assigned CVE id
CAN-2005-0892. 

However, that leaves smail still vulnerable to CAN-2005-0893, described as
"modes.c in smail 3.2.0.120 implements signal handlers with certain unsafe
library calls, which may allow attackers to execute arbitrary code via signal
handler race conditions, possibly using xmalloc."

Some details here:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111177045217717&w=2 
No patch known at present. There also seems to be some confusion on bugtraq
over whether we have a real security hole at all.

        NOTE: The (upstream) smail maintainer claims both vulnerabilities to be not
        NOTE: exploitable. The bugreporter has presented valid claims, though,
        NOTE: but the smail maintainer blocks the reporter's mail domain on
        NOTE: SMTP level, so there's some kind of communication problem :-)
        NOTE: The patch applied by the maintainer addresses the heap overflow,
        NOTE: but doesn't touch the sighandler issues. This deserves a second
        NOTE: deeper analysis.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]
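Added example to illustrate the CAN-2005-0893 pattern quoted above; it is not smail's modes.c, whose handlers are not reproduced here. It shows a handler that calls malloc/free/snprintf (the unsafe shape, kept for contrast and never installed) beside the async-signal-safe alternative: the handler only records the signal number in a sig_atomic_t and wakes the main loop through a self-pipe, and critical sections are bracketed with sigprocmask so the handler cannot interrupt them. The function names and the self-pipe design are choices made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * The pattern CAN-2005-0893 describes: a handler that calls library
 * routines which are not async-signal-safe.  If the signal lands while the
 * interrupted code is inside malloc()/free() (or anything else that holds
 * a lock or has a data structure half-updated), the handler re-enters that
 * code on inconsistent state.  Shown for contrast only; nothing below
 * installs it.
 */
static char *last_report;
void unsafe_handler(int sig)
{
    free(last_report);                      /* not async-signal-safe */
    last_report = malloc(64);               /* not async-signal-safe */
    if (last_report != NULL)
        snprintf(last_report, 64, "caught signal %d", sig);  /* nor this */
}

/*
 * Safe pattern: the handler records the event in a sig_atomic_t and pokes
 * a self-pipe so a blocking select()/poll() wakes up; logging, allocation
 * and cleanup happen later in normal context.  write(2) is on the POSIX
 * async-signal-safe list; errno is saved because the interrupted code may
 * be about to inspect it.
 */
static volatile sig_atomic_t pending_signal = 0;
static int wake_pipe[2] = { -1, -1 };

static void safe_handler(int sig)
{
    int saved_errno = errno;
    unsigned char byte = (unsigned char)sig;
    pending_signal = sig;
    if (wake_pipe[1] != -1)
        (void)write(wake_pipe[1], &byte, 1);
    errno = saved_errno;
}

/* Install safe_handler for `sig` via sigaction(2).  Returns 0 on success. */
int install_safe_handler(int sig)
{
    struct sigaction sa;
    if (wake_pipe[0] == -1 && pipe(wake_pipe) != 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(sig, &sa, NULL);
}

/* 1 if a signal has been recorded and not yet consumed, else 0. */
int signal_is_pending(void)
{
    return pending_signal != 0;
}

/* Main-loop side: consume the wake byte and return the recorded signal
 * number, or 0 if nothing is pending.  The work the unsafe handler tried
 * to do (allocating, formatting, logging) belongs here. */
int take_pending_signal(void)
{
    unsigned char byte;
    int sig = pending_signal;
    if (sig == 0)
        return 0;
    pending_signal = 0;
    (void)read(wake_pipe[0], &byte, 1);
    return sig;
}

/* Hold `sig` off around a critical section (for example an allocation-
 * heavy update of shared state).  A signal raised meanwhile stays pending
 * and is delivered when restore_signals() reinstates the old mask. */
int block_signal(int sig, sigset_t *old)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, sig);
    return sigprocmask(SIG_BLOCK, &set, old);
}

int restore_signals(const sigset_t *old)
{
    return sigprocmask(SIG_SETMASK, old, NULL);
}
```

Because raise(3) delivers synchronously in a single-threaded process, the sequence install, raise, take_pending_signal can be exercised directly; the blocked case shows that a signal raised inside a block_signal/restore_signals bracket is only seen once the mask is restored, which is the property that keeps a handler out of the middle of malloc.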

Bug reopened, originator not changed. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Andrew Buckeridge <andrewb@bgc.com.au>:
Extra info received and forwarded to list. Copy sent to Hector Garcia <hector@debian.org>.

Message #42 received at 301428@bugs.debian.org:

From: Andrew Buckeridge <andrewb@bgc.com.au>
To: 301428@bugs.debian.org
Subject: one line fix upstream and my setuid root fix
Date: Wed, 4 May 2005 17:01:23 +0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

package: smail
version: 3.2.0.114-4

Greg has posted a one line fix in
http://www.weird.com/~woods/projects/smail.html

on line 223 of src/addr.c
p[(ap - address)] = '\0';

He was not informed prior to announcement as his Smail does not accept
spoofed email.  A security feature. :)

Be nice if the one line patch is in soon.

A longer issue is having Smail run as root.  I have done an ugly fix to
stop in.smtpd running as root.  It sort of works, but I will need to
test this a bit more.

I have removed setuid from the smail binary and changed files to mail
with : -
chown -R mail /var/log/smail /var/spool/smail

In crontab -u root I have : -
#(min h)        (dm m dw)       (command)
*/15 *  * * *   /usr/sbin/runq -q

In /etc/inetd.conf I have : -
smtp   stream  tcp     nowait  mail    /usr/sbin/smail in.smtpd -bs -Q

This also avoids the DoS from the overflow, but not ideal.

Created /usr/local/bin/sendmail with : -
#! /bin/sh
# Last minute 53cur!ty b4 w3r3 0wn3d
# hide real sendmail and remove setuid root
# With visudo add the following: -
# ALL ALL = NOPASSWD: /usr/sbin/smail
exec /usr/bin/sudo /usr/sbin/smail "$@"

Which I have used to replace the sendmail command : -
# ls -l /usr/sbin/sendmail /usr/lib/sendmail 
lrwxrwxrwx    1 root     root           21 May  4 09:46
/usr/lib/sendmail -> ../local/bin/sendmail
lrwxrwxrwx    1 root     root           21 May  4 09:55
/usr/sbin/sendmail -> ../local/bin/sendmail

I have changed the cron that came with the package.  It now runs monthly
and I run checkerr as root.  I must still do this with above.  Log files
now have owner set to mail.
/etc/cron.monthly/smail now reads : -
#!/bin/sh
# Run the Smail error checking script and rotate the logfiles.
# We have to rotate the logs as root as otherwise we can't fix the
# timestamps, and so we might as well add the checkerr script here
# too.
test -f /usr/sbin/smail || exit 0
cd /tmp

#echo "Cron job - running checkerr as mail" | logger
#su -c /usr/lib/smail/checkerr mail
# smail: [6841] setgroups() failed: Operation not permitted

# Never works as mail - AB
echo "Cron job - running checkerr as ROOT" | logger
/usr/lib/smail/checkerr
# May actually work now in.smtpd runs as mail and su syntax correct
# No still have to run as root

set -e
cd /var/log/smail
savelog -u mail -g mail -m 644 -c 30 logfile >/dev/null
# Took our paniclog as Smail sometimes dies and I would like to know why
# - AB
-- 
		\|/ ____ \|/
		"@'/ .. \`@"
		/_| \__/ |_\
		   \__U_/
6279EACE 2004-04-23 Andrew Buckeridge <andrewb@bgc.com.au>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCeI9jm2fZcWJ56s4RAjBSAJ9bwDllxA9z4eA9BclqtWhop819ugCeN0X9
V+eYfKBVrHwiKFjqsev5ahU=
=SZCm
-----END PGP SIGNATURE-----
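Added example, not part of Andrew's post or of the Debian package: the privilege handling his changes aim for, written in C. drop_privileges() does the three steps in the order that matters (setgroups while still root, setgid before setuid, then verify that root cannot be regained), which is also why "setgroups() failed: Operation not permitted" shows up in the cron comment above once the process already ran as mail. is_setuid() is the audit check for the bit he removed from the binary. A caveat on the sudoers line in the post: "ALL ALL = NOPASSWD: /usr/sbin/smail" lets every local user run smail as root with any arguments, so any local user can drive the MTA as root, which hands back much of the exposure the setuid removal was meant to take away; a wrapper like that needs a rule limited to the mail user and to fixed arguments. Function names are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if `path` carries the set-user-id bit, 0 if not, -1 if it cannot be
 * stat'ed.  Auditing for this bit is the check behind "removed setuid
 * from the smail binary". */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/*
 * Permanently drop to uid/gid.  Order matters:
 *  1. setgroups() while still root: it needs CAP_SETGID, which is why the
 *     cron comment saw "setgroups() failed: Operation not permitted" once
 *     the process was already running as mail.
 *  2. setgid() before setuid(): after the uid is unprivileged the gid can
 *     no longer be changed.
 *  3. Verify, and refuse to continue half-privileged.
 * Returns 0 on success, -1 with errno set on failure.  Calling it when
 * already running as uid/gid is a harmless no-op.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Root must not be recoverable: setuid(0) has to fail now. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Resolve an account name (e.g. "mail") and drop to it.  Returns -1 if
 * the account does not exist or the drop fails. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    return drop_privileges(pw->pw_uid, pw->pw_gid);
}
```

A daemon started by inetd as mail, as in the inetd.conf line above, never holds root at all, which is the stronger arrangement; drop_privileges() is for the case where the listener must bind or open something as root first and then shed the privilege before it parses anything from the network.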



Information forwarded to debian-bugs-dist@lists.debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Héctor García Álvarez <hector@debian.org>:
Extra info received and forwarded to list. Copy sent to Hector Garcia <hector@debian.org>.

Message #47 received at 301428@bugs.debian.org:

From: Héctor García Álvarez <hector@debian.org>
To: 301428@bugs.debian.org, Andrew Buckeridge <andrewb@bgc.com.au>
Subject: Re: Bug#301428: one line fix upstream and my setuid root fix
Date: Wed, 04 May 2005 23:41:15 +0200
If you read the bug report, the patch you sent is already applied, but
unfortunately there is another bug reported (I should split the bug and
close the first one, I guess) which can lead to a root exploit.

About your changes to make it run as non-root, I'll test them this week
and in case everything works, I'll update this weekend.

Thanks a lot,

Héctor



Information forwarded to debian-bugs-dist@lists.debian.org, Hector Garcia <hector@debian.org>:
Bug#301428; Package smail.

Acknowledgement sent to Rob Weir <rweir@ertius.org>:
Extra info received and forwarded to list. Copy sent to Hector Garcia <hector@debian.org>.

Message #52 received at 301428@bugs.debian.org:

From: Rob Weir <rweir@ertius.org>
To: Héctor García Álvarez <hector@debian.org>
Cc: 280337@bugs.debian.org, 301428@bugs.debian.org
Subject: Re: Bug#301428: one line fix upstream and my setuid root fix
Date: Wed, 19 Oct 2005 21:57:44 +1000
On Wed, May 04, 2005 at 11:41:15PM +0200, Héctor García Álvarez said
> If you read the bug report the patch you send it is already applied, but
> unfortunally there is another bug reported (I should split the bug and
> close the first one, I guess) which can lead to a root exploit.
> 
> About your changes to make it run as non-root, I'll test then this week
> and in case everything works, I'll update this weekend.

Hi Héctor,

will you be able to upload in the near future to fix #301428 and
#280337?  If not, would you mind if someone NMU'd smail to at least fix
#280337?  It's a small and simple patch, and lets smail at least build
on sid again :)

-rob
-- 
That's all I wanted to do - rollerskate.
[signature.asc (application/pgp-signature, inline)]

Bug 301428 cloned as bug 335042. Request was from Héctor García <hector@debian.org> to control@bugs.debian.org.

Changed Bug title. Request was from Héctor García <hector@debian.org> to control@bugs.debian.org.

Reply sent to Héctor García <hector@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #61 received at 301428-done@bugs.debian.org:

From: Héctor García <hector@debian.org>
To: 301428-done@bugs.debian.org
Cc: control@bugs.debian.org
Date: Fri, 21 Oct 2005 18:10:56 +0200
clone 301428 -1
retitle 301428 smail: security: heap overflow.
retitle -1 insecure signal handling
severity -1 important
tags -1 + help
thanks

Version: 3.2.0.115-7

The first part has been closed for a long time.
The second part, hence the clone, is reported to be a security bug, but
upstream says it is not.
There is no exploit for the second bug and I'm not really capable of
deciding who is right (is it a security bug?), so I'm trusting upstream on
this.
Anyway I'm asking for help in case someone can give me a more clueful
opinion on this 'security' bug.

Regards,

Héctor
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 21:13:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 20:26:34 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.