Debian Bug report logs - #320290
[CAN-2005-2151]: Potential DoS when handling DNS failures while looking up SPF records


Package: courier-mta; Maintainer for courier-mta is Stefan Hornburg (Racke) <racke@linuxia.de>; Source for courier-mta is src:courier.

Reported by: Micah Anderson <micah@riseup.net>

Date: Thu, 28 Jul 2005 06:48:28 UTC

Severity: important

Tags: etch, experimental, fixed, patch, sarge, security

Fixed in version courier/0.47-6

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#320290; Package courier-mta. Full text and rfc822 format available.

Acknowledgement sent to Micah Anderson <micah@riseup.net>:
New Bug report received and forwarded. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Micah Anderson <micah@riseup.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2005-2151]: Potential DoS when handling DNS failures while looking up SPF records
Date: Thu, 28 Jul 2005 00:47:01 -0500
Package: courier-mta
Severity: important
Tags: security

Please include this CAN number in any changelog dealing with this
matter.

A vulnerability has been reported in Courier Mail Server, which
potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

The vulnerability is caused due to an error in "rfc1035/spf.c" when
handling DNS lookup failures while looking up SPF records. This causes
freeing of non-allocated memory and can potentially be exploited to
crash the service.

The vulnerability has been reported in version 0.50.0. Prior versions
may also be affected.

According to http://www.courier-mta.org/?changelog.html this is fixed
in 0.51:

2005-07-02  Mr. Sam  <mrsam@courier-mta.com>

	* rfc1035/spf.c: Soft DNS failures weren't handled properly when
    looking up SPF records.  Potential memory corruption.
			  
Micah			  

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
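
One way the bug class described in the report above can arise (cleanup after a failed DNS lookup frees memory that was never allocated), next to a hardened form. This is an added illustration, not Courier's rfc1035/spf.c code; the resolver stub, the enum names and the .example domains are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical codes and resolver stub (assumptions, not Courier's rfc1035 API). */
enum dns_rc { DNS_OK, DNS_NXDOMAIN, DNS_SOFTFAIL };
enum spf_result { SPF_NONE, SPF_FOUND, SPF_TEMPERROR };

/* Constructed stub: on failure it returns early and never writes *txt. */
static enum dns_rc lookup_txt(const char *domain, char **txt)
{
    if (strcmp(domain, "timeout.example") == 0)
        return DNS_SOFTFAIL;              /* timeout or SERVFAIL */
    if (strcmp(domain, "nospf.example") == 0)
        return DNS_NXDOMAIN;
    *txt = malloc(16);
    if (*txt == NULL)
        return DNS_SOFTFAIL;
    strcpy(*txt, "v=spf1 -all");
    return DNS_OK;
}

#ifdef DEMO_FLAWED /* compiled out by default: undefined behaviour on failure */
enum spf_result spf_check_flawed(const char *domain)
{
    char *txt;                            /* never initialised */
    enum spf_result r = SPF_NONE;
    if (lookup_txt(domain, &txt) == DNS_OK)
        r = SPF_FOUND;
    free(txt);                            /* frees a pointer that was never allocated */
    return r;
}
#endif

/* Hardened: initialise, map every DNS outcome, free only owned memory. */
enum spf_result spf_check_hardened(const char *domain)
{
    char *txt = NULL;
    enum spf_result r;
    switch (lookup_txt(domain, &txt)) {
    case DNS_OK:       r = SPF_FOUND;     break;
    case DNS_NXDOMAIN: r = SPF_NONE;      break;
    default:           r = SPF_TEMPERROR; break;
    }
    free(txt);                            /* free(NULL) is a no-op */
    return r;
}

int main(void) { printf("%d\n", spf_check_hardened("timeout.example")); return 0; }
```

Building the flawed variant with `-DDEMO_FLAWED -fsanitize=address` is a way to see the invalid free reported in a test environment.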



Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#320290; Package courier-mta. Full text and rfc822 format available.

Acknowledgement sent to Willi Mann <willi@wm1.at>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. Full text and rfc822 format available.

Message #10 received at 320290@bugs.debian.org (full text, mbox):

From: Willi Mann <willi@wm1.at>
To: Micah Anderson <micah@riseup.net>, 320290@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#320290: [CAN-2005-2151]: Potential DoS when handling DNS failures while looking up SPF records
Date: Thu, 28 Jul 2005 09:47:46 +0200
tag 320290 + patch
thanks

Micah Anderson wrote:
> Package: courier-mta
> Severity: important
> Tags: security
> 
> Please include this CAN number in any changelog dealing with this
> matter.
>
> 2005-07-02  Mr. Sam  <mrsam@courier-mta.com>
> 
> 	* rfc1035/spf.c: Soft DNS failures weren't handled properly when
>     looking up SPF records.  Potential memory corruption.

And the patch is here:
http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/mail-mta/courier/files/courier-0.48.1-spf-error-handling.patch?rev=1.1

Just in case someone needs fixed packages NOW: Fixed packages for i386 are 
available from

http://wserver.wm1.at/~willi/debian_packages/courier/stable-security/main/binary-i386/mail/

Sorry for the stupid long URL, I've been playing with apt-move and 
debarchiver and that's the result.

Willi



Tags added: patch Request was from Willi Mann <willi@wm1.at> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#320290; Package courier-mta. Full text and rfc822 format available.

Acknowledgement sent to Stefan Hornburg <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. Full text and rfc822 format available.

Message #17 received at 320290@bugs.debian.org (full text, mbox):

From: Stefan Hornburg <racke@linuxia.de>
To: Willi Mann <willi@wm1.at>, 320290@bugs.debian.org
Cc: racke@linuxia.de
Subject: Re: Bug#320290: [CAN-2005-2151]: Potential DoS when handling DNS failures while looking up SPF records
Date: Thu, 28 Jul 2005 11:20:09 +0200
On Thu, 28 Jul 2005 09:47:46 +0200
Willi Mann <willi@wm1.at> wrote:

> tag 320290 + patch
> thanks

Thanks for the patch. I'm building packages for unstable right now.

Bye
	Racke


-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team




Reply sent to Stefan Hornburg (Racke) <racke@linuxia.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Micah Anderson <micah@riseup.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 320290-close@bugs.debian.org (full text, mbox):

From: Stefan Hornburg (Racke) <racke@linuxia.de>
To: 320290-close@bugs.debian.org
Subject: Bug#320290: fixed in courier 0.47-6
Date: Thu, 28 Jul 2005 03:02:13 -0700
Source: courier
Source-Version: 0.47-6

We believe that the bug you reported is fixed in the latest version of
courier, which is due to be installed in the Debian FTP archive:

courier-authdaemon_0.47-6_i386.deb
  to pool/main/c/courier/courier-authdaemon_0.47-6_i386.deb
courier-authmysql_0.47-6_i386.deb
  to pool/main/c/courier/courier-authmysql_0.47-6_i386.deb
courier-authpostgresql_0.47-6_i386.deb
  to pool/main/c/courier/courier-authpostgresql_0.47-6_i386.deb
courier-base_0.47-6_i386.deb
  to pool/main/c/courier/courier-base_0.47-6_i386.deb
courier-doc_0.47-6_all.deb
  to pool/main/c/courier/courier-doc_0.47-6_all.deb
courier-faxmail_0.47-6_i386.deb
  to pool/main/c/courier/courier-faxmail_0.47-6_i386.deb
courier-imap-ssl_3.0.8-6_i386.deb
  to pool/main/c/courier/courier-imap-ssl_3.0.8-6_i386.deb
courier-imap_3.0.8-6_i386.deb
  to pool/main/c/courier/courier-imap_3.0.8-6_i386.deb
courier-ldap_0.47-6_i386.deb
  to pool/main/c/courier/courier-ldap_0.47-6_i386.deb
courier-maildrop_0.47-6_i386.deb
  to pool/main/c/courier/courier-maildrop_0.47-6_i386.deb
courier-mlm_0.47-6_i386.deb
  to pool/main/c/courier/courier-mlm_0.47-6_i386.deb
courier-mta-ssl_0.47-6_i386.deb
  to pool/main/c/courier/courier-mta-ssl_0.47-6_i386.deb
courier-mta_0.47-6_i386.deb
  to pool/main/c/courier/courier-mta_0.47-6_i386.deb
courier-pcp_0.47-6_i386.deb
  to pool/main/c/courier/courier-pcp_0.47-6_i386.deb
courier-pop-ssl_0.47-6_i386.deb
  to pool/main/c/courier/courier-pop-ssl_0.47-6_i386.deb
courier-pop_0.47-6_i386.deb
  to pool/main/c/courier/courier-pop_0.47-6_i386.deb
courier-ssl_0.47-6_i386.deb
  to pool/main/c/courier/courier-ssl_0.47-6_i386.deb
courier-webadmin_0.47-6_i386.deb
  to pool/main/c/courier/courier-webadmin_0.47-6_i386.deb
courier_0.47-6.diff.gz
  to pool/main/c/courier/courier_0.47-6.diff.gz
courier_0.47-6.dsc
  to pool/main/c/courier/courier_0.47-6.dsc
sqwebmail_0.47-6_i386.deb
  to pool/main/c/courier/sqwebmail_0.47-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 320290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <racke@linuxia.de> (supplier of updated courier package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 28 Jul 2005 11:19:30 +0200
Source: courier
Binary: courier-authpostgresql courier-ldap courier-faxmail courier-pcp courier-authmysql courier-imap courier-authdaemon courier-base sqwebmail courier-ssl courier-pop courier-mta courier-webadmin courier-imap-ssl courier-doc courier-mlm courier-maildrop courier-mta-ssl courier-pop-ssl
Architecture: source i386 all
Version: 0.47-6
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Changed-By: Stefan Hornburg (Racke) <racke@linuxia.de>
Description: 
 courier-authdaemon - Courier Mail Server - Authentication daemon
 courier-authmysql - Courier Mail Server - MySQL authentication
 courier-authpostgresql - Courier Mail Server - PostgreSQL Authentication
 courier-base - Courier Mail Server - Base system
 courier-doc - Courier Mail Server - Additional documentation
 courier-faxmail - Courier Mail Server - Faxmail gateway
 courier-imap - Courier Mail Server - IMAP server
 courier-imap-ssl - Courier Mail Server - IMAP over SSL
 courier-ldap - Courier Mail Server - LDAP support
 courier-maildrop - Courier Mail Server - Mail delivery agent
 courier-mlm - Courier Mail Server - Mailing list manager
 courier-mta - Courier Mail Server - ESMTP daemon
 courier-mta-ssl - Courier Mail Server - ESMTP over SSL
 courier-pcp - Courier Mail Server - PCP server
 courier-pop - Courier Mail Server - POP3 server
 courier-pop-ssl - Courier Mail Server - POP3 over SSL
 courier-ssl - Courier Mail Server - SSL/TLS Support
 courier-webadmin - Courier Mail Server - Web-based administration frontend
 sqwebmail  - Courier Mail Server - Webmail server
Closes: 320290
Changes: 
 courier (0.47-6) unstable; urgency=high
 .
   * added patch to avoid potential DoS when handling DNS failures while
     looking up SPF records [CAN-2005-2151] (Closes: #320290, thanks to
     Micah Anderson <micah@riseup.net> for the report and Willi Mann
     <willi@wm1.at> for the patch)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC6Kh/jgVfE5tya3ERAqDxAKCv9yewdnAbw8v1umqU9nYRO5avygCdFwNT
AryH78fmE3wLS153AD2MWjQ=
=1fTG
-----END PGP SIGNATURE-----




Bug reopened, originator not changed. Request was from Stefan Hornburg <racke@linuxia.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Stefan Hornburg <racke@linuxia.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: etch Request was from Stefan Hornburg <racke@linuxia.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: experimental Request was from Stefan Hornburg <racke@linuxia.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Stefan Hornburg (Racke) <racke@linuxia.de> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 0.47-6, send any further explanations to Micah Anderson <micah@riseup.net> Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 30 May 2007 20:21:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 20:40:48 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:32:49 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.