Debian Bug report logs - #475163
sympa: CVE-2008-1648 denial of service via crafted email

Package: sympa; Maintainer for sympa is Debian Sympa team <pkg-sympa-devel@lists.alioth.debian.org>; Source for sympa is src:sympa.

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 9 Apr 2008 13:15:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions sympa/5.3.4-4, sympa/5.2.3-1.2+etch1

Done: Steve Kemp <skx@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#475163; Package sympa.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: sympa: CVE-2008-1648 denial of service via crafted email
Date: Wed, 9 Apr 2008 15:11:45 +0200
[Message part 1 (text/plain, inline)]
Package: sympa
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sympa.


CVE-2008-1648[0]:
| Sympa before 5.4 allows remote attackers to cause a denial of service
| (daemon crash) via an e-mail message with a malformed value of the
| Content-Type header and unspecified other headers.  NOTE: some of these
| details are obtained from third party information.

First apply this patch:
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/PlainDigest.pm?r1=3597&r2=4834&view=patch
and then this patch:
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/PlainDigest.pm?r1=4834&r2=4835&view=patch

to fix the problem.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1648
    http://security-tracker.debian.net/tracker/CVE-2008-1648

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#475163; Package sympa.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.

Message #10 received at 475163@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475163@bugs.debian.org
Subject: intent to NMU
Date: Fri, 11 Apr 2008 15:58:29 +0200
[Message part 1 (text/plain, inline)]
Hi,
the attached patch fixes this issue.
It will also be archived on:
http://people.debian.org/~nion/nmu-diff/sympa-5.3.4-3_5.3.4-3.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[sympa-5.3.4-3_5.3.4-3.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#475163; Package sympa.

Acknowledgement sent to Stefan Hornburg <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.

Message #15 received at 475163@bugs.debian.org:

From: Stefan Hornburg <racke@linuxia.de>
To: Nico Golde <nion@debian.org>, 475163@bugs.debian.org
Subject: Re: Bug#475163: intent to NMU
Date: Fri, 11 Apr 2008 16:07:27 +0200
Nico Golde wrote:
> Hi,
> the attached patch fixes this issue.
> It will also be archived on:
> http://people.debian.org/~nion/nmu-diff/sympa-5.3.4-3_5.3.4-3.1.patch

sympa_5.3.4-4_i386.changes uploaded successfully to localhost
along with the files:
 sympa_5.3.4-4.dsc
 sympa_5.3.4-4.diff.gz
 sympa_5.3.4-4_i386.deb

Greetings,

	Your Debian queue daemon

I don't know what is going wrong with that upload.

Regards
        Racke


-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#475163; Package sympa.

Acknowledgement sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.

Message #20 received at 475163@bugs.debian.org:

From: "Stefan Hornburg (Racke)" <racke@linuxia.de>
To: Stefan Hornburg <racke@linuxia.de>, 475163@bugs.debian.org
Subject: Re: Bug#475163: intent to NMU
Date: Fri, 11 Apr 2008 22:56:28 +0200
Stefan Hornburg wrote:
> Nico Golde wrote:
>> Hi,
>> the attached patch fixes this issue.
>> It will also be archived on:
>> http://people.debian.org/~nion/nmu-diff/sympa-5.3.4-3_5.3.4-3.1.patch
> 
> sympa_5.3.4-4_i386.changes uploaded successfully to localhost
> along with the files:
>  sympa_5.3.4-4.dsc
>  sympa_5.3.4-4.diff.gz
>  sympa_5.3.4-4_i386.deb
> 
> Greetings,
> 
>     Your Debian queue daemon
> 
> I don't know what is going wrong with that upload.

I tried a new upload just a few minutes ago.

Regards
         Racke



-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

Reply sent to Stefan Hornburg (Racke) <racke@linuxia.de>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #25 received at 475163-close@bugs.debian.org:

From: Stefan Hornburg (Racke) <racke@linuxia.de>
To: 475163-close@bugs.debian.org
Subject: Bug#475163: fixed in sympa 5.3.4-4
Date: Sat, 12 Apr 2008 09:32:42 +0000
Source: sympa
Source-Version: 5.3.4-4

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive:

sympa_5.3.4-4.diff.gz
  to pool/main/s/sympa/sympa_5.3.4-4.diff.gz
sympa_5.3.4-4.dsc
  to pool/main/s/sympa/sympa_5.3.4-4.dsc
sympa_5.3.4-4_i386.deb
  to pool/main/s/sympa/sympa_5.3.4-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <racke@linuxia.de> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 11 Apr 2008 22:22:31 +0200
Source: sympa
Binary: sympa
Architecture: source i386
Version: 5.3.4-4
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Changed-By: Stefan Hornburg (Racke) <racke@linuxia.de>
Description: 
 sympa      - Modern mailing list manager
Closes: 472524 472941 475163
Changes: 
 sympa (5.3.4-4) unstable; urgency=high
 .
   * fix denial of service via crafted email (Closes: #475163,
     CVE-2008-1648, thanks to Nico Golde <nion@debian.org> for the report)
   * ensure that supported_lang always contains en_US (Closes: #472941,
     thanks to Chris Davies <chris@roaima.co.uk> for the report)
   * move call to Debconf library to the top of postinst (Closes: #472524,
     thanks to Olivier Berger <olivier.berger@it-sudparis.eu> for the
     report and the patch)
   * correct invocation of clean targets
Checksums-Sha1: 
 b7474900c1601fe78d348d54a2ee0efe7ebbf5bb 976 sympa_5.3.4-4.dsc
 05c29c9137204d950a670f137b19d1af61b2787a 109093 sympa_5.3.4-4.diff.gz
 1a90d4c47147546efd5bbc392fcc0f09c5998e8b 3086098 sympa_5.3.4-4_i386.deb
Checksums-Sha256: 
 802d865b6113554471ba11873bee2dfb0a2a2a05433d32a3e21e1009fcc1326b 976 sympa_5.3.4-4.dsc
 0541ea71b6aab9dbcb25ce15b6e68202c6111f7b8be5e859d880ea52508c9804 109093 sympa_5.3.4-4.diff.gz
 918c85d48b75538611b50709dc83a0ea471f18810937449f0eb06317c9fd1ea2 3086098 sympa_5.3.4-4_i386.deb
Files: 
 12518253351045796dd381f16a2986ed 976 mail optional sympa_5.3.4-4.dsc
 8fb79e868bd2b75a2af6e73d0f20386f 109093 mail optional sympa_5.3.4-4.diff.gz
 2447b013c561944e8da94d48fb538ab9 3086098 mail optional sympa_5.3.4-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIAH8GjgVfE5tya3ERAmpZAKCae2ekvXvYkrupOWaebgSMvOSoPACg3SbT
7lzj3vPFmdqiyMks5RrTgTo=
=vMZQ
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#475163; Package sympa.

Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.

Message #30 received at 475163@bugs.debian.org:

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: 475163@bugs.debian.org
Subject: Re: Bug#475163: intent to NMU
Date: Mon, 14 Apr 2008 14:29:55 +0200
[Message part 1 (text/plain, inline)]
Hi.

I think (almost) the same patch applies to sympa-5.2.3 too, which is in
Debian stable.

Such a fix should be applied to stable too, I guess
(http://security-tracker.debian.net/tracker/CVE-2008-1648).

I have built a proposed patch to apply to stable's package sources
(attached report from "interdiff -z sympa_5.2.3-1.2.diff.gz
sympa_5.2.3-1.3.diff.gz")

I was unable to test whether it works, as I have no message that exhibits the
MIME problem at stake, and I'm not sure the added return code is also valid
on that old version (should ask upstream, maybe?).

Hope this helps anyway,

Best regards.

On Friday, 11 April 2008 at 15:58 +0200, Nico Golde wrote:
> Hi,
> the attached patch fixes this issue.
> It will also be archived on:
> http://people.debian.org/~nion/nmu-diff/sympa-5.3.4-3_5.3.4-3.1.patch
> 
> Kind regards
> Nico
> 
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), Evry

[patch_5.2.3-1.3-proposed.patch (text/x-patch, attachment)]

Reply sent to Steve Kemp <skx@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #35 received at 475163-close@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: 475163-close@bugs.debian.org
Subject: Bug#475163: fixed in sympa 5.2.3-1.2+etch1
Date: Wed, 23 Jul 2008 07:52:26 +0000
Source: sympa
Source-Version: 5.2.3-1.2+etch1

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive:

sympa_5.2.3-1.2+etch1.diff.gz
  to pool/main/s/sympa/sympa_5.2.3-1.2+etch1.diff.gz
sympa_5.2.3-1.2+etch1.dsc
  to pool/main/s/sympa/sympa_5.2.3-1.2+etch1.dsc
sympa_5.2.3-1.2+etch1_amd64.deb
  to pool/main/s/sympa/sympa_5.2.3-1.2+etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Kemp <skx@debian.org> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 30 Jun 2008 16:17:18 +0000
Source: sympa
Binary: sympa
Architecture: source amd64
Version: 5.2.3-1.2+etch1
Distribution: stable-security
Urgency: high
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Changed-By: Steve Kemp <skx@debian.org>
Description: 
 sympa      - Modern mailing list manager
Closes: 475163
Changes: 
 sympa (5.2.3-1.2+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix possible denial of service attack triggered
     via a malformed email header (CVE-2008-1648; Closes: #475163).
Files: 
 c7e720e56b1c4e9778cea822ed150a19 625 mail optional sympa_5.2.3-1.2+etch1.dsc
 355cb9174841205831191c93a83da895 5102528 mail optional sympa_5.2.3.orig.tar.gz
 a93d8ec3dcbc0a0aed99e513c5749c0e 96804 mail optional sympa_5.2.3-1.2+etch1.diff.gz
 531781d522ad5f02e6c5b658883ed37d 3591854 mail optional sympa_5.2.3-1.2+etch1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkho/OcACgkQwM/Gs81MDZ1DggCguWHsxIkq6/qH4sS2fwWoSkjK
xAcAoJ1EpG6z5ZmlVxYr5w0bvbS3/e2U
=6Xn8
-----END PGP SIGNATURE-----

Reply sent to Steve Kemp <skx@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #40 received at 475163-close@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: 475163-close@bugs.debian.org
Subject: Bug#475163: fixed in sympa 5.2.3-1.2+etch1
Date: Sat, 26 Jul 2008 09:58:02 +0000
Source: sympa
Source-Version: 5.2.3-1.2+etch1

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive:

sympa_5.2.3-1.2+etch1.diff.gz
  to pool/main/s/sympa/sympa_5.2.3-1.2+etch1.diff.gz
sympa_5.2.3-1.2+etch1.dsc
  to pool/main/s/sympa/sympa_5.2.3-1.2+etch1.dsc
sympa_5.2.3-1.2+etch1_amd64.deb
  to pool/main/s/sympa/sympa_5.2.3-1.2+etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Kemp <skx@debian.org> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 30 Jun 2008 16:17:18 +0000
Source: sympa
Binary: sympa
Architecture: source amd64
Version: 5.2.3-1.2+etch1
Distribution: stable-security
Urgency: high
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Changed-By: Steve Kemp <skx@debian.org>
Description: 
 sympa      - Modern mailing list manager
Closes: 475163
Changes: 
 sympa (5.2.3-1.2+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix possible denial of service attack triggered
     via a malformed email header (CVE-2008-1648; Closes: #475163).
Files: 
 c7e720e56b1c4e9778cea822ed150a19 625 mail optional sympa_5.2.3-1.2+etch1.dsc
 355cb9174841205831191c93a83da895 5102528 mail optional sympa_5.2.3.orig.tar.gz
 a93d8ec3dcbc0a0aed99e513c5749c0e 96804 mail optional sympa_5.2.3-1.2+etch1.diff.gz
 531781d522ad5f02e6c5b658883ed37d 3591854 mail optional sympa_5.2.3-1.2+etch1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkho/OcACgkQwM/Gs81MDZ1DggCguWHsxIkq6/qH4sS2fwWoSkjK
xAcAoJ1EpG6z5ZmlVxYr5w0bvbS3/e2U
=6Xn8
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:33:31 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:59:46 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.