Debian Bug report logs - #573228
Arbitrary command execution (report from full-disclosure)

version graph

Package: spamass-milter; Maintainer for spamass-milter is Don Armstrong <don@debian.org>; Source for spamass-milter is src:spamass-milter.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 9 Mar 2010 21:54:02 UTC

Severity: grave

Tags: security

Fixed in versions spamass-milter/0.3.1-9, spamass-milter/0.3.1-8+lenny1

Done: Don Armstrong <don@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://savannah.nongnu.org/bugs/index.php?29136

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Don Armstrong <don@debian.org>:
Bug#573228; Package spamass-milter. (Tue, 09 Mar 2010 21:54:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Don Armstrong <don@debian.org>. (Tue, 09 Mar 2010 21:54:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Arbitrary command execution (report from full-disclosure)
Date: Tue, 09 Mar 2010 22:50:56 +0100
Package: spamass-milter
Severity: grave
Tags: security

Hi Don,
The following report was posted to full-disclosure:
http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073489.html

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages spamass-milter depends on:
ii  adduser                       3.112      add and remove users and groups
ii  libc6                         2.10.2-6   Embedded GNU C Library: Shared lib
ii  libgcc1                       1:4.4.3-3  GCC support library
pn  libmilter1.0.1                <none>     (no description available)
ii  libstdc++6                    4.4.3-3    The GNU Standard C++ Library v3
pn  spamc                         <none>     (no description available)

Versions of packages spamass-milter recommends:
pn  sendmail | postfix            <none>     (no description available)
ii  spamassassin                  3.3.0-2    Perl-based spam filter using text 

spamass-milter suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Don Armstrong <don@debian.org>:
Bug#573228; Package spamass-milter. (Tue, 09 Mar 2010 22:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@donarmstrong.com>:
Extra info received and forwarded to list. Copy sent to Don Armstrong <don@debian.org>. (Tue, 09 Mar 2010 22:15:07 GMT) Full text and rfc822 format available.

Message #10 received at 573228@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@donarmstrong.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 573228@bugs.debian.org
Subject: Re: Bug#573228: Arbitrary command execution (report from full-disclosure)
Date: Tue, 9 Mar 2010 14:13:27 -0800
On Tue, 09 Mar 2010, Moritz Muehlenhoff wrote:
> The following report was posted to full-disclosure:
> http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073489.html

Thanks for the report; this is mitigated a bit on Debian, as the
default configuration doesn't use -x, nor does it run as root, but we
should definetly get a fix for it out.

I'll see what I can whip up in the next few days if the upstream
maintainers don't respond.


Don Armstrong

-- 
For a moment, nothing happened. Then, after a second or so, nothing
continued to happen.
 -- Douglas Adams

http://www.donarmstrong.com              http://rzlab.ucr.edu




Set Bug forwarded-to-address to 'http://savannah.nongnu.org/bugs/index.php?29136'. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 10 Mar 2010 22:03:05 GMT) Full text and rfc822 format available.

Reply sent to Don Armstrong <don@debian.org>:
You have taken responsibility. (Thu, 18 Mar 2010 06:33:19 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 18 Mar 2010 06:33:19 GMT) Full text and rfc822 format available.

Message #17 received at 573228-close@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: 573228-close@bugs.debian.org
Subject: Bug#573228: fixed in spamass-milter 0.3.1-9
Date: Thu, 18 Mar 2010 06:32:09 +0000
Source: spamass-milter
Source-Version: 0.3.1-9

We believe that the bug you reported is fixed in the latest version of
spamass-milter, which is due to be installed in the Debian FTP archive:

spamass-milter_0.3.1-9.diff.gz
  to main/s/spamass-milter/spamass-milter_0.3.1-9.diff.gz
spamass-milter_0.3.1-9.dsc
  to main/s/spamass-milter/spamass-milter_0.3.1-9.dsc
spamass-milter_0.3.1-9_amd64.deb
  to main/s/spamass-milter/spamass-milter_0.3.1-9_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 573228@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Don Armstrong <don@debian.org> (supplier of updated spamass-milter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Wed, 11 Mar 2009 03:59:39 -0700
Source: spamass-milter
Binary: spamass-milter
Architecture: source amd64
Version: 0.3.1-9
Distribution: unstable
Urgency: high
Maintainer: Don Armstrong <don@debian.org>
Changed-By: Don Armstrong <don@debian.org>
Description: 
 spamass-milter - milter for filtering mail through spamassassin
Closes: 514749 515158 518552 519245 573228
Changes: 
 spamass-milter (0.3.1-9) unstable; urgency=high
 .
   * Call restorecon on the socket and pidfile directories to make SELinux
     happy (thanks to Russel Coker) (closes: #518552)
   * Document how to make inet:9999@127.0.0.1 work (closes: #519245)
   * Document that using the -x option requires being in the smmsp group
     (closes: #515158)
   * Deal with inet:999 sockets (closes: #514749)
     - handle them more sanely in the init script
     - document how to deal with them in README.Debian and
       /etc/spamass-milter/default
   * Use new popenenv function instead of open; fixes remote code exploit
     as the spamass-milter user when run using -x. (closes: #573228)
Checksums-Sha1: 
 ac4e9767bfb8cebfbcce80faf36bc1e85170774b 1022 spamass-milter_0.3.1-9.dsc
 36e29741bbe96cb6939c0d8ef38b23a97b7d12cb 35717 spamass-milter_0.3.1-9.diff.gz
 883621a265ea847260e6ebea2ee711e15ded42ec 52996 spamass-milter_0.3.1-9_amd64.deb
Checksums-Sha256: 
 fd204ada00d8a96cc5124749b323a528e20a13698c330405cb60b0e32666149a 1022 spamass-milter_0.3.1-9.dsc
 16d8554a4bdc3b758c718e416ac8d0b2d1b24c4769944a1f2b29164ee7e01078 35717 spamass-milter_0.3.1-9.diff.gz
 39961044e3e309e05ca6e319bdc20c5b79d1f6ea66138eff1cc373bf5d5bb2fa 52996 spamass-milter_0.3.1-9_amd64.deb
Files: 
 02a3c8e7e5b7088c5c7ec153135c6ca4 1022 mail extra spamass-milter_0.3.1-9.dsc
 1ea0540cd53e48efa5c8f74171aa0ada 35717 mail extra spamass-milter_0.3.1-9.diff.gz
 8b32fa5cf54e61a1f74898f2b396a089 52996 mail extra spamass-milter_0.3.1-9_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLocV9gcCJIoCND9ARA1tMAJ4uUszhgnwMYi4Oa4f+Jaz8+W7YVwCfaHh6
/IoqI/kK6PdenM9SxrxEM5U=
=a9B9
-----END PGP SIGNATURE-----





Reply sent to Don Armstrong <don@debian.org>:
You have taken responsibility. (Sun, 18 Apr 2010 20:09:03 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 18 Apr 2010 20:09:03 GMT) Full text and rfc822 format available.

Message #22 received at 573228-close@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: 573228-close@bugs.debian.org
Subject: Bug#573228: fixed in spamass-milter 0.3.1-8+lenny1
Date: Sun, 18 Apr 2010 20:05:09 +0000
Source: spamass-milter
Source-Version: 0.3.1-8+lenny1

We believe that the bug you reported is fixed in the latest version of
spamass-milter, which is due to be installed in the Debian FTP archive:

spamass-milter_0.3.1-8+lenny1.diff.gz
  to main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1.diff.gz
spamass-milter_0.3.1-8+lenny1.dsc
  to main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1.dsc
spamass-milter_0.3.1-8+lenny1_i386.deb
  to main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 573228@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Don Armstrong <don@debian.org> (supplier of updated spamass-milter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Wed, 17 Mar 2010 12:52:56 -0700
Source: spamass-milter
Binary: spamass-milter
Architecture: source i386
Version: 0.3.1-8+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Don Armstrong <don@debian.org>
Changed-By: Don Armstrong <don@debian.org>
Description: 
 spamass-milter - milter for filtering mail through spamassassin
Closes: 573228
Changes: 
 spamass-milter (0.3.1-8+lenny1) stable-security; urgency=high
 .
   * Use new popenenv function instead of open; fixes remote code exploit
     as the spamass-milter user when run using -x. (closes: #573228)
Checksums-Sha1: 
 086adc5c7ec8cede64958c4788b0427a0081db49 1050 spamass-milter_0.3.1-8+lenny1.dsc
 dd488eb9ab1f230440fba8a729bee80550f2fbff 141144 spamass-milter_0.3.1.orig.tar.gz
 a5ca6a3a676751c676792271f1ad63558d46bdd6 35298 spamass-milter_0.3.1-8+lenny1.diff.gz
 4c98586b6d5c8853497fec5c5bf8a4ae23e19a06 50980 spamass-milter_0.3.1-8+lenny1_i386.deb
Checksums-Sha256: 
 4c69057bb519ec2a08815492671ee773c67571e5088819826853dd97e6657789 1050 spamass-milter_0.3.1-8+lenny1.dsc
 4222b21d098f292b4899a84caf56458c876c6774fd14132fbd4c31f6190b27e5 141144 spamass-milter_0.3.1.orig.tar.gz
 37e2b17719955b838adc4b2bee3c95ddb60d0f62513345ba3c47c2c8f7d0fb4d 35298 spamass-milter_0.3.1-8+lenny1.diff.gz
 afdbe5f4f97884725ec8977040c0e842adb029484388bf447bfb71fce45109b0 50980 spamass-milter_0.3.1-8+lenny1_i386.deb
Files: 
 bb733b6a573d78be8a64002dbc592d44 1050 mail extra spamass-milter_0.3.1-8+lenny1.dsc
 ca6bf6a9c88db74a6bfea41f499c0ba6 141144 mail extra spamass-milter_0.3.1.orig.tar.gz
 c67ac575ec83da156f19d90a21c400e2 35298 mail extra spamass-milter_0.3.1-8+lenny1.diff.gz
 109a06776578187d95ae70c3734e6b6d 50980 mail extra spamass-milter_0.3.1-8+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLpYafgcCJIoCND9ARA9FvAKCXzMgJWox/VrcDThEt32UnUUNgtQCfREmw
8tqhdLd0UHcRTCNCkIkDbxw=
=OjGb
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:34:48 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:19:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.