Date: Mon, 23 Jan 2012 14:53:04 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Agostino Sarubbo <ago@...too.org>
Subject: Re: CVE request: spamdyke buffer overflow vulnerability

On 01/20/2012 06:35 PM, Kurt Seifried wrote:
> On 01/20/2012 01:42 AM, Agostino Sarubbo wrote:
>> According to secunia advisory:
>> https://secunia.com/advisories/47548/ :
>> Description:
>>
>> Some vulnerabilities have been reported in spamdyke, which potentially can be 
>> exploited by malicious people to compromise a vulnerable system.
>>
>> The vulnerabilities are caused due to boundary errors related to the incorrect 
>> use of the "snprintf()" and "vsnprintf()" functions, which can be exploited to 
>> cause buffer overflows.
>>
>> The vulnerabilities are reported in versions prior to 4.3.0.
>>
>>
>> Solution
>> Update to version 4.3.0.
>>
>>
>> and from upstream changelog:
>> http://www.spamdyke.org/documentation/Changelog.txt :
>>
>> Fixed a number of very serious errors in the usage of snprintf() and vsnprintf().
>>     The return value was being used as the length of the string printed into
>>     the buffer, but the return value really indicates the length of the string
>>     that *could* be printed if the buffer were of infinite size. Because the
>>     returned value could be larger than the buffer's size, this meant remotely
>>     exploitable buffer overflows were possible, depending on spamdyke's
>>     configuration.
>>
>> and from upstream mailing list:
>> http://www.mail-archive.com/spamdyke-release@...mdyke.org/msg00014.html
>>
>> it also fixes a series of major bugs 
>> that could lead to buffer overflows.  Depending on spamdyke's configuration, 
>> these could cause remotely exploitable security holes.  Please upgrade 
>> immediately!
>>
>> Please assign a CVE
>>
> Can you include some links to actual code commits? I want to prevent
> duplicates and more information would aid in that.
> 

Ugh, so I downloaded (www.spamdyke.org/download.html) and diffed
spamdyke 4.2.1 and 4.3.0 and checked for snprintf/vsnprintf occurrences
being replaced; there are about 80 (all virtually identical fixes). I also
checked 4.3.0 to 4.3.1, no more of those fixes, so it's safe to say this
fix at least is largely confined to the 4.3.0 update.

Please use CVE-2012-0802 for this issue.



-- 
-- Kurt Seifried / Red Hat Security Response Team
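The changelog quoted above describes the bug class without showing it, so here is an added C example that is not spamdyke code and not part of this thread. It contrasts the vulnerable bookkeeping (advancing a write offset by the raw vsnprintf() return value, which is the length the output would have had with an unbounded buffer) with hardened bookkeeping that advances only by what was actually stored and reports truncation. The buffer size, the "250 hello " prefix and the helper names (append_unsafe_offset, append_safe, unsafe_offset_for, safe_offset_for, next_write_would_overflow) are all constructed for the example; the vulnerable variant never writes past the buffer itself, it only returns the out-of-bounds offset the vulnerable caller would carry into its next write.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed values: a deliberately small buffer and a banner prefix so the
 * problem shows up with short input. Not taken from spamdyke. */
#define BUF_SIZE 32
#define PREFIX "250 hello "
#define LONG_NAME "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"  /* 40 chars */

/*
 * Vulnerable bookkeeping (the pattern the changelog describes): advance the
 * write offset by vsnprintf()'s raw return value. vsnprintf() itself never
 * writes past `size`, so this function does not overflow; it returns the
 * offset the vulnerable caller would use for its NEXT write, which can lie
 * beyond the end of the buffer.
 */
static size_t append_unsafe_offset(char *buf, size_t size, size_t used,
                                   const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t at = used < size ? used : size;   /* keep the pointer in bounds */

    va_start(ap, fmt);
    n = vsnprintf(buf + at, size - at, fmt, ap);
    va_end(ap);
    if (n < 0)
        return used;
    return used + (size_t)n;   /* BUG: n is "wanted", not "stored" */
}

/*
 * Hardened bookkeeping: advance by the bytes actually stored, clamp on
 * truncation, and tell the caller (-1) so it can fail closed instead of
 * continuing with a partial line.
 */
static int append_safe(char *buf, size_t size, size_t *used,
                       const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t avail;

    if (size == 0 || *used >= size)
        return -1;
    avail = size - *used;
    va_start(ap, fmt);
    n = vsnprintf(buf + *used, avail, fmt, ap);
    va_end(ap);
    if (n < 0) {                 /* encoding error: leave a terminated buffer */
        buf[*used] = '\0';
        return -1;
    }
    if ((size_t)n >= avail) {    /* truncated: avail-1 chars plus NUL stored */
        *used = size - 1;
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* Offset the vulnerable code would carry after formatting PREFIX + name. */
size_t unsafe_offset_for(const char *name)
{
    char buf[BUF_SIZE];
    return append_unsafe_offset(buf, sizeof buf, 0, PREFIX "%s", name);
}

/* Offset the hardened code carries after the same operation. */
size_t safe_offset_for(const char *name)
{
    char buf[BUF_SIZE];
    size_t used = 0;
    (void)append_safe(buf, sizeof buf, &used, PREFIX "%s", name);
    return used;
}

/* 1 if the vulnerable bookkeeping would start its next write outside buf. */
int next_write_would_overflow(const char *name)
{
    return unsafe_offset_for(name) >= BUF_SIZE;
}

int main(void)
{
    const char *names[] = { "host", LONG_NAME };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-40s unsafe=%zu safe=%zu overflow=%d\n", names[i],
               unsafe_offset_for(names[i]), safe_offset_for(names[i]),
               next_write_would_overflow(names[i]));
    return 0;
}
```

With a 32-byte buffer, a short name gives the same offset (14) either way; the 40-character name makes the vulnerable bookkeeping report offset 50 while the hardened version stops at 31 and returns -1. When auditing a diff like the 4.2.1 to 4.3.0 one, the thing to look for is exactly this: any place the snprintf()/vsnprintf() return value feeds a pointer, offset or remaining-length calculation without first being compared against the buffer size.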
