Date: Mon, 23 Jan 2012 14:53:04 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Agostino Sarubbo <ago@...too.org> Subject: Re: CVE request: spamdyke buffer overflow vulnerability On 01/20/2012 06:35 PM, Kurt Seifried wrote: > On 01/20/2012 01:42 AM, Agostino Sarubbo wrote: >> According to secunia advisory: >> https://secunia.com/advisories/47548/ : >> Description: >> >> Some vulnerabilities have been reported in spamdyke, which potentially can be >> exploited by malicious people to compromise a vulnerable system. >> >> The vulnerabilities are caused due to boundary errors related to the incorrect >> use of the "snprintf()" and "vsnprintf()" functions, which can be exploited to >> cause buffer overflows. >> >> The vulnerabilities are reported in versions prior to 4.3.0. >> >> >> Solution >> Update to version 4.3.0. >> >> >> and from upstream changelog: >> http://www.spamdyke.org/documentation/Changelog.txt : >> >> Fixed a number of very serious errors in the usage ofc. >> The return value was being used as the length of the string printed into >> the buffer, but the return value really indicates the length of the string >> that *could* be printed if the buffer were of infinite size. Because the >> returned value could be larger than the buffer's size, this meant remotely >> exploitable buffer overflows were possible, depending on spamdyke's >> configuration. >> >> and from upstream mailing list: >> http://firstname.lastname@example.org/msg00014.html >> >> it also fixes a series of major bugs >> that could lead to buffer overflows. Depending on spamdyke's configuration, >> these could cause remotely exploitable security holes. Please upgrade >> immediately! >> >> Please assign a CVE >> > Can you include some links to actual code commits? I want to prevent > duplicates and more information would aid in that. > Ugh so I downloaded (www.spamdyke.org/download.html) and diff'ed spamdyke 4.2.1 and 4.3.0 and checked for snprint/vsnprintf occurances being replaced, there's about 80 (all virtually identical fixes). I also checked 4.3.0 to 4.3.1, no more of those fixes, so it's safe to say this fix at least is largely confined to the 4.3.0 update. Please use CVE-2012-0802 for this issue. -- -- -- Kurt Seifried / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ