Date: Fri, 2 Oct 2015 16:16:14 +0200
From: Gilles Chehade <gilles@...lp.org>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: oss-security <oss-security@...ts.openwall.com>, misc <misc@...nsmtpd.org>
Subject: Re: CVE requests: Critical vulnerabilities in OpenSMTPD

On Fri, Oct 02, 2015 at 03:22:01PM +0200, Jason A. Donenfeld wrote:
> Hello,
>

Hello,

> See this excerpt from the release notes below. Quite a few bugs. Looks
> like at least one of them might invalidate the openbsd.org claim,
> "Only two remote holes in the default install, in a heck of a long
> time!".
>

Not really, no.

By default, the MTA operates in local-mode only accepting connections on
the loopback interface and through the unix socket. This is also true on
OpenSMTPD -portable.

Not to mention that remote vulnerabilities only affect a process that is
unprivileged and that the local vulnerabilities, as far as I know, don't
allow for privilege escalation, only leaking of a hash (yes, it is bad,
but you don't suddenly compromise the machine either).

> CCing the OpenSMTPD mailing list (low-volume; don't worry Solar!) in
> case they want to chime in too.
>

I'll chime in.

As we made clear in the commits and release note these issues were found
by Qualys Security during an audit, for which they're going to publish a
detailed advisory (very good read) with a CVE associated with each issue.

> ---------- Forwarded message ----------
> From: Gilles Chehade <gilles@...lp.org>
> Date: Fri, Oct 2, 2015 at 4:01 AM
> Subject: Announce: OpenSMTPD 5.7.2 released
> To: misc@...nsmtpd.org
>
> [...snip...]
>
> > Issues fixed in this release (5.7.2, since 5.7.1):
> > ===========================================
> >
> > - an oversight in the portable version of fgetln() that allows attackers
> >   to read and write out-of-bounds memory;
> >
> > - multiple denial-of-service vulnerabilities that allow local users to
> >   kill or hang OpenSMTPD;
> >
> > - a stack-based buffer overflow that allows local users to crash
> >   OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;
> >
> > - a hardlink attack (or race-conditioned symlink attack) that allows
> >   local users to unset the chflags() of arbitrary files;
> >
> > - a hardlink attack that allows local users to read the first line of
> >   arbitrary files (for example, root's hash from /etc/master.passwd);
> >
> > - a denial-of-service vulnerability that allows remote attackers to fill
> >   OpenSMTPD's queue or mailbox hard-disk partition;
> >
> > - an out-of-bounds memory read that allows remote attackers to crash
> >   OpenSMTPD, or leak information and defeat the ASLR protection;
> >
> > - a use-after-free vulnerability that allows remote attackers to crash
> >   OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;
> >
> > --
> > You received this mail because you are subscribed to misc@...nsmtpd.org
> > To unsubscribe, send a mail to: misc+unsubscribe@...nsmtpd.org
>

--
Gilles Chehade

https://www.poolp.org  @poolpOrg
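Two of the local issues in the release notes above are hardlink attacks: a privileged daemon is handed a path it believes is the user's own file, but the directory entry is a second name for some other inode (the thread's example is a file whose first line is root's hash). The usual defence is to open the path with O_NOFOLLOW, then inspect the open descriptor with fstat() and refuse anything that is not a regular file, has more than one link, or is not owned by the expected user. The example below is added here to illustrate that pattern; it is not OpenSMTPD code and does not reproduce the project's actual fix. It uses POSIX calls only; the function names (open_verified, hardlink_check_demo) and the temporary files it creates under /tmp are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only only if it is a regular file, has exactly one
 * directory entry (so it cannot be a hardlink alias of another file) and
 * belongs to `owner`. Returns a descriptor, or -1 with errno set
 * (EPERM when the policy rejects the file; open()/fstat() errno otherwise).
 * The checks run on the descriptor, not on the path, so the file cannot
 * be swapped between the check and the later read. */
int open_verified(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check on constructed files in a private temporary directory.
 * Returns 1 when a freshly created single-link file is accepted and the
 * same inode reached through a second hardlink is rejected, 0 otherwise. */
int hardlink_check_demo(void)
{
    char dir[] = "/tmp/linkcheck.XXXXXX"; /* constructed demo location */
    char original[64], alias[64];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(original, sizeof original, "%s/secret", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);

    fd = open(original, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    (void)write(fd, "first line\n", 11);
    close(fd);

    /* st_nlink == 1 and owned by us: accepted */
    fd = open_verified(original, getuid());
    if (fd < 0)
        goto cleanup;
    close(fd);

    /* a second name for the same inode raises st_nlink to 2: rejected */
    if (link(original, alias) < 0)
        goto cleanup;
    fd = open_verified(alias, getuid());
    if (fd >= 0) {
        close(fd);
        goto cleanup;
    }
    result = (errno == EPERM);

cleanup:
    unlink(alias);
    unlink(original);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("hardlink check %s\n", hardlink_check_demo() ? "works" : "failed");
    return 0;
}
```

The link-count test is what stops the alias: a hardlink to someone else's file has st_nlink of at least 2, and the ownership test catches it independently because the inode keeps its original owner. A symlink is refused earlier by O_NOFOLLOW. Checking after open() rather than with stat() on the path is what removes the race the release notes mention for the chflags() case.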