Date: Fri, 2 Oct 2015 16:16:14 +0200
From: Gilles Chehade <gilles@...lp.org>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: oss-security <oss-security@...ts.openwall.com>,
	misc <misc@...nsmtpd.org>
Subject: Re: CVE requests: Critical vulnerabilities in OpenSMTPD

On Fri, Oct 02, 2015 at 03:22:01PM +0200, Jason A. Donenfeld wrote:
> Hello,
>

Hello,


> See this excerpt from the release notes below. Quite a few bugs. Looks
> like at least one of them might invalidate the openbsd.org claim,
> "Only two remote holes in the default install, in a heck of a long
> time!".
>

Not really, no.

By default, the MTA operates in local mode, only accepting connections on
the loopback interface and through the unix socket. This is also true of
OpenSMTPD-portable.

Not to mention that the remote vulnerabilities only affect a process that is
unprivileged, and that the local vulnerabilities, as far as I know, don't
allow for privilege escalation, only the leaking of a hash (yes, it is bad,
but you don't suddenly compromise the machine either).


> CCing the OpenSMTPD mailing list (low-volume; don't worry Solar!) in
> case they want to chime in too.
> 

I'll chime in.

As we made clear in the commits and release notes, these issues were found
by Qualys Security during an audit, for which they're going to publish a
detailed advisory (a very good read) with a CVE associated with each issue.



> ---------- Forwarded message ----------
> From: Gilles Chehade <gilles@...lp.org>
> Date: Fri, Oct 2, 2015 at 4:01 AM
> Subject: Announce: OpenSMTPD 5.7.2 released
> To: misc@...nsmtpd.org
> 
> [...snip...]
> 
> 
> Issues fixed in this release (5.7.2, since 5.7.1):
> ==================================================
> 
> - an oversight in the portable version of fgetln() that allows attackers
>   to read and write out-of-bounds memory;
> 
> - multiple denial-of-service vulnerabilities that allow local users to
>   kill or hang OpenSMTPD;
> 
> - a stack-based buffer overflow that allows local users to crash
>   OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;
> 
> - a hardlink attack (or race-conditioned symlink attack) that allows
>   local users to unset the chflags() of arbitrary files;
> 
> - a hardlink attack that allows local users to read the first line of
>   arbitrary files (for example, root's hash from /etc/master.passwd);
> 
> - a denial-of-service vulnerability that allows remote attackers to fill
>   OpenSMTPD's queue or mailbox hard-disk partition;
> 
> - an out-of-bounds memory read that allows remote attackers to crash
>   OpenSMTPD, or leak information and defeat the ASLR protection;
> 
> - a use-after-free vulnerability that allows remote attackers to crash
>   OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;
> 

-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
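The two hardlink issues in the forwarded release notes (a local user unsetting chflags() on arbitrary files, or reading the first line of an arbitrary file) share one root cause class: a privileged component opens a path in a directory a less-privileged user can write to, and the user plants a link there so the open lands on someone else's file. The general mitigation is to decide on the opened descriptor, not on the path, and to refuse anything reachable through a link. The following is an added illustration of that pattern; it is not OpenSMTPD's code or its actual fix, and the function names, result codes and the scratch-directory scenario are the example's own.

```c
/* Added example: a defensive open() that refuses files reachable through a
 * hardlink or symlink. Illustrative code, not OpenSMTPD's own fix. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes for safe_open_file() (names are this example's own). */
enum safe_open_rc {
    SAFE_OK = 0,
    SAFE_ERR_OPEN = -1,        /* open()/fstat() failed; ELOOP for a symlink */
    SAFE_ERR_NOT_REGULAR = -2, /* not a regular file (device, fifo, dir) */
    SAFE_ERR_HARDLINKED = -3,  /* st_nlink > 1: another path names this inode */
    SAFE_ERR_OWNER = -4,       /* not owned by the uid we expected */
};

/* Open `path` read-only, but only hand back the descriptor if the object
 * behind it is a regular file with exactly one link, owned by expected_uid.
 * All checks run on the opened fd via fstat(), so a caller cannot swap the
 * path between the check and the use; O_NOFOLLOW rejects symlinks outright. */
int safe_open_file(const char *path, uid_t expected_uid, int *fd_out)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return SAFE_ERR_OPEN;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return SAFE_ERR_OPEN;
    }
    if (!S_ISREG(st.st_mode)) { close(fd); return SAFE_ERR_NOT_REGULAR; }
    if (st.st_nlink > 1)      { close(fd); return SAFE_ERR_HARDLINKED; }
    if (st.st_uid != expected_uid) { close(fd); return SAFE_ERR_OWNER; }
    *fd_out = fd;
    return SAFE_OK;
}

/* Constructed scenario (not from the advisory): a scratch directory holding
 * an ordinary file, a hardlink to it and a symlink to it. Fills rcs[] with
 * the result for opening the plain file (before the links exist), the
 * hardlink and the symlink. Returns 0 on success, -1 on setup failure. */
int demo_hardlink_checks(int rcs[3])
{
    char dir[] = "/tmp/safeopen.XXXXXX";
    char plain[64], hard[64], sym[64];
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(hard, sizeof hard, "%s/hard", dir);
    snprintf(sym, sizeof sym, "%s/sym", dir);

    fd = open(plain, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    (void)write(fd, "first line\n", 11);
    close(fd);

    rcs[0] = safe_open_file(plain, getuid(), &fd);   /* expect SAFE_OK */
    if (rcs[0] == SAFE_OK) close(fd);

    if (link(plain, hard) != 0 || symlink(plain, sym) != 0)
        return -1;
    rcs[1] = safe_open_file(hard, getuid(), &fd);    /* expect SAFE_ERR_HARDLINKED */
    if (rcs[1] == SAFE_OK) close(fd);
    rcs[2] = safe_open_file(sym, getuid(), &fd);     /* expect SAFE_ERR_OPEN (ELOOP) */
    if (rcs[2] == SAFE_OK) close(fd);

    unlink(sym); unlink(hard); unlink(plain); rmdir(dir);
    return 0;
}

/* 1 if the scenario behaves as the comments above say, 0 otherwise. */
int demo_matches_expected(void)
{
    int rcs[3];
    if (demo_hardlink_checks(rcs) != 0)
        return 0;
    return rcs[0] == SAFE_OK && rcs[1] == SAFE_ERR_HARDLINKED && rcs[2] == SAFE_ERR_OPEN;
}

int main(void)
{
    printf("scenario as expected: %s\n", demo_matches_expected() ? "yes" : "no");
    return 0;
}
```

Note that once a hardlink exists, st_nlink is 2 for both names, so the original path is refused as well; for a daemon that is the right outcome, since it can no longer tell which name the file was created under. Checking ownership on the fd closes the remaining gap where the attacker cannot link but can still place their own regular file.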
