[Fwd: EoC 1.2.4 -- security problem fixed, please upgrade immediately]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: [Fwd: EoC 1.2.4 -- security problem fixed, please upgrade immediately]
From: Lars Wirzenius <liw@xxxxxx>
Date: Wed, 13 Dec 2006 19:25:41 +0200
Cc: fedora-security-list@xxxxxxxxxx

Fedora Extras seems to include my Enemies of Carlotta mailing list
manager. I've just made a new release to fix a security problem, so I'd
like to suggest that you update the package. Please see attached message
and
http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00336.html

Thanks, and sorry for the mess I created.

-- 
If possible, use code, not comments.

--- Begin Message ---

Subject: EoC 1.2.4 -- security problem fixed, please upgrade immediately
From: Lars Wirzenius <liw@xxxxxxxxxx>
Date: Wed, 13 Dec 2006 15:48:36 +0200
Delivered-to: liw-iki-liw@xxxxxxxxx
Delivered-to: liw-iki-eoc@xxxxxxxxx

My face is covered in egg.

Antti-Juhani Kaijanaho found a security problem in EoC, both the 1.0.3
and the 1.2.3 versions. The problem is that EoC did not quote shell
arguments properly. I have fixed the problem in 1.2.4, which contains no
other changes relative to 1.2.3. This problem has the code
CVE-2006-5875.

You can find the 1.2.4 version from the EoC website:
http://liw.iki.fi/liw/eoc/ and I have also uploaded it to Debian's
unstable.

Debian's stable contains 1.0.3, and I have prepared a patch for that. It
is actually essentially the same patch as was used to create 1.2.4. The
Debian security team has uploaded a fixed version of the 1.0.3 package
to security.debian.org. I've attached it to this message in case anyone
not running Debian wants to stay with 1.0.3, but I won't be releasing a
1.0.4 unless someone really needs it (if you do, please tell me
immediately).

For risk assessment: I was unable to come up with an exploit. Doing so
would require getting a certain kind of construct through the SMTP level
to EoC, and I wasn't able to make that happen, but I would not rely on
it being impossible. Therefore, please upgrade immediately.

I apologize for this problem. It was amateurish to let the problematic
code into a released version of the program, I knew better than do that.

diff -u enemies-of-carlotta-1.0.3/debian/changelog enemies-of-carlotta-1.0.3/debian/changelog
--- enemies-of-carlotta-1.0.3/debian/changelog
+++ enemies-of-carlotta-1.0.3/debian/changelog
@@ -1,3 +1,13 @@
+enemies-of-carlotta (1.0.3-2) stable-security; urgency=high
+
+  * Security fix for CVE-2006-5875. There is no bug report for this, the
+    problem was reported privately to me by Antti-Juhani Kaijanaho.
+  * EoC did not correctly deal with SMTP level e-mail addresses that contain
+    shell meta characters. This has been fixed by running /usr/sbin/sendmail
+    via fork and exec, instead of os.popen.
+
+ -- Lars Wirzenius <liw@xxxxxx>  Fri,  8 Dec 2006 19:49:07 +0200
+
 enemies-of-carlotta (1.0.3-1) unstable; urgency=low
 
   * New upstream release:
only in patch2:
unchanged:
--- enemies-of-carlotta-1.0.3.orig/eoc.py
+++ enemies-of-carlotta-1.0.3/eoc.py
@@ -119,6 +119,33 @@
     return string.join(map(lambda c: "%02x" % ord(c), hash), "")
 
 
+def forkexec(argv, text):
+    """Run a command (given as argv array) and write text to its stdin"""
+    (r, w) = os.pipe()
+    pid = os.fork()
+    if pid == -1:
+        raise Exception("fork failed")
+    elif pid == 0:
+        os.dup2(r, 0)
+        os.close(r)
+        os.close(w)
+        fd = os.open("/dev/null", os.O_RDWR)
+        os.dup2(fd, 1)
+        os.dup2(fd, 2)
+        os.execvp(argv[0], argv)
+        sys.exit(1)
+    else:
+        os.close(r)
+        os.write(w, text)
+        os.close(w)
+        (pid2, exit) = os.waitpid(pid, 0)
+        if pid != pid2:
+            raise Exception("os.waitpid for %d returned for %d" % (pid, pid2))
+        if exit != 0:
+            raise Exception("subprocess failed, exit=0x%x" % exit)
+        return exit
+
+
 environ = None
 
 def set_environ(new_environ):
@@ -379,12 +406,8 @@
 		smtp.sendmail(envelope_sender, recipients, text)
 		smtp.quit()
 	    else:
-		recipients = string.join(recipients, " ")
-		f = os.popen("%s -oi -f '%s' %s" % 
-				(self.mlm.sendmail, envelope_sender, recipients), 
-			     "w")
-		f.write(text)
-		f.close()
+		forkexec([self.mlm.sendmail, "-oi", "-f", envelope_sender] +
+		          recipients, text)
 	else:
 	    debug("send_mail: no recipients, not sending")

--- End Message ---

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list

Follow-Ups:
- Re: [Fwd: EoC 1.2.4 -- security problem fixed, please upgrade immediately]
  - From: Paul Howarth

Prev by Date: [Bug 210825] RSA signature forgery issues in BouncyCastle < 1.34
Next by Date: Re: [Fwd: EoC 1.2.4 -- security problem fixed, please upgrade immediately]
Previous by thread: [Bug 219095] New: CVE-2006-6406: clamav <= 0.88.6 virus detection bypass
Next by thread: Re: [Fwd: EoC 1.2.4 -- security problem fixed, please upgrade immediately]
Index(es):
- Date
- Thread

[Home] [Fedora Legacy List] [Fedora Maintainers] [Fedora Desktop] [Red Hat 9 Bible] [Fedora Bible] [Fedora SELinux] [Big List of Linux Books] [Yosemite News] [Yosemite Photos] [KDE Users] [Coolkey] [Fedora Tools]