===========================================================================
                        AMaViS Security Announcement

Date:                   2007-06-05
affected version(s):    amavis, amavisd, amavisd-new 
Vulnerability:          file utility integer underflow / possible DoS
Priority:               urgent
Solution:               update to file 4.21 or newer / edit 'magic' file
References:             http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2799
                        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2026
Author:                 Mark Martinec <[EMAIL PROTECTED]>
                        Rainer Link <[EMAIL PROTECTED]>
Advisory ID:            ASA-2007-3
Contact:                [EMAIL PROTECTED]
WWW:                    http://www.amavis.org/security/

-----------------------------------------------------------------------------


0. Preface
As amavisd-new (http://www.ijs.si/software/amavisd/) is currently
the only maintained AMaViS branch, most of the following refers
to amavisd-new. 


1. Problem description
Colin Percival, a FreeBSD Security Officer, discovered that the fix
for the CVE-2007-1536 security issue in version 4.20 of the file(1) utility
introduced a new integer overflow, leading to a buffer overflow and possibly
to the execution of arbitrary code with the privileges of the user
running file(1). This new flaw has been assigned CVE-2007-2799.

Amavisd-new and its predecessors (except amavis-ng) use the file(1)
utility to determine the type of files extracted from email messages.
The file(1) vulnerability can therefore be leveraged by an attacker
to execute code with the privileges of the user running amavis.


2. Impact
Potential execution of arbitrary code with the privileges of the user
running a content filter (such as amavisd-new) that uses version 4.20 of
the file(1) utility. If the content filter runs chrooted, the impact
is limited by the chroot jail environment.

Note that versions 4.19 and earlier are vulnerable to a similar
security problem, CVE-2007-1536 (see ASA-2007-1), and the vulnerability
of versions 3.41 and earlier is covered by ASA-2003-1.


3. Solution
Update to version 4.21 or newer of the file(1) utility; the latest version
can be found at ftp://ftp.astron.com/pub/file/. Alternatively, update your
system using an up-to-date package or port.

If decoding of mail contents by amavisd-new is not required (e.g.
if the antivirus checkers can reliably do their own mail decoding and
no banning rules are in use, or if only spam checking is desired),
decoding and content recognition by the file(1) utility can be turned
off (supported since amavisd-new version 2.5.1) with the following
setting in amavisd.conf:  $bypass_decode_parts = 1;


4. Additional information
An unrelated DoS vulnerability, CVE-2007-2026, affecting a file(1) utility
linked with a POSIX regex(3) library on Linux systems (but not *BSD
systems) is still unresolved in file-4.21: the two offending lines in
the 'magic' file were, by mistake, not removed, even though their
correct replacements were added.

The following two lines in the 'magic' file that ships with file(1)
version 4.21 need to be removed manually:

100 regex/c =^\\s*call\\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text
100 regex/c =^\\s*say\ ['"] OS/2 REXX batch file text
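To verify on a host that both parts of the solution have been applied, here is an added POSIX sh check; it is example code written for this page, not part of the advisory or of the file(1) or amavisd-new projects. It assumes that `file --version` prints a first line of the form `file-X.Y`, and the default magic path `/usr/share/file/magic` is an assumption (pass the real path as the argument).

```shell
#!/bin/sh
# Added example (not from the advisory): check the installed file(1) version
# against 4.21 and look for the two OS/2 REXX regex entries that must be
# removed from the 'magic' file by hand.

# Return 0 when the version string $1 (e.g. "4.21") is 4.21 or newer.
file_version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 4 ] 2>/dev/null && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 21 ]
}

# Extract "X.Y" from the first line of `file --version` output read on stdin
# (assumption: that line looks like "file-4.21").
parse_file_version() {
    sed -n '1s/^file-\([0-9][0-9.]*\).*/\1/p'
}

# Print, with line numbers, every entry of the magic file $1 that still
# carries one of the two offending lines quoted above. Fixed-string matching
# (-F) so the backslashes in the entries are compared literally.
offending_magic_lines() {
    grep -n -F -e 'regex/c =^\\s*call\\s+rxfuncadd.*sysloadfu' \
               -e 'regex/c =^\\s*say\ [' -- "$1"
}

# Combined host check: returns 0 when nothing is left to do, 1 otherwise.
check_host() {
    magic=${1:-/usr/share/file/magic}   # default path is an assumption
    ver=$(file --version 2>/dev/null | parse_file_version)
    status=0
    if [ -z "$ver" ] || ! file_version_ok "$ver"; then
        echo "file(1) version '${ver:-unknown}' is older than 4.21: update it (CVE-2007-2799)"
        status=1
    fi
    if [ -r "$magic" ] && offending_magic_lines "$magic"; then
        echo "remove the lines listed above from $magic (CVE-2007-2026)"
        status=1
    fi
    return $status
}
```

Run `check_host /path/to/magic` on each content-filter host; a non-zero exit means the update or the manual edit is still pending.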


5. References
http://security.freebsd.org/advisories/FreeBSD-SA-07:04.file.asc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2026
http://mx.gw.com/pipermail/file/2007/000173.html
http://mx.gw.com/pipermail/file/2007/000172.html
http://www.ijs.si/software/amavisd/#sec
http://www.amavis.org/security/
http://www.amavis.org/security/asa-2007-1.txt
http://www.amavis.org/security/asa-2003-1.txt



_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/