On Sun, Oct 14, 2001 at 07:12:38PM +0000, Andre Luis Lopes wrote:
> Package: maildrop
> Version: 0.75-2.1; reported 2001-10-14
> Severity: critical
> Tags: potato
>
> I was trying to set up a Debian GNU/Linux 2.2r3 "Potato" box (not this
> one from which I'm sending this bug report) with Postfix + Amavis +
> McAfee virus scanner.
> When reading Amavis documentation about reformime, which is part of the
> maildrop package, I think I found a serious problem to which the
> maildrop-0.75-2.1 Debian package from potato is still vulnerable.
> However, this same file provided a patch to be applied against a
> reformime version older than 1.0, which is the Debian package case.
> Below is the file in question (README.reformime from Amavis) with the
> vulnerability explanation and the appropriate patch. Hope it helps.
>
> ==============================================================================
>
> AMaViS & reformime
> ******************
>
> IMPORTANT SECURITY WARNING:
>
> reformime 1.0 contains a severe bug. It tries to avoid
> clobbering of existing files (i.e. if a mail contains
> two attachments with the same file name!) Due to a bug
> it ends in an endless loop! This could be used for a
> denial-of-service-attack against AMaViS.
It appears that version 0.75 doesn't have the sanity check at all. This looks like a serious bug; it can overwrite and lose data that way... It also makes one chunk not apply, which is normal. What should be done?

(Please CC: posts to debian-security to me, I'm not on the list)

[the rest of the original post follows]

> For details see the AMaViS Security Announcement 2000-02
> http://amavis.org/asa-2000-2.txt and read README.metamail,
> which explains why metamail or reformime is used.
>
> Please apply the patch below if you are using reformime 1.0
> (we recommend to use the latest release which is included in
> the package maildrop, see http://www.flounder.net/~mrsam/maildrop)
>
>
> Index: reformime.c > =================================================================== > RCS file: /cvsroot/courier/libs/rfc2045/reformime.c,v > retrieving revision 1.25 > diff -U3 -r1.25 reformime.c > --- reformime.c 2000/07/05 16:42:06 1.25 > +++ reformime.c 2000/07/26 00:07:14 > @@ -36,7 +36,7 @@ > #endif > > > -static const char rcsid[]="$Id: README.reformime,v 1.2 2000/09/16 16:09:42 reniar >Exp $"; > +static const char rcsid[]="$Id: README.reformime,v 1.2 2000/09/16 16:09:42 reniar >Exp $"; > > void rfc2045_error(const char *errmsg) > { > @@ -317,7 +317,8 @@ > } > } > > -static char *get_suitable_filename(struct rfc2045 *r, const char *pfix) > +static char *get_suitable_filename(struct rfc2045 *r, const char *pfix, > + int ignore_filename) > { > const char *disposition_s; > const char *disposition_name_s; 
> @@ -336,7 +337,24 @@ > if (!disposition_filename_s || !*disposition_filename_s) > disposition_filename_s=content_name_s; > > - if (!disposition_filename_s || !*disposition_filename_s) > + if (ignore_filename) > + { > + char numbuf[NUMBUFSIZE]; > + static size_t counter=0; > + const char *p=str_size_t(++counter, numbuf); > + > + dyn_disp_name=malloc(strlen(disposition_filename_s) > + + strlen(p)+2); > + if (!dyn_disp_name) > + { > + perror("malloc"); > + exit(1); > + } > + disposition_filename_s=strcat(strcat(strcpy( > + dyn_disp_name, p), "-"), > + disposition_filename_s); > + } > + else if (!disposition_filename_s || !*disposition_filename_s) > { > dyn_disp_name=tempname("."); > disposition_filename_s=dyn_disp_name+2; /* Skip over ./ */ > @@ -421,12 +439,13 @@ > { > char *f; > FILE *fp; > +int ignore=0; > > for (;;) > { > int fd; > > - f=get_suitable_filename(p, filename); > + f=get_suitable_filename(p, filename, ignore); > if (!f) return; > > fd=open(f, O_WRONLY|O_CREAT|O_EXCL, 0666); > @@ -436,6 +455,7 @@ > { > printf("%s exists.\n", f); > free(f); > + ignore=1; > continue; > } > > @@ -465,7 +485,7 @@ > const char *filename, > int argc, char **argv) > { > -char *f=get_suitable_filename(p, "FILENAME="); > +char *f=get_suitable_filename(p, "FILENAME=", 0); > int pipefd[2]; > pid_t pid, p2; > FILE *fp; > > ==============================================================================
>
>
> -- System Information
> Debian Release: testing/unstable
> Architecture: i386
> Kernel: Linux foobar 2.4.9 #1 SMP Dom Set 9 14:19:19 BRT 2001 i586
> Locale: LANG=pt_BR, LC_CTYPE=pt_BR
> --

-- 
2. That which causes joy or happiness.
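Review bot: the @@ -36,7 +36,7 @@ hunk is a no-op as quoted: its `-` and `+` lines are byte-identical, because the `$Id$` keyword in both was expanded when README.reformime itself was checked into RCS (both now read `$Id: README.reformime,v 1.2 ...`), so the hunk no longer matches the real rcsid line in reformime.c and will be rejected. It carries no functional change and can simply be dropped before applying; it is presumably the one chunk the reply says does not apply.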
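Review bot: in the @@ -336,7 +337,24 @@ hunk the new `if (ignore_filename)` branch calls `strlen(disposition_filename_s)` before the `else if (!disposition_filename_s || !*disposition_filename_s)` fallback, so a part that has neither a disposition filename nor a Content-Type name and whose generated name collides on retry reaches strlen(NULL). Guard it as `if (ignore_filename && disposition_filename_s && *disposition_filename_s)` so the nameless case keeps taking the `tempname(".")` path. The `static size_t counter` incremented on every call does make each retry distinct (`1-name`, `2-name`, ...), which is what breaks the endless loop the README describes. `NUMBUFSIZE` and `str_size_t()` come from no include visible in this patch; confirm they exist in the 0.75 tree the reporter wants to patch, since the README says the patch targets reformime 1.0.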
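Review bot: in the @@ -421,12 +439,13 @@ and @@ -436,6 +455,7 @@ hunks the loop is still `for (;;)` and `ignore=1` is set only on the `%s exists.` path, so termination now rests entirely on the counter prefix eventually producing a name that does not exist. A bounded retry count that gives up with an error would make this no-clobber loop fail closed rather than depend on that, which matters here because the README flags exactly this loop as a denial-of-service vector against AMaViS.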
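A stand-alone C sketch of the corrected no-clobber loop the patch aims at, added here as an example and not reformime's or maildrop's own code: the names `suitable_filename`, `create_attachment` and `enter_scratch_dir` are hypothetical, the constant `"unnamed-part"` stands in for `tempname(".")`, and unlike the quoted patch it bounds the retries and guards the nameless-part case.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Name to write an attachment under (hypothetical helper, not reformime's own).
 * As in the patch, after a collision (ignore_filename != 0) the name gets a
 * "<counter>-" prefix so each retry differs and the loop cannot spin.  Unlike the
 * patch, a NULL/empty name takes the placeholder even then: no strlen(NULL). */
static char *suitable_filename(const char *name, int ignore_filename, size_t counter)
{
    if (!name || !*name)
        name = "unnamed-part";            /* stands in for tempname(".") */
    if (!ignore_filename)
        return strdup(name);
    size_t len = strlen(name) + 32;       /* "<counter>-" + name + NUL */
    char *out = malloc(len);
    if (!out) { perror("malloc"); exit(1); }
    snprintf(out, len, "%zu-%s", counter, name);
    return out;
}

/* Create the file in the cwd without clobbering (O_EXCL), retrying with a fresh
 * name on EEXIST; returns the fd (name in *chosen) or -1 after max_tries/error. */
static int create_attachment(const char *name, char **chosen, int max_tries)
{
    int ignore = 0;
    size_t counter = 0;
    for (int i = 0; i < max_tries; i++) {
        char *f = suitable_filename(name, ignore, counter);
        int fd = open(f, O_WRONLY | O_CREAT | O_EXCL, 0666);
        if (fd >= 0) { *chosen = f; return fd; }
        int saved = errno;
        free(f);
        if (saved != EEXIST) return -1;
        ignore = 1;                       /* next: "1-name", then "2-name", ... */
        counter++;
    }
    return -1;
}

/* Switch to a fresh scratch directory so nothing is left in the caller's cwd. */
static int enter_scratch_dir(void)
{
    char dir[] = "/tmp/reformime-demo-XXXXXX";
    return (mkdtemp(dir) && chdir(dir) == 0) ? 0 : -1;
}
```

Three attachments named `report.doc` in one mail end up as `report.doc`, `1-report.doc` and `2-report.doc`; with the retry budget exhausted the call returns -1 instead of looping.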

