Hi,
I'm uploading a 0-day NMU to fix this bug.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/ssmtp-2.62-1_2.62-1.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ssmtp-2.62/debian/patches/series ssmtp-2.62/debian/patches/series
--- ssmtp-2.62/debian/patches/series
+++ ssmtp-2.62/debian/patches/series
@@ -1 +1,2 @@
+02-CVE-2008-3962
 01-374327-use-gnutls.patch
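Review bot: The new series entry `02-CVE-2008-3962` is placed above `01-374327-use-gnutls.patch`, so quilt applies the "02" patch before the "01" patch, which contradicts the numbering; either append it after the existing entry or renumber. It also lacks the `.patch` suffix the existing entry uses; quilt does not require one, but keeping the naming consistent makes the series easier to read.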
diff -u ssmtp-2.62/debian/changelog ssmtp-2.62/debian/changelog
--- ssmtp-2.62/debian/changelog
+++ ssmtp-2.62/debian/changelog
@@ -1,3 +1,11 @@
+ssmtp (2.62-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix possible information disclosure in corner cases (no gecos)
+    by adding a missing else branch (02-CVE-2008-3962; Closes: #498366).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Thu, 02 Oct 2008 14:15:57 +0200
+
 ssmtp (2.62-1) unstable; urgency=low
 
   * New upstream version 
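Review bot: The changelog entry says "corner cases (no gecos)" but does not say what is disclosed; since the fix is an else branch that fills `buf` in `from_format()`, stating that the buffer was left unset when the gecos field is empty would let readers of the changelog judge the impact without opening the patch.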
only in patch2:
unchanged:
--- ssmtp-2.62.orig/debian/patches/02-CVE-2008-3962
+++ ssmtp-2.62/debian/patches/02-CVE-2008-3962
@@ -0,0 +1,16 @@
+Index: ssmtp-2.62/ssmtp.c
+===================================================================
+--- ssmtp-2.62.orig/ssmtp.c	2008-10-02 14:15:39.000000000 +0200
++++ ssmtp-2.62/ssmtp.c	2008-10-02 14:15:41.000000000 +0200
+@@ -485,6 +485,11 @@
+ 				die("from_format() -- snprintf() failed");
+ 			}
+ 		}
++		else {
++			if(snprintf(buf, BUF_SZ, "%s", str) == -1) {
++				die("from_format() -- snprintf() failed");
++			}
++		}
+ 	}
+ 
+ #if 0
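Review bot: The quilt patch `02-CVE-2008-3962` carries no header describing the change, its origin, or a link to #498366 and the CVE, so the next maintainer has to reconstruct the context from the changelog alone; a few comment lines above `Index: ssmtp-2.62/ssmtp.c` would cover that. On the code itself, the new `snprintf(buf, BUF_SZ, "%s", str) == -1` check mirrors the existing branch above it and therefore also catches only encoding errors, not truncation (a return value `>= BUF_SZ`); truncation still leaves `buf` NUL-terminated, so this is acceptable for a minimal security NMU, but worth noting if the check is ever tightened upstream.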
