Hi, I'm uploading a 0-day NMU to fix this bug. debdiff attached and archived on: http://people.debian.org/~nion/nmu-diff/ssmtp-2.62-1_2.62-1.1.patch
Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ssmtp-2.62/debian/patches/series ssmtp-2.62/debian/patches/series --- ssmtp-2.62/debian/patches/series +++ ssmtp-2.62/debian/patches/series @@ -1 +1,2 @@ +02-CVE-2008-3962 01-374327-use-gnutls.patch diff -u ssmtp-2.62/debian/changelog ssmtp-2.62/debian/changelog --- ssmtp-2.62/debian/changelog +++ ssmtp-2.62/debian/changelog @@ -1,3 +1,11 @@ +ssmtp (2.62-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix possible information disclosure in corner cases (no gecos) + by adding a missing else branch (02-CVE-2008-3962; Closes: #498366). + + -- Nico Golde <[EMAIL PROTECTED]> Thu, 02 Oct 2008 14:15:57 +0200 + ssmtp (2.62-1) unstable; urgency=low * New upstream version only in patch2: unchanged: --- ssmtp-2.62.orig/debian/patches/02-CVE-2008-3962 +++ ssmtp-2.62/debian/patches/02-CVE-2008-3962 @@ -0,0 +1,16 @@ +Index: ssmtp-2.62/ssmtp.c +=================================================================== +--- ssmtp-2.62.orig/ssmtp.c 2008-10-02 14:15:39.000000000 +0200 ++++ ssmtp-2.62/ssmtp.c 2008-10-02 14:15:41.000000000 +0200 +@@ -485,6 +485,11 @@ + die("from_format() -- snprintf() failed"); + } + } ++ else { ++ if(snprintf(buf, BUF_SZ, "%s", str) == -1) { ++ die("from_format() -- snprintf() failed"); ++ } ++ } + } + + #if 0
pgpePcGAQyxMp.pgp
Description: PGP signature