oss-sec mailing list archives
Re: CVE requests: Critical vulnerabilities in OpenSMTPD
From: Gilles Chehade <gilles () poolp org>
Date: Fri, 2 Oct 2015 16:16:14 +0200
On Fri, Oct 02, 2015 at 03:22:01PM +0200, Jason A. Donenfeld wrote:
Hello,
Hello,
See this excerpt from the release notes below. Quite a few bugs. Looks like at least one of them might invalidate the openbsd.org claim, "Only two remote holes in the default install, in a heck of a long time!".
Not really, no. By default, the MTA operates in local-mode only accepting connections on the loopback interface and through the unix socket. This is also true on OpenSMTPD -portable. Not to mention that remote vulnerabilities only affect a process that is unprivileged and that the local vulnerabilities, as far as I know, don't allow for privileges escalation, only leaking of a hash (yes, it is bad, but you don't suddenly compromise the machine either).
CCing the OpenSMTPD mailing list (low-volume; don't worry Solar!) in case they want to chime in too.
I'll chime in. As we made clear in the commits and release note these issues were found by Qualys Security during an audit, for which they're going to publish a detailed advisory (very good read) with CVE associated to each issue.
---------- Forwarded message ---------- From: Gilles Chehade <gilles () poolp org> Date: Fri, Oct 2, 2015 at 4:01 AM Subject: Announce: OpenSMTPD 5.7.2 released To: misc () opensmtpd org [...snip...] Issues fixed in this release (5.7.2, since 5.7.1): =========================================== - an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory; - multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD; - a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; - a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files; - a hardlink attack that allows local users to read the first line of arbitrary files (for example, root's hash from /etc/master.passwd); - a denial-of-service vulnerability that allows remote attackers to fill OpenSMTPD's queue or mailbox hard-disk partition; - an out-of-bounds memory read that allows remote attackers to crash OpenSMTPD, or leak information and defeat the ASLR protection; - a use-after-free vulnerability that allows remote attackers to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; -- You received this mail because you are subscribed to misc () opensmtpd org To unsubscribe, send a mail to: misc+unsubscribe () opensmtpd org
-- Gilles Chehade https://www.poolp.org @poolpOrg
Current thread:
- CVE requests: Critical vulnerabilities in OpenSMTPD Jason A. Donenfeld (Oct 02)
- Re: CVE requests: Critical vulnerabilities in OpenSMTPD Arrigo Triulzi (Oct 02)
- Re: CVE requests: Critical vulnerabilities in OpenSMTPD Jason A. Donenfeld (Oct 02)
- Re: CVE requests: Critical vulnerabilities in OpenSMTPD Gilles Chehade (Oct 02)
- Re: CVE requests: Critical vulnerabilities in OpenSMTPD Jason A. Donenfeld (Oct 02)
- Re: CVE requests: Critical vulnerabilities in OpenSMTPD Gilles Chehade (Oct 02)
- Re: CVE requests: Critical vulnerabilities in OpenSMTPD Arrigo Triulzi (Oct 02)