Bug 461882 (CVE-2008-3962)

Summary: CVE-2008-3962 ssmtp: unitialized memory disclosure
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, manuel.wolfshant
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 08:30:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-09-11 07:08:16 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3962 to the following vulnerability:

The from_format function in ssmtp.c in ssmtp 2.62, in certain
configurations, uses uninitialized memory for the From: field of an
e-mail message, which might allow remote attackers to obtain sensitive
information (memory contents) in opportunistic circumstances by
reading a message.

References:
https://bugs.gentoo.org/234391
http://www.openwall.com/lists/oss-security/2008/09/09/5
Comment 1 manuel wolfshant 2008-09-11 09:10:45 UTC 
Fedora includes the older version (2.61) which according to the link that you have posted (http://www.openwall.com/lists/oss-security/2008/09/09/5) is not affected.
Please reopen the bug if it really affects Fedora users.
Comment 2 Tomas Hoger 2008-09-11 09:36:11 UTC 
I originally intended to make this an FYI-kind of bug to make you aware of the issue to keep in mind in case you decide to upgrade to 2.62.  I planned to close it myself, but after checking the code, Fedora version seemed vulnerable to me.

I've double checked with Gentoo developers and got confirmation that 2.61 is affected as well, they only had a patch for it in their ssmtp packages in 2.61, and accidentally dropped it during the rebase to 2.62.  Follow-up clarification mail was sent by Robert (thanks!):

  http://www.openwall.com/lists/oss-security/2008/09/11/2
Comment 3 manuel wolfshant 2008-09-11 09:44:29 UTC 
All right, thanks a lot for the heads-up. I am looking into it right now.
Comment 4 manuel wolfshant 2008-09-11 16:38:41 UTC 
I have just build ssmtp-2.61-11.6.fc10 in koji. If in a couple of days I receive no complaints, I'll push the same changes to F9/F8 and EPEL.
I am leaving the bug open till then.
Comment 5 Tomas Hoger 2008-09-11 17:07:53 UTC 
Sounds good given the low impact of the issue.  Thank you!
Comment 6 Fedora Update System 2008-09-12 20:10:35 UTC 
ssmtp-2.61-11.6.fc8.1 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/ssmtp-2.61-11.6.fc8.1
Comment 7 manuel wolfshant 2008-09-12 21:11:45 UTC 
The same package was built in plague for EL-4 and EL-5 and pushed to testing.
Bodhi does not allow me to add an update for F9. I'll retry tomorrow.
Comment 8 Fedora Update System 2008-09-12 21:15:54 UTC 
ssmtp-2.61-11.6.fc9.1 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ssmtp-2.61-11.6.fc9.1
Comment 9 manuel wolfshant 2008-09-13 01:58:34 UTC 
The Fedora packages have been pushed in their corresponding directories, the EPEL packages are submitted to be included in the /testing repos (I think that since  the security issue is rated "low impact", pushing directly to stable is not needed).

Please reopen the bug if the problem still persists.
Comment 10 Fedora Update System 2008-09-14 06:48:15 UTC 
ssmtp-2.61-11.6.fc8.1 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-09-14 06:49:42 UTC 
ssmtp-2.61-11.6.fc9.1 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.