Bug 618132 (CVE-2008-7258)

Summary: CVE-2008-7258 Ssmtp: Buffer overflow by cutting '\n' sequence from lines with leading dot
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: unspecified
CC: manuel.wolfshant
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-08-20 09:28:38 UTC
Bug Depends On: 582236

Description Jan Lieskovsky 2010-07-26 08:39:12 UTC
Brendan Boerner reported:
  [1] https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424

a deficiency in the way ssmtp removed the trailing '\n' sequence
by processing lines beginning with a leading dot. A local user
could send a specially-crafted e-mail message via the ssmtp send-only
sendmail emulator, leading to ssmtp executable denial of service (exit with:
ssmtp: standardise() -- Buffer overflow). This is a different vulnerability
than CVE-2008-3962.

References:
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=582236
  [3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3962
  [4] http://patch-tracker.debian.org/package/ssmtp/2.62-3
  [5] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041012.html
  [6] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041009.html
  [7] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041119.html

Debian Linux distribution patch:
  [8] http://patch-tracker.debian.org/patch/series/view/ssmtp/2.62-3/345780-standardise-bufsize
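
A bounds-checked form of the operation described above (strip the trailing '\n', then double a leading dot as SMTP dot-stuffing requires), added here as an illustration; it is not ssmtp's code or the Debian patch, and the function name, return codes and 8-byte buffers are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes for this sketch. */
enum { STUFF_OK = 0, STUFF_TOO_LONG = -1 };

/*
 * buf holds one chunk of a message line; cap is its full capacity in bytes,
 * NUL included. *linestart is non-zero when the chunk begins a new line.
 * A trailing '\n' is stripped, and a chunk that starts a line with '.' gets
 * a second '.' in front, which grows the string by one byte. All space
 * checks are done against cap before anything is modified.
 */
int dot_stuff_line(char *buf, size_t cap, int *linestart)
{
    const char *nul = memchr(buf, '\0', cap);
    if (nul == NULL)                       /* not terminated within cap */
        return STUFF_TOO_LONG;

    size_t len = (size_t)(nul - buf);
    int has_nl = (len > 0 && buf[len - 1] == '\n');
    size_t final_len = len - (size_t)has_nl;
    int need_dot = (*linestart && buf[0] == '.');

    /* final_len characters + the extra '.' + the NUL must fit in cap. */
    if (need_dot && final_len + 2 > cap)
        return STUFF_TOO_LONG;

    buf[final_len] = '\0';                 /* drop the newline, if any */
    if (need_dot) {
        memmove(buf + 1, buf, final_len + 1);   /* moves the NUL too */
        buf[0] = '.';
    }
    *linestart = has_nl;                   /* newline seen: next chunk starts a line */
    return STUFF_OK;
}

int main(void)
{
    /* Constructed inputs: one that fits after stuffing, one that cannot. */
    char fits[8] = ".abcde\n", full[8] = ".abcdef";
    int ls = 1;
    int rc = dot_stuff_line(fits, sizeof fits, &ls);
    printf("%d \"%s\"\n", rc, fits);
    ls = 1;
    rc = dot_stuff_line(full, sizeof full, &ls);
    printf("%d \"%s\"\n", rc, full);
    return 0;
}
```

Returning an error to the caller, rather than exiting, lets the sender reject or split an over-long line instead of terminating on crafted input.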

Comment 1 Jan Lieskovsky 2010-07-26 08:48:06 UTC
This issue has been addressed in the following versions of ssmtp:
  [1] ssmtp-2.61-14.el5 for Fedora EPEL 5
  [2] ssmtp-2.61-14.el4 for Fedora EPEL 4
  [3] ssmtp-2.61-14.fc13 for Fedora 13
  [4] ssmtp-2.61-14.fc12 for Fedora 12
  [5] ssmtp-2.61-14.fc11 for Fedora 11

Comment 2 manuel wolfshant 2010-07-26 09:07:31 UTC
Thank you, Jan.

However, according to https://bugzilla.redhat.com/show_bug.cgi?id=617491, the bug was not properly fixed. Although I am quite puzzled, as I have applied the Debian patch, http://cvs.fedoraproject.org/viewvc/rpms/ssmtp/devel/ssmtp-standardise.patch?revision=1.1&view=markup
Note that I have never been able to reproduce the bug.

Comment 3 Jan Lieskovsky 2010-08-03 13:55:53 UTC
The CVE identifier of CVE-2008-7258 has been assigned to this.

Comment 4 manuel wolfshant 2010-08-03 14:09:30 UTC
ssmtp-2.61-15 has been pushed to all repos (-testing for now) and it should solve the problem.