Hide Forgot
Description of problem: When issuing the command postlog with invalid parameters the program will crash. According to this (http://permalink.gmane.org/gmane.mail.postfix.devel/2942) discussion the problem seem to have been addressed, but unsure. Due to the potential exploitability and severe consequences a bug was determined to be the best option to highlight the potential problem. Version-Release number of selected component (if applicable): postfix-2.6.6-6.el6_5.x86_64 How reproducible: Every time. Steps to Reproduce: 1. Issue command 'postlog --help' (or any other invalid parameter for that matter) 2. That's it. Actual results: Segmentation fault. Expected results: A command usage help text according to the code. Additional info:
(In reply to Christoffer Strömblad from comment #0) > Due to the potential exploitability and severe consequences a bug was > determined to be the best option to highlight the potential problem. Considering that this is simple NULL pointer dereference in a non-suid/sgid application not meant to be run as daemon, you probably should clarify the exploitability and severe consequences. Looks like a non-security bug, hence re-assigning where this should have been filed. Note that two patches were already proposed by upstream developers: http://thread.gmane.org/gmane.mail.postfix.devel/2942/focus=2943 http://thread.gmane.org/gmane.mail.postfix.devel/2942/focus=2945
I apologise if this was posted in the wrong category under incorrect assumptions. I'm not in anyway an experienced developer or system-administrator but felt that a segmentation fault in a software that had ownership of root/root might be something to look into with POTENTIAL exploitability and consequences. If you judge this to be non-security related issue, excellent. I wouldn't know, but felt that the "better safe than sorry" maxim was appropriate.
Created attachment 1200243 [details] upstream patch Attaching the patch which was used upstream.
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com