1200780 – postfix: postlog NULL pointer dereference crash when invoked with incorrect arguments

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1200780 - postfix: postlog NULL pointer dereference crash when invoked with incorrect arguments

Summary: postfix: postlog NULL pointer dereference crash when invoked with incorrect a...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	postfix
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Jaroslav Škarvada
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-03-11 11:35 UTC by Christoffer Strömblad
Modified:	2017-09-06 07:36 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-09-06 07:36:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
upstream patch (555 bytes, patch) 2016-09-12 16:18 UTC, Ondřej Lysoněk	no flags	Details \| Diff
View All

Description Christoffer Strömblad 2015-03-11 11:35:41 UTC

Description of problem:
When issuing the command postlog with invalid parameters the program will crash. According to this (http://permalink.gmane.org/gmane.mail.postfix.devel/2942) discussion the problem seem to have been addressed, but unsure.

Due to the potential exploitability and severe consequences a bug was determined to be the best option to highlight the potential problem.

Version-Release number of selected component (if applicable):
postfix-2.6.6-6.el6_5.x86_64

How reproducible:
Every time.

Steps to Reproduce:
1. Issue command 'postlog --help' (or any other invalid parameter for that matter)
2. That's it.

Actual results:
Segmentation fault.

Expected results:
A command usage help text according to the code.

Additional info:

Comment 1 Tomas Hoger 2015-03-11 12:59:06 UTC

(In reply to Christoffer Strömblad from comment #0)
> Due to the potential exploitability and severe consequences a bug was
> determined to be the best option to highlight the potential problem.

Considering that this is simple NULL pointer dereference in a non-suid/sgid application not meant to be run as daemon, you probably should clarify the exploitability and severe consequences.  Looks like a non-security bug, hence re-assigning where this should have been filed.

Note that two patches were already proposed by upstream developers:

http://thread.gmane.org/gmane.mail.postfix.devel/2942/focus=2943
http://thread.gmane.org/gmane.mail.postfix.devel/2942/focus=2945

Comment 2 Christoffer Strömblad 2015-03-11 13:04:40 UTC

I apologise if this was posted in the wrong category under incorrect assumptions. I'm not in anyway an experienced developer or system-administrator but felt that a segmentation fault in a software that had ownership of root/root might be something to look into with POTENTIAL exploitability and consequences.

If you judge this to be non-security related issue, excellent. I wouldn't know, but felt that the "better safe than sorry" maxim was appropriate.

Comment 6 Ondřej Lysoněk 2016-09-12 16:18:31 UTC

Created attachment 1200243 [details]
upstream patch

Attaching the patch which was used upstream.

Comment 8 Tomáš Hozza 2017-09-06 07:36:17 UTC

Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com

Note You need to log in before you can comment on or make changes to this bug.