Bug 1268793 - (CVE-2015-7687) CVE-2015-7687 OpenSMTPD: multiple vulnerabilities fixed in 5.7.2
CVE-2015-7687 OpenSMTPD: multiple vulnerabilities fixed in 5.7.2
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20151002,repo...
: Security
Depends On: 1268794 1268795
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-05 05:19 EDT by Martin Prpič
Modified: 2015-11-02 05:26 EST (History)
3 users (show)

See Also:
Fixed In Version: OpenSMTPD 5.7.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-26 15:11:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2015-10-05 05:19:11 EDT
Several vulnerabilities have been fixed in OpenSMTPD 5.7.2:

- an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory;

- multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD;

- a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;

- a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files;

- a hardlink attack that allows local users to read the first line of arbitrary files (for example, root's hash from /etc/master.passwd);

- a denial-of-service vulnerability that allows remote attackers to fill OpenSMTPD's queue or mailbox hard-disk partition;

- an out-of-bounds memory read that allows remote attackers to crash OpenSMTPD, or leak information and defeat the ASLR protection;

- a use-after-free vulnerability that allows remote attackers to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;

Further details can be found in Qualys' audit report:

http://seclists.org/oss-sec/2015/q4/17

MITRE has assigned one CVE for the use-after-free vulnerability; additional CVEs may be assigned:

http://seclists.org/oss-sec/2015/q4/23

External References:

https://www.opensmtpd.org/announces/release-5.7.2.txt
http://seclists.org/oss-sec/2015/q4/17
Comment 1 Martin Prpič 2015-10-05 05:19:43 EDT
Created opensmtpd tracking bugs for this issue:

Affects: fedora-all [bug 1268794]
Affects: epel-all [bug 1268795]
Comment 2 Denis Fateyev 2015-10-05 07:38:19 EDT
This update is already in testing. Just edited the descriptions on Bodhi to be more specific on vulnerabilities fixed, and added bugs above.

Everybody interested is encouraged to test the update and give feedback.
Comment 3 Denis Fateyev 2015-10-26 15:11:21 EDT
Fixed in opensmtpd version 5.7.3 which is on stable.

Note You need to log in before you can comment on or make changes to this bug.