Bug 461882 (CVE-2008-3962) - CVE-2008-3962 ssmtp: unitialized memory disclosure
Summary: CVE-2008-3962 ssmtp: unitialized memory disclosure
Alias: CVE-2008-3962
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2008-09-11 07:08 UTC by Tomas Hoger
Modified: 2010-03-29 08:30 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-29 08:30:51 UTC

Attachments (Terms of Use)

Description Tomas Hoger 2008-09-11 07:08:16 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3962 to the following vulnerability:

The from_format function in ssmtp.c in ssmtp 2.62, in certain
configurations, uses uninitialized memory for the From: field of an
e-mail message, which might allow remote attackers to obtain sensitive
information (memory contents) in opportunistic circumstances by
reading a message.


Comment 1 manuel wolfshant 2008-09-11 09:10:45 UTC
Fedora includes the older version (2.61) which according to the link that you have posted (http://www.openwall.com/lists/oss-security/2008/09/09/5) is not affected.
Please reopen the bug if it really affects Fedora users.

Comment 2 Tomas Hoger 2008-09-11 09:36:11 UTC
I originally intended to make this an FYI-kind of bug to make you aware of the issue to keep in mind in case you decide to upgrade to 2.62.  I planned to close it myself, but after checking the code, Fedora version seemed vulnerable to me.

I've double checked with Gentoo developers and got confirmation that 2.61 is affected as well, they only had a patch for it in their ssmtp packages in 2.61, and accidentally dropped it during the rebase to 2.62.  Follow-up clarification mail was sent by Robert (thanks!):


Comment 3 manuel wolfshant 2008-09-11 09:44:29 UTC
All right, thanks a lot for the heads-up. I am looking into it right now.

Comment 4 manuel wolfshant 2008-09-11 16:38:41 UTC
I have just build ssmtp-2.61-11.6.fc10 in koji. If in a couple of days I receive no complaints, I'll push the same changes to F9/F8 and EPEL.
I am leaving the bug open till then.

Comment 5 Tomas Hoger 2008-09-11 17:07:53 UTC
Sounds good given the low impact of the issue.  Thank you!

Comment 6 Fedora Update System 2008-09-12 20:10:35 UTC
ssmtp-2.61-11.6.fc8.1 has been submitted as an update for Fedora 8.

Comment 7 manuel wolfshant 2008-09-12 21:11:45 UTC
The same package was built in plague for EL-4 and EL-5 and pushed to testing.
Bodhi does not allow me to add an update for F9. I'll retry tomorrow.

Comment 8 Fedora Update System 2008-09-12 21:15:54 UTC
ssmtp-2.61-11.6.fc9.1 has been submitted as an update for Fedora 9.

Comment 9 manuel wolfshant 2008-09-13 01:58:34 UTC
The Fedora packages have been pushed in their corresponding directories, the EPEL packages are submitted to be included in the /testing repos (I think that since  the security issue is rated "low impact", pushing directly to stable is not needed).

Please reopen the bug if the problem still persists.

Comment 10 Fedora Update System 2008-09-14 06:48:15 UTC
ssmtp-2.61-11.6.fc8.1 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-09-14 06:49:42 UTC
ssmtp-2.61-11.6.fc9.1 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.