Red Hat Bugzilla – Bug 461882
CVE-2008-3962 ssmtp: unitialized memory disclosure
Last modified: 2010-03-29 04:30:51 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3962 to the following vulnerability:
The from_format function in ssmtp.c in ssmtp 2.62, in certain
configurations, uses uninitialized memory for the From: field of an
e-mail message, which might allow remote attackers to obtain sensitive
information (memory contents) in opportunistic circumstances by
reading a message.
Fedora includes the older version (2.61) which according to the link that you have posted (http://www.openwall.com/lists/oss-security/2008/09/09/5) is not affected.
Please reopen the bug if it really affects Fedora users.
I originally intended to make this an FYI-kind of bug to make you aware of the issue to keep in mind in case you decide to upgrade to 2.62. I planned to close it myself, but after checking the code, Fedora version seemed vulnerable to me.
I've double checked with Gentoo developers and got confirmation that 2.61 is affected as well, they only had a patch for it in their ssmtp packages in 2.61, and accidentally dropped it during the rebase to 2.62. Follow-up clarification mail was sent by Robert (thanks!):
All right, thanks a lot for the heads-up. I am looking into it right now.
I have just build ssmtp-2.61-11.6.fc10 in koji. If in a couple of days I receive no complaints, I'll push the same changes to F9/F8 and EPEL.
I am leaving the bug open till then.
Sounds good given the low impact of the issue. Thank you!
ssmtp-2.61-11.6.fc8.1 has been submitted as an update for Fedora 8.
The same package was built in plague for EL-4 and EL-5 and pushed to testing.
Bodhi does not allow me to add an update for F9. I'll retry tomorrow.
ssmtp-2.61-11.6.fc9.1 has been submitted as an update for Fedora 9.
The Fedora packages have been pushed in their corresponding directories, the EPEL packages are submitted to be included in the /testing repos (I think that since the security issue is rated "low impact", pushing directly to stable is not needed).
Please reopen the bug if the problem still persists.
ssmtp-2.61-11.6.fc8.1 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ssmtp-2.61-11.6.fc9.1 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.