Bug 461882 - (CVE-2008-3962) CVE-2008-3962 ssmtp: unitialized memory disclosure
CVE-2008-3962 ssmtp: unitialized memory disclosure
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Reopened, Security
Depends On:
  Show dependency treegraph
Reported: 2008-09-11 03:08 EDT by Tomas Hoger
Modified: 2010-03-29 04:30 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-29 04:30:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-09-11 03:08:16 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3962 to the following vulnerability:

The from_format function in ssmtp.c in ssmtp 2.62, in certain
configurations, uses uninitialized memory for the From: field of an
e-mail message, which might allow remote attackers to obtain sensitive
information (memory contents) in opportunistic circumstances by
reading a message.

Comment 1 manuel wolfshant 2008-09-11 05:10:45 EDT
Fedora includes the older version (2.61) which according to the link that you have posted (http://www.openwall.com/lists/oss-security/2008/09/09/5) is not affected.
Please reopen the bug if it really affects Fedora users.
Comment 2 Tomas Hoger 2008-09-11 05:36:11 EDT
I originally intended to make this an FYI-kind of bug to make you aware of the issue to keep in mind in case you decide to upgrade to 2.62.  I planned to close it myself, but after checking the code, Fedora version seemed vulnerable to me.

I've double checked with Gentoo developers and got confirmation that 2.61 is affected as well, they only had a patch for it in their ssmtp packages in 2.61, and accidentally dropped it during the rebase to 2.62.  Follow-up clarification mail was sent by Robert (thanks!):

Comment 3 manuel wolfshant 2008-09-11 05:44:29 EDT
All right, thanks a lot for the heads-up. I am looking into it right now.
Comment 4 manuel wolfshant 2008-09-11 12:38:41 EDT
I have just build ssmtp-2.61-11.6.fc10 in koji. If in a couple of days I receive no complaints, I'll push the same changes to F9/F8 and EPEL.
I am leaving the bug open till then.
Comment 5 Tomas Hoger 2008-09-11 13:07:53 EDT
Sounds good given the low impact of the issue.  Thank you!
Comment 6 Fedora Update System 2008-09-12 16:10:35 EDT
ssmtp-2.61-11.6.fc8.1 has been submitted as an update for Fedora 8.
Comment 7 manuel wolfshant 2008-09-12 17:11:45 EDT
The same package was built in plague for EL-4 and EL-5 and pushed to testing.
Bodhi does not allow me to add an update for F9. I'll retry tomorrow.
Comment 8 Fedora Update System 2008-09-12 17:15:54 EDT
ssmtp-2.61-11.6.fc9.1 has been submitted as an update for Fedora 9.
Comment 9 manuel wolfshant 2008-09-12 21:58:34 EDT
The Fedora packages have been pushed in their corresponding directories, the EPEL packages are submitted to be included in the /testing repos (I think that since  the security issue is rated "low impact", pushing directly to stable is not needed).

Please reopen the bug if the problem still persists.
Comment 10 Fedora Update System 2008-09-14 02:48:15 EDT
ssmtp-2.61-11.6.fc8.1 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-09-14 02:49:42 EDT
ssmtp-2.61-11.6.fc9.1 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.