Bug 469415 - Security bug in tmail and dmail
Product: Fedora EPEL
Classification: Fedora
Component: uw-imap
Hardware: All Linux
Priority: medium  Severity: urgent
Assigned To: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
Blocks: CVE-2008-5005
Reported: 2008-10-31 14:30 EDT by Pawel Salek
Modified: 2008-11-03 08:55 EST
Doc Type: Bug Fix
Last Closed: 2008-10-31 15:02:40 EDT

Description Pawel Salek 2008-10-31 14:30:34 EDT
Description of problem:
Copied from a post to imap-uw@u.washington.edu:

There is a security bug in versions of the programs tmail and dmail distributed with the IMAP Toolkit versions 2007c or earlier (all versions prior to 2008-10-29). This includes the version distributed with Alpine 2.00. A fixed version of the programs is included in the IMAP Toolkit version 2007d.[cut]

If you are using tmail or dmail you should replace them with the fixed versions immediately. The bug is exploitable by local users with shell access and may be remotely exploitable on some systems. A default sendmail installation with tmail as a delivery agent is not remotely exploitable because of length limits imposed by sendmail.[cut]

Comment 1 Rex Dieter 2008-10-31 14:35:51 EDT
Pkgs built, update pending.

Comment 2 Rex Dieter 2008-10-31 15:02:40 EDT
updates push underway, expect to see uw-imap-2007d-1.el5 landing soon in an epel repo near you.

Comment 3 Tomas Hoger 2008-11-03 06:08:25 EST
Rex, Pawel, do you have any further details about these issues?  Upstream announcement is fairly vague.  Additionally, description suggests that tmail issue can be used by local shell users to get root, but can not be exploited remotely over MTA.  On the first read, it sounds like this would expect tmail to be setuid root, which does not seem to be the case with Fedora packages by default, but seems to be suggested as required in some setups.

Sorry, I'm not very familiar with uw-imap, so suggestions are welcome.

Comment 4 Pawel Salek 2008-11-03 07:16:31 EST
It's a classical stack overflow that can be triggered by passing +VERYLONGSTRING as the argument to [dt]mail. The program attempts to copy the string to a temporary buffer without checking its length. This is only a root exploit if the program is suid root. It is a remote exploit if the smtp delivery program passes the argument to tmail longer than 1024 characters, e.g. via the $u variable in:
define(`LOCAL_MAILER_ARGS', `tmail $u')dnl
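
The unchecked copy described in Comment 4, next to a length-checked version, as an added example that is not part of the original report and is not the uw-imap source. The function names, the "user+folder" argument form and the 1024-byte buffer size (borrowed from the 1024-character figure in Comment 4) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define TMPLEN 1024 /* assumed buffer size, from the 1024-character figure in Comment 4 */
/* Unchecked pattern as described in Comment 4 (hypothetical reconstruction): the text
 * after '+' goes into a fixed stack buffer, so TMPLEN or more bytes write past tmp. */
size_t folder_len_unchecked(const char *arg)
{
    char tmp[TMPLEN];
    const char *plus = strchr(arg, '+');
    if (plus == NULL) return 0;
    strcpy(tmp, plus + 1);              /* no length check */
    return strlen(tmp);
}

/* Checked form: split "user+folder" into caller buffers. Oversized parts are rejected,
 * not truncated, so mail is never filed under a shortened name. 0 = ok, -1 = rejected. */
int split_recipient(const char *arg, char *user, size_t ulen,
                    char *folder, size_t flen)
{
    const char *plus = strchr(arg, '+');
    size_t n = plus ? (size_t)(plus - arg) : strlen(arg);
    size_t m = plus ? strlen(plus + 1) : 0;
    if (n == 0 || n >= ulen || m >= flen) return -1;
    memcpy(user, arg, n);
    user[n] = '\0';
    memcpy(folder, plus ? plus + 1 : "", m + 1);   /* m + 1 copies the NUL */
    return 0;
}

/* Constructed input: "user+" followed by n filler bytes; returns the verdict. */
int check_suffix_of(size_t n)
{
    static char arg[4 * TMPLEN];
    char user[64], folder[TMPLEN];
    if (n + 6 > sizeof arg) return -2;
    memcpy(arg, "user+", 5);
    memset(arg + 5, 'A', n);
    arg[5 + n] = '\0';
    return split_recipient(arg, user, sizeof user, folder, sizeof folder);
}

int main(void)
{
    printf("1023-byte suffix: %d\n", check_suffix_of(TMPLEN - 1));  /* fits */
    printf("1024-byte suffix: %d\n", check_suffix_of(TMPLEN));      /* rejected */
    return 0;
}
```

The checked version fails closed at the boundary: a suffix of exactly TMPLEN bytes is refused because there would be no room for the terminating NUL.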
Comment 5 Tomas Hoger 2008-11-03 08:55:03 EST
Pawel, thanks for the hint. It seems to be consistent with what I managed to find out so far. Further comments will be added to bug #469667, that will be used to track the issue across all affected products.
