Bug 618132 - (CVE-2008-7258) CVE-2008-7258 Ssmtp: Buffer overflow by cutting '\n' sequence from lines with leading dot
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20081012,reported=2...
: Security
Depends On: 582236
Reported: 2010-07-26 04:39 EDT by Jan Lieskovsky
Modified: 2015-07-31 08:09 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-08-20 05:28:38 EDT
Description Jan Lieskovsky 2010-07-26 04:39:12 EDT
Brendan Boerner reported:
  [1] https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424

a deficiency in the way ssmtp removed trailing '\n' sequence
by processing lines beginning with a leading dot. A local user
could send a specially-crafted e-mail message via ssmtp send-only
sendmail emulator, leading to ssmtp executable denial of service (exit with:
ssmtp: standardise() -- Buffer overflow). Different vulnerability
than CVE-2008-3962.

References:
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=582236
  [3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3962
  [4] http://patch-tracker.debian.org/package/ssmtp/2.62-3
  [5] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041012.html
  [6] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041009.html
  [7] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041119.html

Debian Linux distribution patch:
  [8] http://patch-tracker.debian.org/patch/series/view/ssmtp/2.62-3/345780-standardise-bufsize
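
The line-normalisation step this report describes (strip the trailing '\n', then handle a line that begins with a dot), written as an added C example; it is not ssmtp's code and not the Debian patch. It passes the buffer capacity explicitly and returns an error to the caller instead of terminating the process. The function name, result codes and `at_line_start` parameter are hypothetical, and the dot handling is assumed to be SMTP dot-stuffing (RFC 5321, section 4.5.2).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum stuff_result { STUFF_OK = 0, STUFF_PARTIAL = 1, STUFF_NO_ROOM = -1 };

/*
 * Normalise one chunk read with fgets(buf, cap, fp):
 *  - strip the trailing '\n' if present;
 *  - if the chunk starts a new line and begins with '.', insert a second '.'.
 * at_line_start: non-zero when the previous chunk ended with '\n'.
 * Returns STUFF_PARTIAL when no '\n' was seen (the line continues in the next
 * chunk) and STUFF_NO_ROOM, leaving buf untouched, when the extra dot plus
 * the terminating NUL would not fit in cap bytes.
 */
int dot_stuff_chunk(char *buf, size_t cap, int at_line_start)
{
    const char *nul = memchr(buf, '\0', cap);
    if (nul == NULL)
        return STUFF_NO_ROOM;            /* not NUL-terminated within cap */

    size_t len = (size_t)(nul - buf);
    int complete = (len > 0 && buf[len - 1] == '\n');
    size_t body = complete ? len - 1 : len;   /* length without the '\n' */

    if (at_line_start && buf[0] == '.') {
        if (body + 2 > cap)              /* body + extra dot + NUL */
            return STUFF_NO_ROOM;
        memmove(buf + 1, buf, body);     /* slide the text up by one byte */
        buf[0] = '.';
        body++;
    }
    buf[body] = '\0';
    return complete ? STUFF_OK : STUFF_PARTIAL;
}

int main(void)
{
    char line[8] = ".2345\n";            /* constructed sample input */
    int r = dot_stuff_chunk(line, sizeof line, 1);
    printf("%d \"%s\"\n", r, line);
    return 0;
}
```

A chunk that fills the whole buffer without a newline and starts with a dot is the case with no room for the extra byte; the caller decides how to handle `STUFF_NO_ROOM`, for example by growing the buffer.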
Comment 1 Jan Lieskovsky 2010-07-26 04:48:06 EDT
This issue has been addressed in the following versions of ssmtp:
  [1] ssmtp-2.61-14.el5 for Fedora EPEL 5
  [2] ssmtp-2.61-14.el4 for Fedora EPEL 4
  [3] ssmtp-2.61-14.fc13 for Fedora 13
  [4] ssmtp-2.61-14.fc12 for Fedora 12
  [5] ssmtp-2.61-14.fc11 for Fedora 11
Comment 2 manuel wolfshant 2010-07-26 05:07:31 EDT
Thank you, Jan.

However, according to https://bugzilla.redhat.com/show_bug.cgi?id=617491, the bug was not properly fixed. Although I am quite puzzled, as I have applied the Debian patch, http://cvs.fedoraproject.org/viewvc/rpms/ssmtp/devel/ssmtp-standardise.patch?revision=1.1&view=markup
Note that I have never been able to reproduce the bug.
Comment 3 Jan Lieskovsky 2010-08-03 09:55:53 EDT
The CVE identifier of CVE-2008-7258 has been assigned to this.
Comment 4 manuel wolfshant 2010-08-03 10:09:30 EDT
ssmtp-2.61-15 has been pushed to all repos (-testing for now) and it should solve the problem.
