Brendan Boerner reported:
[1] https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424

a deficiency in the way ssmtp removed the trailing '\n' sequence when processing lines beginning with a leading dot. A local user could send a specially-crafted e-mail message via the ssmtp send-only sendmail emulator, leading to a denial of service of the ssmtp executable (exit with: ssmtp: standardise() -- Buffer overflow).

Different vulnerability than CVE-2008-3962.

References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=582236
[3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3962
[4] http://patch-tracker.debian.org/package/ssmtp/2.62-3
[5] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041012.html
[6] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041009.html
[7] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041119.html

Debian Linux distribution patch:
[8] http://patch-tracker.debian.org/patch/series/view/ssmtp/2.62-3/345780-standardise-bufsize
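The class of check involved, as an added example that is not part of the original report and is not ssmtp's code: stripping the trailing '\n' and doubling a leading dot inside a fixed-size line buffer, with the final length computed before anything is moved. The function name, its parameters (including the at_line_start flag) and the sample lines are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not ssmtp's standardise(): prepares one message line
 * held in buf (capacity bufsize bytes, NUL included) for sending.
 * Returns 0 on success, -1 if the processed line would not fit. On -1 the
 * buffer is left untouched so the caller can reject the message cleanly
 * instead of aborting the whole program. */
int prepare_data_line(char *buf, size_t bufsize, int at_line_start)
{
    size_t len, out_len;
    int strip_nl, stuff_dot;

    /* Refuse buffers that are not NUL-terminated within their capacity. */
    if (buf == NULL || bufsize == 0 || memchr(buf, '\0', bufsize) == NULL)
        return -1;
    len = strlen(buf);

    /* Decide both transformations first, then size the result once:
     * the trailing '\n' is dropped, a leading '.' is doubled. */
    strip_nl = (len > 0 && buf[len - 1] == '\n');
    stuff_dot = (at_line_start && buf[0] == '.');
    out_len = len - (strip_nl ? 1 : 0) + (stuff_dot ? 1 : 0);
    if (out_len + 1 > bufsize)          /* +1 for the terminating NUL */
        return -1;

    if (strip_nl)
        buf[--len] = '\0';
    if (stuff_dot) {
        memmove(buf + 1, buf, len + 1); /* shift text and NUL up by one */
        buf[0] = '.';
    }
    return 0;
}

int main(void)
{
    /* Constructed sample lines in a deliberately tiny 7-byte buffer. */
    char fits[7] = ".aaaa\n";   /* newline removal frees the byte the dot needs */
    char full[7] = ".aaaaa";    /* no newline: the doubled dot cannot fit */

    printf("%d %s\n", prepare_data_line(fits, sizeof fits, 1), fits);
    printf("%d %s\n", prepare_data_line(full, sizeof full, 1), full);
    return 0;
}
```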
This issue has been addressed in the following versions of ssmtp:
[1] ssmtp-2.61-14.el5 for Fedora EPEL 5
[2] ssmtp-2.61-14.el4 for Fedora EPEL 4
[3] ssmtp-2.61-14.fc13 for Fedora 13
[4] ssmtp-2.61-14.fc12 for Fedora 12
[5] ssmtp-2.61-14.fc11 for Fedora 11
Thank you, Jan. However, according to https://bugzilla.redhat.com/show_bug.cgi?id=617491, the bug was not properly fixed. I am quite puzzled, though, as I have applied the Debian patch: http://cvs.fedoraproject.org/viewvc/rpms/ssmtp/devel/ssmtp-standardise.patch?revision=1.1&view=markup

Note that I have never been able to reproduce the bug.
The CVE identifier of CVE-2008-7258 has been assigned to this.
ssmtp-2.61-15 has been pushed to all repos (-testing for now) and it should solve the problem.