[arch-security] [ASA-201510-5] opensmtpd: multiple issues
Arch Linux Security Advisory ASA-201510-5
=========================================

Severity: Critical
Date    : 2015-10-08
CVE-ID  : CVE-2015-7687
Package : opensmtpd
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package opensmtpd before version 5.7.3p1-1 is vulnerable to multiple
issues including but not limited to arbitrary code execution, denial of
service and information disclosure.

Resolution
==========

Upgrade to 5.7.3p1-1.

# pacman -Syu "opensmtpd>=5.7.3p1-1"

The problems have been fixed upstream in version 5.7.3p1.

Workaround
==========

None.

Description
===========

- an oversight in the portable version of fgetln() that allows attackers
  to read and write out-of-bounds memory

- multiple denial-of-service vulnerabilities that allow local users to
  kill or hang OpenSMTPD

- a stack-based buffer overflow that allows local users to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user

- a hardlink attack (or race-conditioned symlink attack) that allows
  local users to unset the chflags() of arbitrary files

- a hardlink attack that allows local users to read the first line of
  arbitrary files (for example, root's hash from /etc/master.passwd)

- a denial-of-service vulnerability that allows remote attackers to fill
  OpenSMTPD's queue or mailbox hard-disk partition

- an out-of-bounds memory read that allows remote attackers to crash
  OpenSMTPD, or leak information and defeat the ASLR protection

- a use-after-free vulnerability that allows remote attackers to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user

- fix an mda buffer truncation bug which allows a user to create forward
  files that pass session checks but fail delivery later down the chain,
  within the user mda

- fix remote buffer overflow in unprivileged pony process

- reworked offline enqueue to better protect against hardlink attacks

Impact
======

A remote attacker is able to execute arbitrary code, crash the process
to perform a denial of service attack, read arbitrary memory to disclose
information and defeat ASLR or have other unspecified impact via various
vectors.

References
==========

https://access.redhat.com/security/cve/CVE-2015-7687
https://www.opensmtpd.org/announces/release-5.7.2.txt
https://www.opensmtpd.org/announces/release-5.7.3.txt
http://seclists.org/oss-sec/2015/q4/17
https://bugs.archlinux.org/task/46605
Levente Polyak
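The hardlink and symlink items in the Description are the class of bug where a privileged daemon opens a file that a local user was able to place in a shared directory. The following is an added example of the usual defensive open, not code from OpenSMTPD or from this advisory; the function name open_owned_regular and its choice of errno values are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, S_ISREG, link(), symlink() */
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper: open a file found in a directory that local users
 * can write to, and refuse it unless it is a plain file with exactly one
 * name, owned by the uid we expect.
 * Returns a read-only fd on success, or -1 with errno set.
 */
int open_owned_regular(const char *path, uid_t expected_uid)
{
    struct stat sb;
    int fd, saved;

    /* O_NOFOLLOW: fail if the last path component is a symlink
     * (ELOOP on Linux). O_NONBLOCK: do not hang on a planted FIFO. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1)
        return -1;

    /* fstat() the descriptor, not the path: the checks then apply to the
     * object actually opened, so it cannot be swapped between check and
     * use. */
    if (fstat(fd, &sb) == -1)
        goto fail;
    if (!S_ISREG(sb.st_mode)) {        /* FIFO, device, directory, ... */
        errno = EINVAL;
        goto fail;
    }
    if (sb.st_nlink != 1) {            /* the file has another name elsewhere */
        errno = EMLINK;
        goto fail;
    }
    if (sb.st_uid != expected_uid) {   /* a hard link keeps the target's owner */
        errno = EPERM;
        goto fail;
    }
    return fd;

fail:
    saved = errno;                     /* close() may overwrite errno */
    close(fd);
    errno = saved;
    return -1;
}
```

A hard link to a file such as /etc/master.passwd fails both the link-count and the owner check, because the link shares the target's inode and therefore its owner and link count.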