[arch-security] [ASA-201510-5] opensmtpd: multiple issues
Levente Polyak
anthraxx at archlinux.org
Thu Oct 8 19:19:29 UTC 2015
Arch Linux Security Advisory ASA-201510-5
=========================================
Severity: Critical
Date    : 2015-10-08
CVE-ID  : CVE-2015-7687
Package : opensmtpd
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package opensmtpd before version 5.7.3p1-1 is vulnerable to multiple
issues including but not limited to arbitrary code execution, denial of
service and information disclosure.
Resolution
==========
Upgrade to 5.7.3p1-1.
# pacman -Syu "opensmtpd>=5.7.3p1-1"
The problems have been fixed upstream in version 5.7.3p1.
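As an added check that is not part of this advisory: a Python port of the comparison pacman itself applies (libalpm's rpmvercmp() and parseEVR(), as documented in vercmp(8)), used to decide whether an installed opensmtpd version string, as printed by `pacman -Q opensmtpd`, is older than the fixed 5.7.3p1-1. It also shows the vercmp(8) rule 1.0p < 1.0 < 1.0.a, under which a trailing alpha suffix such as p1 sorts below the bare version, so the constraint in the pacman command above would already be satisfied by a version string 5.7.3-1. The function names and the version strings used in the test are the example's own.

```python
FIXED_VERSION = "5.7.3p1-1"  # the fixed version named in the Resolution section

def rpmvercmp(a, b):
    """Port of libalpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    i = j = pi = pj = 0                  # cursors and end-of-last-segment marks
    while i < len(a) and j < len(b):
        while i < len(a) and not a[i].isalnum(): i += 1   # skip separators
        while j < len(b) and not b[j].isalnum(): j += 1
        if not (i < len(a) and j < len(b)): break
        if (i - pi) != (j - pj):         # separator runs of different length
            return -1 if (i - pi) < (j - pj) else 1
        pi, pj, isnum = i, j, a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        while pi < len(a) and kind(a[pi]): pi += 1         # walk one segment
        while pj < len(b) and kind(b[pj]): pj += 1
        seg_a, seg_b = a[i:pi], b[j:pj]
        if not seg_b:                    # numeric segment beats alpha segment
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b): # more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = pi, pj
    if i >= len(a) and j >= len(b): return 0
    # A leftover alpha suffix never beats an empty string, so per vercmp(8)
    # 1.0p < 1.0 < 1.0.a; hence "5.7.3p1" sorts below a bare "5.7.3".
    rest_a, rest_b = a[i:], b[j:]
    if (not rest_a and not rest_b[:1].isalpha()) or rest_a[:1].isalpha():
        return -1
    return 1

def parse_evr(evr):
    """Split [epoch:]version[-release] the way libalpm's parseEVR() does."""
    k = len(evr) - len(evr.lstrip("0123456789"))
    epoch, rest = (evr[:k] or "0", evr[k + 1:]) if evr[k:k + 1] == ":" else ("0", evr)
    version, sep, release = rest.rpartition("-")
    return (epoch, version, release) if sep else (epoch, rest, None)

def vercmp(a, b):
    """Port of alpm_pkg_vercmp(): compare epoch, then version, then release."""
    (e1, v1, r1), (e2, v2, r2) = parse_evr(a), parse_evr(b)
    ret = rpmvercmp(e1, e2) or rpmvercmp(v1, v2)
    return rpmvercmp(r1, r2) if ret == 0 and None not in (r1, r2) else ret

def is_affected(installed):
    """True when the installed opensmtpd version is older than FIXED_VERSION."""
    return vercmp(installed, FIXED_VERSION) < 0
```

Feed is_affected() the version column of `pacman -Q opensmtpd`; epoch prefixes and pkgrel suffixes are handled the same way pacman handles them.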
Workaround
==========
None.
Description
===========
- an oversight in the portable version of fgetln() that allows attackers
to read and write out-of-bounds memory
- multiple denial-of-service vulnerabilities that allow local users to
kill or hang OpenSMTPD
- a stack-based buffer overflow that allows local users to crash
OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user
- a hardlink attack (or race-conditioned symlink attack) that allows
local users to unset the chflags() of arbitrary files
- a hardlink attack that allows local users to read the first line of
arbitrary files (for example, root's hash from /etc/master.passwd)
- a denial-of-service vulnerability that allows remote attackers to fill
OpenSMTPD's queue or mailbox hard-disk partition
- an out-of-bounds memory read that allows remote attackers to crash
OpenSMTPD, or leak information and defeat the ASLR protection
- a use-after-free vulnerability that allows remote attackers to crash
OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user
- an mda buffer truncation bug that allows a user to create forward
files that pass session checks but fail delivery later down the chain,
within the user mda
- a remote buffer overflow in the unprivileged pony process
- an offline enqueue path that was reworked to better protect against
hardlink attacks
Impact
======
A remote attacker is able to execute arbitrary code, crash the process
to perform a denial of service attack, read arbitrary memory to disclose
information and defeat ASLR or have other unspecified impact via various
vectors.
References
==========
https://access.redhat.com/security/cve/CVE-2015-7687
https://www.opensmtpd.org/announces/release-5.7.2.txt
https://www.opensmtpd.org/announces/release-5.7.3.txt
http://seclists.org/oss-sec/2015/q4/17
https://bugs.archlinux.org/task/46605