[arch-security] [ASA-201510-5] opensmtpd: multiple issues

Levente Polyak anthraxx at archlinux.org
Thu Oct 8 19:19:29 UTC 2015

Arch Linux Security Advisory ASA-201510-5

Severity: Critical
Date    : 2015-10-08
CVE-ID  : CVE-2015-7687
Package : opensmtpd
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The package opensmtpd before version 5.7.3p1-1 is vulnerable to multiple
issues including but not limited to arbitrary code execution, denial of
service and information disclosure.


Upgrade to 5.7.3p1-1.

# pacman -Syu "opensmtpd>=5.7.3p1-1"

The problems have been fixed upstream in version 5.7.3p1.




- an oversight in the portable version of fgetln() that allows attackers
  to read and write out-of-bounds memory

- multiple denial-of-service vulnerabilities that allow local users to
  kill or hang OpenSMTPD

- a stack-based buffer overflow that allows local users to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user

- a hardlink attack (or race-conditioned symlink attack) that allows
  local users to unset the chflags() of arbitrary files

- a hardlink attack that allows local users to read the first line of
  arbitrary files (for example, root's hash from /etc/master.passwd)

- a denial-of-service vulnerability that allows remote attackers to fill
  OpenSMTPD's queue or mailbox hard-disk partition

- an out-of-bounds memory read that allows remote attackers to crash
  OpenSMTPD, or leak information and defeat the ASLR protection

- a use-after-free vulnerability that allows remote attackers to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user

- fix an mda buffer truncation bug which allows a user to create forward
  files that pass session checks but fail delivery later down the chain,
  within the user mda

- fix remote buffer overflow in unprivileged pony process

- reworked offline enqueue to better protect against hardlink attacks


A remote attacker is able to execute arbitrary code, crash the process
to perform a denial of service attack, read arbitrary memory to disclose
information and defeat ASLR or have other unspecified impact via various



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151008/c5f1c6ff/attachment.asc>

More information about the arch-security mailing list