Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200405-17 ] Multiple vulnerabilities in metamail
Date: Fri, 21 May 2004 19:42:49
Message-Id: 40AE5B5D.7060706@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200405-17
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: High
11 Title: Multiple vulnerabilities in metamail
12 Date: May 21, 2004
13 Bugs: #42133
14 ID: 200405-17
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 Several format string bugs and buffer overflows were discovered in
22 metamail, potentially allowing execution of arbitrary code remotely.
23
24 Background
25 ==========
26
27 Metamail is a program that decodes MIME encoded mail. It is therefore
28 often automatically called when an email is received or read.
29
30 Affected packages
31 =================
32
33 -------------------------------------------------------------------
34 Package / Vulnerable / Unaffected
35 -------------------------------------------------------------------
36 1 net-mail/metamail < 2.7.45.3 >= 2.7.45.3
37
38 Description
39 ===========
40
41 Ulf Harnhammar found two format string bugs and two buffer overflow
42 bugs in Metamail.
43
44 Impact
45 ======
46
47 A remote attacker could send a malicious email message and execute
48 arbitrary code with the rights of the process calling the Metamail
49 program.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All users of Metamail should upgrade to the latest stable version:
60
61 # emerge sync
62
63 # emerge -pv ">=net-mail/metamail-2.7.45.3"
64 # emerge ">=net-mail/metamail-2.7.45.3"
65
66 References
67 ==========
68
69 [ 1 ] CAN-2004-0104
70 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0104
71 [ 2 ] CAN-2004-0105
72 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0105
73
74 Availability
75 ============
76
77 This GLSA and any updates to it are available for viewing at
78 the Gentoo Security Website:
79
80 http://security.gentoo.org/glsa/glsa-200405-17.xml
81
82 Concerns?
83 =========
84
85 Security is a primary focus of Gentoo Linux and ensuring the
86 confidentiality and security of our users machines is of utmost
87 importance to us. Any security concerns should be addressed to
88 security@g.o or alternatively, you may file a bug at
89 http://bugs.gentoo.org.
90
91 License
92 =======
93
94 Copyright 2004 Gentoo Technologies, Inc; referenced text
95 belongs to its owner(s).
96
97 The contents of this document are licensed under the
98 Creative Commons - Attribution / Share Alike license.
99
100 http://creativecommons.org/licenses/by-sa/1.0
101
102 -----BEGIN PGP SIGNATURE-----
103 Version: GnuPG v1.2.4 (GNU/Linux)
104 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
105
106 iD8DBQFArltcvcL1obalX08RArLOAJ9YFERhJfcJrzZthA7HVjbLmyxazwCgqghl
107 l/eXbhtKh4BVtCGmVPSD2zs=
108 =GdJa
109 -----END PGP SIGNATURE-----