Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200606-09 ] SpamAssassin: Execution of arbitrary code
Date: Sun, 11 Jun 2006 20:34:31
Message-Id: 200606112142.39639.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200606-09
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: SpamAssassin: Execution of arbitrary code
9 Date: June 11, 2006
10 Bugs: #135746
11 ID: 200606-09
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 SpamAssassin, when running with certain options, could allow local or
19 even remote attackers to execute arbitrary commands, possibly as the
20 root user.
21
22 Background
23 ==========
24
25 SpamAssassin is an extensible email filter used to identify junk email.
26 spamd is the daemonized version of SpamAssassin.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 mail-filter/spamassassin < 3.1.3 >= 3.1.3
35
36 Description
37 ===========
38
39 When spamd is run with both the "--vpopmail" (-v) and "--paranoid" (-P)
40 options, it is vulnerable to an unspecified issue.
41
42 Impact
43 ======
44
45 With certain configuration options, a local or even remote attacker
46 could execute arbitrary code with the rights of the user running spamd,
47 which is root by default, by sending a crafted message to the spamd
48 daemon. Furthermore, the attack can be remotely performed if the
49 "--allowed-ips" (-A) option is present and specifies non-local
50 adresses. Note that Gentoo Linux is not vulnerable in the default
51 configuration.
52
53 Workaround
54 ==========
55
56 Don't use both the "--paranoid" (-P) and the "--vpopmail" (-v) options.
57
58 Resolution
59 ==========
60
61 All SpamAssassin users should upgrade to the latest version:
62
63 # emerge --sync
64 # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.3"
65
66 References
67 ==========
68
69 [ 1 ] CVE-2006-2447
70 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2447
71
72 Availability
73 ============
74
75 This GLSA and any updates to it are available for viewing at
76 the Gentoo Security Website:
77
78 http://security.gentoo.org/glsa/glsa-200606-09.xml
79
80 Concerns?
81 =========
82
83 Security is a primary focus of Gentoo Linux and ensuring the
84 confidentiality and security of our users machines is of utmost
85 importance to us. Any security concerns should be addressed to
86 security@g.o or alternatively, you may file a bug at
87 http://bugs.gentoo.org.
88
89 License
90 =======
91
92 Copyright 2006 Gentoo Foundation, Inc; referenced text
93 belongs to its owner(s).
94
95 The contents of this document are licensed under the
96 Creative Commons - Attribution / Share Alike license.
97
98 http://creativecommons.org/licenses/by-sa/2.5