http://bugzilla.novell.com/show_bug.cgi?id=597673http://bugzilla.novell.com/show_bug.cgi?id=597673#c0
Summary: fetchmail: DoS in -v -v mode in multibyte
Classification: openSUSE
Product: openSUSE 11.3
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: puzel(a)novell.com
ReportedBy: lnussel(a)novell.com
QAContact: qa(a)suse.de
CC: security-team(a)suse.de
Found By: Other
Blocker: ---
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.
Factory only sufficient
------------------------------------------------------------------------------
Date: Sun, 18 Apr 2010 18:58:30 +0200
From: "Matthias Andree" <matthias.andree(a)gmx.de>
Subject: [oss-security] CVE request: fetchmail 4.6.3...6.3.16 DoS in -v -v mode
in multibyte
locales on invalid input
Please assign a CVE id for the issue described below. (Best viewed in
non-proportional font with 8 space tabs):
Draft announcement:
- DRAFT - XXX - DRAFT -
fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales
Topics: Denial of service in debug output.
Author: Matthias Andree
Version: 0.1 XXX
Announced: XXX
Type: malloc() Buffer overrun with printable characters
Impact: Denial of service.
Danger: low
CVE Name: CVE-2010-XXXX
CVSSv2: XXX
URL: http://www.fetchmail.info/fetchmail-SA-2010-02.txt
Project URL: http://www.fetchmail.info/
Affects: fetchmail releases 4.6.3 up to and including 6.3.16
Not affected: fetchmail release 6.3.17 and newer
Corrected: 2010-04-18 Git (XXX)
0. Release history
==================
2010-04-18 0.1 first draft (visible in SVN and through oss-security)
XXX
1. Background
=============
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. It supports SSL and TLS security layers through
the OpenSSL library, if enabled at compile time and if also enabled at
run time.
2. Problem description and Impact
=================================
In debug mode (-v -v), fetchmail prints information that was obtained from
the
upstream server (POP3 UIDL lists) or from message headers retrieved from
it.
If printing such information fails, for instance because there are
invalid
multibyte character sequences in this information (message headers),
fetchmail
will misinterpret this condition, and believe that the buffer was too
small,
and reallocate a bigger one (with linearly increasing buffer size), and
repeat,
until the allocation fails. At that point, fetchmail will abort.
Note that the "Affects:" line above may be inaccurate, and it may be that
versions before 5.6.6 are actually unaffected. The author was unable to
compile such old fetchmail versions to verify the existence of the bug.
Given that other security issues are present in such versions, those
should
not be used, and the wider version range was listed as vulnerable to err
towards the safe.
3. Solution
===========
There are two alternatives, either of them by itself is sufficient:
a. Apply the patch found in section B of this announcement to
fetchmail 6.3.14 or newer, recompile and reinstall it.
b. Install fetchmail 6.3.17 or newer after it will have become available.
The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
4. Workaround
=============
Run fetchmail with at most one -v (--verbose) option.
A. Copyright, License and Warranty
==================================
(C) Copyright 2010 by Matthias Andree, <matthias.andree(a)gmx.de>.
Some rights reserved.
This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
Creative Commons
171 Second Street
Suite 300
SAN FRANCISCO, CALIFORNIA 94105
USA
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
B. Patch to remedy the problem
==============================
Note that when taking this from a GnuPG clearsigned file, the lines
starting with a "-" character are prefixed by another "- " (dash +
blank) combination. Either feed this file through GnuPG to strip them,
or strip them manually. You may want to use the "-p1" flag to patch.
Whitespace differences can usually be ignored by invoking "patch -l",
so try this if the patch does not apply.
diff --git a/rfc822.c b/rfc822.c
index 6f2dbf3..dbcda32 100644
--- a/rfc822.c
+++ b/rfc822.c
@@ -25,6 +25,7 @@ MIT license. Compile with -DMAIN to build the
demonstrator.
#include <stdlib.h>
#include "fetchmail.h"
+#include "sdump.h"
#ifndef MAIN
#include "i18n.h"
@@ -74,9 +75,10 @@ char *reply_hack(
}
#ifndef MAIN
- if (outlevel >= O_DEBUG)
- report_build(stdout, GT_("About to rewrite %.*s...\n"),
- (int)BEFORE_EOL(buf), buf);
+ if (outlevel >= O_DEBUG) {
+ report_build(stdout, GT_("About to rewrite %s...\n"), (cp = sdump(buf,
BEFORE_EOL(buf))));
+ xfree(cp);
+ }
/* make room to hack the address; buf must be malloced */
for (cp = buf; *cp; cp++)
@@ -211,9 +213,12 @@ char *reply_hack(
}
#ifndef MAIN
- if (outlevel >= O_DEBUG)
- report_complete(stdout, GT_("...rewritten version is %.*s.\n"),
- (int)BEFORE_EOL(buf), buf);
+ if (outlevel >= O_DEBUG) {
+ report_complete(stdout, GT_("...rewritten version is %s.\n"),
+ (cp = sdump(buf, BEFORE_EOL(buf))));
+ xfree(cp)
+ }
+
#endif /* MAIN */
*length = strlen(buf);
return(buf);
diff --git a/uid.c b/uid.c
index fdc6f5d..d813bee 100644
--- a/uid.c
+++ b/uid.c
@@ -20,6 +20,7 @@
#include "fetchmail.h"
#include "i18n.h"
+#include "sdump.h"
/*
* Machinery for handling UID lists live here. This is mainly to support
@@ -260,8 +261,11 @@ void initialize_saved_lists(struct query *hostlist,
const char *idfile)
if (uidlcount)
{
report_build(stdout, GT_("Scratch list of UIDs:"));
- for (idp = scratchlist; idp; idp = idp->next)
- report_build(stdout, " %s", idp->id);
+ for (idp = scratchlist; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s", t);
+ free(t);
+ }
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
@@ -517,8 +521,11 @@ void uid_swap_lists(struct query *ctl)
report_build(stdout, GT_("Merged UID list from %s:"),
ctl->server.pollname);
else
report_build(stdout, GT_("New UID list from %s:"),
ctl->server.pollname);
- for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp =
idp->next)
- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+ for (idp = dofastuidl ? ctl->oldsaved : ctl->newsaved; idp; idp =
idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
+ free(t);
+ }
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
@@ -567,8 +574,11 @@ void uid_discard_new_list(struct query *ctl)
/* this is now a merged list! the mails which were seen in this
* poll are marked here. */
report_build(stdout, GT_("Merged UID list from %s:"),
ctl->server.pollname);
- for (idp = ctl->oldsaved; idp; idp = idp->next)
- report_build(stdout, " %s = %d", idp->id, idp->val.status.mark);
+ for (idp = ctl->oldsaved; idp; idp = idp->next) {
+ char *t = sdump(idp->id, strlen(idp->id));
+ report_build(stdout, " %s = %d", t, idp->val.status.mark);
+ free(t);
+ }
if (!idp)
report_build(stdout, GT_(" <empty>"));
report_complete(stdout, "\n");
--
Matthias Andree
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=712025https://bugzilla.novell.com/show_bug.cgi?id=712025#c0
Summary: openssh helpers wrongly uses %_libdir
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: x86-64
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening(a)forge.provo.novell.com
ReportedBy: jengelh(a)medozas.de
QAContact: qa(a)suse.de
Found By: Beta-Customer
Blocker: ---
I had a openSUSE 11.4 i586 installation on one machine, and as I was upgrading
its hardware to a 64-bit CPU, I did a x86_64 reinstall, and copied over the
configs from the previous install. Among that was /etc/ssh/sshd_config.
After this, sftp was no longer usable ("Connection closed by host"), hinting
towards the helper not being executable. sshd_config, having been inherited
from a i586 environment, contained:
Subsystem sftp /usr/lib/ssh/sftp-server
However, the sftp helper was installed in /usr/lib64/ssh (%_libdir/ssh), which
I consider the wrong place, because the helper is bitness-independent and thus
should go to %_libexecdir/ssh instead.
The problem persists by looking at the current /network/openssh/openssh.spec.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=536564
Summary: Packages creating user accounts do not select UID
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: All
OS/Version: Linux
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening(a)forge.provo.novell.com
ReportedBy: jengelh(a)medozas.de
QAContact: qa(a)suse.de
Found By: Beta-Customer
Some packages, such as openssh, do explicitly specify a UID/GID when creating
its users/groups:
/usr/sbin/groupadd -g 65 -o -r sshd 2>/dev/null || :;
On the other hand, the hal package does not:
/usr/sbin/groupadd -r haldaemon 2>/dev/null || :
So, which is correct? Should not hal also use a fixed ID? There are many
packages belonging to the latter category.
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=518238
Summary: openSSH chroot security settings faulty
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: x86
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening(a)forge.provo.novell.com
ReportedBy: marcus(a)swedcore.net
QAContact: qa(a)suse.de
Found By: ---
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11)
Gecko/2009060200 SUSE/3.0.11-0.1.1 Firefox/3.0.11
Whenever i tried to setup a chroot environment with OpenSSH the security
settings for the user folder must be root or OpenSSH doesn't work, the only
solution for now is to either create subfolders in the users chroot folder
where the user can have write permissions or land them one step up in the
hierarchy and thus making them see other chroot folder which is not good.
I followed this Wiki page to the letter:
http://en.opensuse.org/Openssh#SFTP_chroot_with_ChrootDirectory
I have Swedish community users trying to set this up to with same result as me.
This thread takes up the same issue:
http://marc.info/?l=openssh-unix-dev&m=122640731518850&w=2
But the solution mentioned there is not acceptable because as it stats on the
Wiki you make one folder the chroot folder and then mapping the users home
folder relative to the chroot folder, in this scenario the users should get
write permissions to his own folder, but that is not possible, thus breaking
the functionality intended.
So the question is, is this a bug or is it designed to act like this?
Reproducible: Always
Steps to Reproduce:
Done accordingly to this wiki entry: http://en.opensuse.org/OpenSSH
Actual Results:
Gets a read only home folder root
Expected Results:
Getting a writable home folder, where they can create on folder and upload
files directly to the root of their home folder.
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=712683https://bugzilla.novell.com/show_bug.cgi?id=712683#c0
Summary: disable ipv6 break ssh X11 tunnel
Classification: openSUSE
Product: openSUSE 12.1
Version: Milestone 3
Platform: All
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening(a)forge.provo.novell.com
ReportedBy: diego.ercolani(a)gmail.com
QAContact: qa(a)suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101
Firefox/5.0
When you disable ipv6 from the yast2 network, system correctly remove the
assignation of ipv6 addresses from everywhere but there is an annoying bug in
openssh that break the possibility to make X11 tunnels because it seems that
ssh try to bind X11 tunnel to an ipv6 address even with ipv6 disabled causing
this kind of message in /var/log/messages:
Aug 17 16:47:28 franz2011 sshd[6300]: error: Failed to allocate internet-domain
X11 display socket.
this can avoided configuring correctly the file /etc/ssh/sshd_config with the
parameter:
AddressFamily inet
and restarting sshd.
This is done in according to this bug reported to debian bugsystem:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=422327#20
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=638893https://bugzilla.novell.com/show_bug.cgi?id=638893#c0
Summary: /usr/share/doc/packages/openssh/README.SuSE update
wanted
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: anicka(a)novell.com
ReportedBy: ke(a)novell.com
QAContact: qa(a)suse.de
Found By: Documentation
Blocker: ---
Please, update /usr/share/doc/packages/openssh/README.SuSE.
I guess, by now we can remove 9.1 and earlier items. Also please remove the
opener (Dear ...) and the closer (Your team).
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=530885
Summary: sshd fails to honour /etc/nologin presence when ssh
keys used during login
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team(a)suse.de
ReportedBy: liam.gretton(a)leicester.ac.uk
QAContact: qa(a)suse.de
Found By: ---
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2)
Gecko/20090729 Firefox/3.5.2
With the pam module pam_nologin in use, all non-root logins are supposed to be
prevented if the file /etc/nologin exists.
SSH fails to prevent user logins if /etc/nologin exists and the user
authenticates with a key. Authentications with a password are successfully
prevented, as expected.
Reproducible: Always
Steps to Reproduce:
1. Add pam_nologin to /etc/pam.d/login:
auth requisite pam_nologin.so
2. Create /etc/nologin
3. Log in via SSH with a password. Login will be correctly prevented.
4. Log in via SSH with a key. Login is successful.
Actual Results:
SSH login with a key is not prevented by pam_nologin.
Expected Results:
SSH login with a key should be prevented by pam_nologin when /etc/nologin is
present.
openssh-5.1p1-40.15
pam-1.0.2-13.4
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=506831
Summary: /etc/init.d/sshd: incorrect usage of daemonstartproc ?
Classification: openSUSE
Product: openSUSE 11.2
Version: Milestone 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Other
AssignedTo: anicka(a)novell.com
ReportedBy: puzel(a)novell.com
QAContact: qa(a)suse.de
Found By: Development
# /etc/init.d/sshd restart
Shutting down SSH daemon
Starting SSH daemonstartproc: option -p does not work in force mode
sshd daemon seems to work OK, though.
reproducible: always
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=625552http://bugzilla.novell.com/show_bug.cgi?id=625552#c0
Summary: openssh: inprove recommendation in "REMOTE HOST
IDENTIFICATION HAS CHANGED" message
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Basesystem
AssignedTo: anicka(a)novell.com
ReportedBy: sbrabec(a)novell.com
QAContact: qa(a)suse.de
Found By: ---
Blocker: ---
When remote host identification changes, following message appears:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
................
Please contact your system administrator.
Add correct host key in /home/sbrabec/.ssh/known_hosts to get rid of this
message.
Offending key in /home/sbrabec/.ssh/known_hosts:1
RSA host key for ben has changed and you have requested strict checking.
Host key verification failed.
Following the message and opened known_hosts file, I found just an ASCII noise.
Well, I tried to delete line 1 (guessing from the error message) and got this
message:
The authenticity of host 'foo (...)' can't be established.
RSA key fingerprint is ............
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'foo' (RSA) to the list of known hosts.
Warning: the RSA host key for foo' differs from the key for the IP address
'...'
Offending key for IP in /home/sbrabec/.ssh/known_hosts:1
Are you sure you want to continue connecting (yes/no)? yes
It would be nice to change the messsage and offer ssh-keygen -R or so.
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.