Mailinglist Archive: opensuse-security (260 mails)

< Previous Next >
Re: [suse-security] SuSE Security Announcement: tnef
  • From: Rainer Link <link@xxxxxxx>
  • Date: Tue, 11 Jul 2000 17:03:54 +0200 (CEST)
  • Message-id: <Pine.LNX.4.21.0007111644490.17517-100000@xxxxxxxxxxxxxx>
On Tue, 11 Jul 2000, Thomas Biege wrote:

> By specifing a path name like /etc/passwd and sending a compressed
> mail to root an adversary could gain remote root access to a system
> by overwriting the local password database.
> The same could happen if a mail virus scanner, like AMaVIS, process'
> a malicious mail.


AMaViS-Perl: not affected (we use a Perl module instead)
AMaViS versions below AMaViS-0.2.0-pre6-clm-rl-8-20000603 are not
affected, simply because TNEF support was introduced with this version.
If you run AMaViS with qmail or exim, you shouldn't be affected as AMaViS
does not run as root.

AMaViS 0.2.0-pre6-clm-rl-8-20000704 provides a fix for this problem.
Please look at http://sourceforge.net/projects/amavis for latest stuff.

I would like to thank Robert Valentan for reporting the bug to the AMaViS
Development Team.

best regards,
Rainer Link

--
Rainer Link, AntiVirus & Security, link@xxxxxxx, www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/



< Previous Next >
References