ArchLinux: 201510-5: opensmtpd: multiple issues
Summary
- an oversight in the portable version of fgetln() that allows attackers
to read and write out-of-bounds memory
- multiple denial-of-service vulnerabilities that allow local users to
kill or hang OpenSMTPD
- a stack-based buffer overflow that allows local users to crash
OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user
- a hardlink attack (or race-conditioned symlink attack) that allows
local users to unset the chflags() of arbitrary files
- a hardlink attack that allows local users to read the first line of
arbitrary files (for example, root's hash from /etc/master.passwd)
- a denial-of-service vulnerability that allows remote attackers to fill
OpenSMTPD's queue or mailbox hard-disk partition
- an out-of-bounds memory read that allows remote attackers to crash
OpenSMTPD, or leak information and defeat the ASLR protection
- a use-after-free vulnerability that allows remote attackers to crash
OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user
- an mda buffer truncation bug that allows a user to create forward
files that pass session checks but fail delivery later down the chain,
within the user mda
- a remote buffer overflow in the unprivileged pony process
- offline enqueue reworked to better protect against hardlink attacks
Resolution
Upgrade to 5.7.3p1-1.
# pacman -Syu "opensmtpd>=5.7.3p1-1"
The problems have been fixed upstream in version 5.7.3p1.
References
https://access.redhat.com/security/cve/CVE-2015-7687
https://www.opensmtpd.org/announces/release-5.7.2.txt
https://www.opensmtpd.org/announces/release-5.7.3.txt
https://seclists.org/oss-sec/2015/q4/17
https://bugs.archlinux.org/task/46605
Workaround
None.