ssmtp dies with standardise() -- Buffer overflow

Bug #282424 reported by Brendan Boerner
This bug affects 1 person
Affects: ssmtp (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Nicolas Valcarcel

Bug Description

Binary package hint: ssmtp

A line which begins with a period ('.') and is BUF_SZ - 1 (e.g. 2047) or longer in length (not counting \n) will die() with:

ssmtp: standardise() -- Buffer overflow

This is a specific case. The general case is that a buffer passed into standardise() which begins with a period and is BUF_SZ - 1 bytes in length will produce this error.

I think the fix is to call fgets() with sizeof(buf) - 2 instead of sizeof(buf) in ssmtp().

With this fix, another problem is that in the sent e-mail the line is truncated by two bytes. The fix is to use (BUF_SZ) in smtp_write() instead of (BUF_SZ - 2).

Index: ssmtp.c
===================================================================
--- ssmtp.c (revision 57)
+++ ssmtp.c (working copy)
@@ -1361,7 +1361,7 @@
  ssize_t outbytes = 0;

  va_start(ap, format);
- if(vsnprintf(buf, (BUF_SZ - 2), format, ap) == -1) {
+ if(vsnprintf(buf, BUF_SZ, format, ap) == -1) {
   die("smtp_write() -- vsnprintf() failed");
  }
  va_end(ap);
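Review bot: the `== -1` test on the changed vsnprintf line still does not detect truncation, so raising the limit from BUF_SZ - 2 to BUF_SZ only moves where output is silently cut. vsnprintf returns the length the full output would have had (not -1) when it does not fit, so the check should be `int n = vsnprintf(buf, BUF_SZ, format, ap); if(n < 0 || n >= BUF_SZ) die(...)`. Also, `BUF_SZ - 2` looks like room reserved for two bytes (a trailing CRLF, for instance) appended to buf later in smtp_write(); that code is outside this hunk, so please confirm nothing below this line appends into buf before it is sent, otherwise this change turns a two-byte truncation into a two-byte overflow.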
@@ -1628,7 +1628,7 @@

  /* don't hang forever when reading from stdin */
  while(!feof(stdin) && timeout < MEDWAIT) {
- if (!fgets(buf, sizeof(buf), stdin)) {
+ if (!fgets(buf, sizeof(buf)-2, stdin)) {
    /* if nothing was received, then no transmission
     * over smtp should be done */
    sleep(1);
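Review bot: the `-2` on the changed fgets line is an unexplained magic number; add a comment stating that it leaves one byte for the '.' that standardise() prepends plus the terminating NUL, or the next reader will put it back to sizeof(buf). The change also alters behaviour rather than just fixing the overflow: fgets(buf, sizeof(buf)-2, stdin) reads at most sizeof(buf)-3 bytes, so an input line longer than that is no longer rejected but is returned by two successive fgets() calls, and this loop treats the second fragment as a new line. If that is acceptable it should be documented here; if not, the loop should notice a buffer that does not end in '\n' and handle the remainder (join it or die()) instead of passing it through as a separate line.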

Revision history for this message
Brendan Boerner (brendan-karakhorum) wrote :

I mislabeled test_cast.001. The correct description should be:

Demonstrate that a line which is BUF_SZ - 1 in length (not counting \n) beginning with a period will die().
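The length arithmetic behind the report (a BUF_SZ buffer, a line of BUF_SZ - 1 bytes starting with '.', and the extra '.' that dot-stuffing must prepend) is easy to get wrong by one, so here is a self-contained model of it as an added example. It is not ssmtp's code and not part of the reporter's post: standardise_model() is a hypothetical stand-in for ssmtp's standardise() (strip the newline, escape a leading period per RFC 5321 dot-stuffing) that refuses to overflow instead of calling die(); mem_fgets() reproduces fgets() semantics over a constructed in-memory string; BUF_SZ = 2048 is assumed from the report's "BUF_SZ - 1 (e.g. 2047)"; and the input line is constructed. simulate_dot_line() runs one such line through the read loop once with the shipped fgets(buf, sizeof(buf)) and once with the proposed fgets(buf, sizeof(buf) - 2), so both the failure and the side effect of the proposed fix are visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value: the report says BUF_SZ - 1 is e.g. 2047. */
#define BUF_SZ 2048

struct result {
    int status;     /* 0 = every line fit, -1 = a line would not fit (ssmtp would die()) */
    int lines;      /* number of lines that would be handed to the SMTP side */
    size_t maxlen;  /* longest line after dot-stuffing */
};

/* fgets() over an in-memory string: copies at most n-1 bytes, stops after
   a newline, NUL-terminates, and returns 0 at end of input. */
static int mem_fgets(char *buf, size_t n, const char *src, size_t *pos)
{
    size_t srclen = strlen(src), i = 0;
    if (n == 0 || *pos >= srclen) return 0;
    while (i < n - 1 && *pos < srclen) {
        buf[i++] = src[*pos];
        if (src[(*pos)++] == '\n') break;
    }
    buf[i] = '\0';
    return 1;
}

/* Hypothetical model of standardise(): drop the trailing newline, then
   escape a leading '.' by prepending another one (dot-stuffing). Returns -1
   instead of overflowing when the stuffed line plus its NUL would not fit in
   bufsz bytes; that is the condition behind the die() in the report. */
int standardise_model(char *buf, size_t bufsz)
{
    size_t len = strlen(buf);
    if (len && buf[len - 1] == '\n') buf[--len] = '\0';
    if (buf[0] != '.') return 0;
    if (len + 2 > bufsz) return -1;          /* len + 1 chars + terminating NUL */
    memmove(buf + 1, buf, len + 1);
    buf[0] = '.';
    return 0;
}

/* Constructed input: '.' followed by 'a's, linelen bytes before the newline. */
char *make_dot_line(size_t linelen)
{
    char *s = malloc(linelen + 2);
    if (!s) abort();
    memset(s, 'a', linelen);
    s[0] = '.';
    s[linelen] = '\n';
    s[linelen + 1] = '\0';
    return s;
}

/* Feed one constructed line through a read loop shaped like ssmtp()'s:
   fgets() into a BUF_SZ buffer with the given size argument, then the
   standardise model, once per returned chunk. */
struct result simulate_dot_line(size_t linelen, size_t fgets_size)
{
    struct result r = { 0, 0, 0 };
    char buf[BUF_SZ];
    char *input = make_dot_line(linelen);
    size_t pos = 0;

    if (fgets_size > sizeof buf) fgets_size = sizeof buf;
    while (mem_fgets(buf, fgets_size, input, &pos)) {
        if (standardise_model(buf, sizeof buf) < 0) { r.status = -1; break; }
        size_t l = strlen(buf);
        if (l > r.maxlen) r.maxlen = l;
        r.lines++;
    }
    free(input);
    return r;
}

int main(void)
{
    struct result a = simulate_dot_line(BUF_SZ - 1, BUF_SZ);      /* as shipped */
    struct result b = simulate_dot_line(BUF_SZ - 1, BUF_SZ - 2);  /* proposed fgets() fix */
    printf("fgets(buf, BUF_SZ):   status %d, lines %d, longest %zu\n", a.status, a.lines, a.maxlen);
    printf("fgets(buf, BUF_SZ-2): status %d, lines %d, longest %zu\n", b.status, b.lines, b.maxlen);
    return 0;
}
```

With the shipped size argument the 2047-byte line is read in full, the stuffed line would need 2049 bytes, and the model reports status -1 (the die() in the report). With sizeof(buf) - 2 the same line no longer fails, but fgets() returns it as a 2045-byte chunk followed by the 2-byte remainder, so two lines reach the SMTP side instead of one; a line of BUF_SZ - 2 bytes, by contrast, fits with the shipped code because the newline is read in the same call and stripped before stuffing. Any fix to the real read loop should be checked against that splitting behaviour as well as against the overflow.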

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ssmtp - 2.62-1ubuntu3

---------------
ssmtp (2.62-1ubuntu3) intrepid; urgency=low

  * SECURITY UPDATE: allow remote attackers to obtain sensitive
    information (LP: #278978)
  * debian/patches/02-CVE-2008-3962: adjust in ssmtp.c to fix
    uninitialized memory disclosure.
  * SECURITY UPDATE: Buffer overflow (LP: #282424)
  * debian/patches/03_fix_buffer_overflow: adjust ssmtp.c to fix
    a buffer overflow with using 2 bytes in length instead of one in buffer.
  * References:
    CVE-2008-3962
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498366

 -- Stefan Ebner <email address hidden> Tue, 07 Oct 2008 16:22:39 +0200

Changed in ssmtp:
status: New → Fix Released
Revision history for this message
Brendan Boerner (brendan-karakhorum) wrote :

The fix for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498366 does not address this bug.

Changed in ssmtp:
status: Fix Released → Incomplete
Revision history for this message
Kees Cook (kees) wrote :

Published in the -security pocket now.

Changed in ssmtp:
assignee: nobody → nvalcarcel
status: Incomplete → Fix Released