<inn-2.5.3 - plaintext command injection during the negotiation of a TLS layer

Bug #1039881 reported by Karma Dorje
Affects         Status         Importance   Assigned to   Milestone
Gentoo Linux    Fix Released   Low
inn2 (Ubuntu)   Fix Released   Undecided    Unassigned

Bug Description

The STARTTLS implementation in INN's NNTP server for readers,
nnrpd, before 2.5.3 does not properly restrict I/O buffering,
which allows man-in-the-middle attackers to insert commands
into encrypted sessions by sending a cleartext command that
is processed after TLS is in place, related to a "plaintext
command injection" attack, a similar issue to CVE-2011-0411.

References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
[3] https://bugzilla.redhat.com/show_bug.cgi?id=850478

Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz

In , Jeroen Roovers (jer-gentoo) wrote :

* Fixed a possible plaintext command injection during the negotiation of
    a TLS layer. The vulnerability detailed in CVE-2011-0411 affects the
    STARTTLS and AUTHINFO SASL commands. nnrpd now resets its read buffer
    upon a successful negotiation of a TLS layer. It prevents malicious
    commands, sent unencrypted, from being executed in the new encrypted
    state of the session.
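To make the mechanism in the bug description and the fix quoted in the changelog above concrete, here is an added model (constructed demonstration code, not INN's own source) of an nnrpd-like command loop. The TLS handshake is simulated by a fake transport; what matters is the line buffer that survives it. With `reset_buffer_after_tls=False` (pre-2.5.3 behaviour) a command the man-in-the-middle appended to the client's STARTTLS line in the clear is executed after the session is "encrypted"; with `True` (the 2.5.3 fix) the buffer is discarded on a successful negotiation and the injected command is dropped. All class and function names and the sample traffic are this example's own.

```python
"""Model of the nnrpd STARTTLS buffering flaw (CVE-2012-3523) and its fix.

Constructed demonstration code, not INN's source.  The TLS handshake is
simulated by WireTransport; the bug is the read buffer that outlives it.
"""


class WireTransport:
    """Fake client socket.

    `plaintext_segments` arrive before the handshake, i.e. bytes a
    man-in-the-middle can read and modify.  `tls_segments` are what the real
    client sends after the handshake (already decrypted in this model); the
    attacker cannot inject into them.
    """

    def __init__(self, plaintext_segments, tls_segments):
        self._plain = list(plaintext_segments)
        self._tls = list(tls_segments)
        self._tls_all = tuple(tls_segments)
        self.encrypted = False

    def recv(self):
        queue = self._tls if self.encrypted else self._plain
        return queue.pop(0) if queue else b""

    def start_tls(self):
        """Simulated handshake: from now on recv() yields decrypted client data."""
        self.encrypted = True

    def lines_sent_over_tls(self):
        data = b"".join(self._tls_all)
        return {l.decode("ascii") for l in data.split(b"\r\n") if l}


class ReaderDaemon:
    """Minimal nnrpd-like command loop with a line buffer over the transport."""

    def __init__(self, transport, reset_buffer_after_tls):
        self.transport = transport
        self.reset_buffer_after_tls = reset_buffer_after_tls  # False = pre-2.5.3
        self.buf = b""      # bytes read from the socket but not yet parsed
        self.tls = False
        self.executed = []  # (command line, was the session encrypted then?)

    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.transport.recv()
            if not chunk:
                return None
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def serve(self):
        while True:
            line = self.readline()
            if line is None:
                break
            verb = line.split(None, 1)[0].upper() if line.strip() else ""
            if verb == "STARTTLS":
                if self.tls:
                    continue  # already encrypted; a second STARTTLS is refused
                self.transport.start_tls()
                self.tls = True
                if self.reset_buffer_after_tls:
                    # The 2.5.3 fix: whatever is still buffered was read in the
                    # clear, and a compliant client sends nothing between
                    # STARTTLS and the handshake, so it is safe to discard.
                    self.buf = b""
                continue
            if verb == "QUIT":
                break
            self.executed.append((line, self.tls))
        return self.executed

    def injected_commands(self):
        """Commands run in the encrypted state that never travelled over TLS."""
        over_tls = self.transport.lines_sent_over_tls()
        return [cmd for cmd, enc in self.executed if enc and cmd not in over_tls]


def run_session(reset_buffer_after_tls):
    # Constructed traffic.  The attacker appends a command to the client's
    # STARTTLS line so both arrive in the same plaintext TCP segment.
    plaintext = [b"MODE READER\r\nSTARTTLS\r\nGROUP alt.injected.by.mitm\r\n"]
    # What the legitimate client sends once the handshake has completed.
    tls = [b"AUTHINFO USER alice\r\n", b"GROUP news.announce\r\n", b"QUIT\r\n"]
    daemon = ReaderDaemon(WireTransport(plaintext, tls), reset_buffer_after_tls)
    daemon.serve()
    return daemon


if __name__ == "__main__":
    for fixed in (False, True):
        d = run_session(reset_buffer_after_tls=fixed)
        print("fixed" if fixed else "vulnerable", "->", d.injected_commands())
```

The same shape of bug appears in any server that pulls more than one line out of the socket into an application buffer and then hands the raw socket to a TLS library: the library only ever sees bytes still on the socket, so anything already buffered is trusted as if it had been authenticated. Discarding the buffer at the moment the handshake completes, or refusing STARTTLS when the buffer is non-empty, is the check to look for in a review.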

In , Jeroen Roovers (jer-gentoo) wrote :

Arch teams, please test and mark stable:
=net-nntp/inn-2.5.3
Stable KEYWORDS : amd64 ppc x86

Karma Dorje (taaroa)
tags: added: upgrade-software-version
Changed in inn (Ubuntu):
status: New → Confirmed
In , J-ago (j-ago) wrote :

amd64 stable

Changed in gentoo:
importance: Unknown → Medium
visibility: private → public
affects: inn (Ubuntu) → inn2 (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. This is fixed in 2.5.3-1 on 12.10. For the earlier releases, if you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

Changed in inn2 (Ubuntu):
status: Confirmed → Fix Released
In , Phajdan-jr (phajdan-jr) wrote :

x86 stable

In , Jeroen Roovers (jer-gentoo) wrote :

ping

In , Jeroen Roovers (jer-gentoo) wrote :

ppc64?

In , Ranger-z (ranger-z) wrote :

ppc done

In , Glsamaker (glsamaker) wrote :

CVE-2012-3523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3523):
  The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly
  restrict I/O buffering, which allows man-in-the-middle attackers to insert
  commands into encrypted sessions by sending a cleartext command that is
  processed after TLS is in place, related to a "plaintext command injection"
  attack, a similar issue to CVE-2011-0411.

In , Ackle (ackle) wrote :

Thanks, everyone.

GLSA vote: yes.

In , Craig-gentoo (craig-gentoo) wrote :

Yes, created GLSA request.

In , Michael (kensington) wrote :

Nothing else to do for net-news here.

Changed in gentoo:
importance: Medium → Low
In , Glsamaker (glsamaker) wrote :

This issue was resolved and addressed in
 GLSA 201401-24 at http://security.gentoo.org/glsa/glsa-201401-24.xml
by GLSA coordinator Chris Reffett (creffett).

Changed in gentoo:
status: Unknown → Fix Released