Ubuntu
amavisd-new package

Amavisd crashes when calling external command /usr/bin/altermime after updated to 2.12.2-1ubuntu1.1

Bug #2067460 reported by Zhang Huangbin

This bug report will be marked for expiration in 40 days if no further activity occurs. (find out why)

8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
amavisd-new (Ubuntu)
Incomplete
Undecided
Unassigned

Bug Description

Everything worked fine before upgrading Amavisd-new to 2.12.2-1ubuntu1.1 which is a security update:
https://changelogs.ubuntu.com/changelogs/pool/main/a/amavisd-new/amavisd-new_2.12.2-1ubuntu1.1/changelog

After upgraded package without changing any config files, Amavisd crashes while calling /usr/bin/altermime to append disclaimer text, the error message is "Insecure dependency in exec while running with -T switch".

Postfix + amavisd log:

May 29 10:27:13 mail1 postfix/10025/smtpd[30514]: connect from mail1.example.com[127.0.0.1]
May 29 10:27:13 mail1 postfix/10025/smtpd[30514]: 4Vq2YY0jWQzcR70: client=mail1.example.com[127.0.0.1]
May 29 10:27:13 mail1 postfix/cleanup[39132]: 4Vq2YY0jWQzcR70: message-id=<06cb01dab1a1$fb93cf30$f2bb6d90$@example.com>
May 29 10:27:13 mail1 postfix/10025/smtpd[30514]: disconnect from mail1.example.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 29 10:27:13 mail1 postfix/qmgr[2468]: 4Vq2YY0jWQzcR70: from=<email address hidden>, size=8419, nrcpt=1 (queue active)
May 29 10:27:13 mail1 amavis[39626]: (39626-09) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [2.115.8.214]:58545 [2.115.8.214] ESMTP/ESMTP <email address hidden> -> <email address hidden>, (ESMTPSA://[2.115.8.214]:58545), Queue-ID: 4Vq2YX6Bw3zcR4K, Message-ID: <06cb01dab1a1$fb93cf30$f2bb6d90$@example.com>, mail_id: iMj_PjHp0r5u, b: _O4g8hChr, Hits: -, size: 7058, queued_as: 4Vq2YY0jWQzcR70, Subject: "xxxxxxx", From: <email address hidden>, X-Mailer: Microsoft_Outlook_16.0, helo=xxxx, dkim_new=dkim:example.com, 86 ms
May 29 10:27:13 mail1 postfix/amavis/smtp[39622]: 4Vq2YX6Bw3zcR4K: to=<email address hidden>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.28, delays=0.19/0/0/0.09, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4Vq2YY0jWQzcR70)
May 29 10:27:13 mail1 postfix/pipe[37537]: 4Vq2YY0jWQzcR70: to=<email address hidden>, relay=dovecot, delay=0.02, delays=0/0/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
May 29 10:27:13 mail1 postfix/qmgr[2468]: 4Vq2YY0jWQzcR70: removed
May 29 10:27:13 mail1 amavis[40862]: (39626-10) (!)run_command: child process [40862]: Insecure dependency in exec while running with -T switch at /usr/sbin/amavisd-new line 4897.
May 29 10:27:13 mail1 amavis[39626]: (39626-10) (!!)collect_results from [40862] (/usr/bin/altermime): exit 3
May 29 10:27:13 mail1 amavis[39626]: (39626-10) (!)mangling by altermime failed: Program /usr/bin/altermime failed: 768, at /usr/sbin/amavisd-new line 17419., mail will pass unmodified

CVE References

Revision history for this message
Paride Legovini (paride) wrote :

Hello and thanks for this bug report. While the security update did introduce a change in amavisd behavior ([1] is how upstream describe the change), I am unable to tell if the problem comes directly or only from amavisd, or if some other package/component is involved (altermime?).

Would it be possible for you to experiment by downgrading amavisd-new to its previous version, and check if the problem goes away? This should be feasible by running:

  apt install amavisd-new=1:2.12.2-1ubuntu1

This will help understanding if it is indeed amavisd-new to be problematic, or some other package that got upgraded together with it. Thanks!

[1] https://gitlab.com/amavis/amavis/-/blob/master/README_FILES/README.CVE-2024-28054?ref_type=heads

Changed in amavisd-new (Ubuntu):
status: New → Incomplete
Revision history for this message
damluk (damluk) wrote :

Did you forget to modify it again?

https://lists.amavis.org/pipermail/amavis-users/2012-July/001655.html

Revision history for this message
Zhang Huangbin (michaelbibby) wrote :

Hi @damluk,

This is irrelevant, no config file modified before upgrading amavisd package.

Revision history for this message
damluk (damluk) wrote :

It is not irrelevant, because the suggested modification in that mail thread was in the amavisd executable, which will be overwritten by a package upgrade.

Revision history for this message
Zhang Huangbin (michaelbibby) wrote :

The link in your first reply happened 12 YEARS ago, and things changed a lot.

We run Amavisd-new without modifying its (Perl) source code since day one, and just updating its config file `/etc/amavis/conf.d/50-user` to implement features we need.

Revision history for this message
damluk (damluk) wrote :

Then please share a config file that can reproduce the problem. The CVE patch is not related to taint mode, though.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.