PaulHowarth/Blog/2010-03-22

Monday 22nd March 2010

Fedora Project

Finally created an update for the spamass-milter remote root arbitrary code execution vulnerability (CVE-2010-1132, Bug #572117, Bug #572119, Upstream Bug #29136). The update includes upstream's preliminary patch for the issue, which replaces the use of popen() (a function that spawns a shell to do most of its work, and hence requires careful sanitization of anything interpolated into its command string) with a new function popenv(), which takes an argument vector like execv(), doesn't spawn a shell and so doesn't need its input sanitized. This preliminary patch appeared on 10th March and I had tested it successfully by the 16th, but nothing further has happened upstream since then. Debian issued a patched release on the 17th based on this patch. I have also reworked another patch already in the Fedora package to resolve Bug #532266 (bogus log messages about missing macros in the MTA configuration) and included that fix in this update.
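As an added illustration (this is not the upstream patch or any spamass-milter code), the C program below contrasts the two approaches: a popen()-style call that interpolates an untrusted recipient address into a shell command line, and a minimal popenv()-style function built on pipe()/fork()/execv() that passes the address as a single argv element so no shell ever sees it. It uses /bin/echo as a stand-in for the external command the milter runs during -x alias expansion so that it runs offline; the function names, the helper and the sample "address" are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Read everything from fp into a malloc'd, NUL-terminated string. */
static char *slurp(FILE *fp)
{
    size_t cap = 256, len = 0;
    char *buf = malloc(cap);
    int c;
    if (!buf)
        return NULL;
    while ((c = fgetc(fp)) != EOF) {
        if (len + 1 >= cap) {
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); return NULL; }
            buf = nb;
        }
        buf[len++] = (char)c;
    }
    buf[len] = '\0';
    return buf;
}

/* popenv(): like popen(..., "r") but takes an argv like execv() and never
 * invokes /bin/sh. The child's stdout is returned as a FILE*; the child's
 * pid is handed back so the caller can reap it with pclosev(). */
static FILE *popenv(char *const argv[], pid_t *pid_out)
{
    int fds[2];
    pid_t pid;
    FILE *fp;

    if (pipe(fds) == -1)
        return NULL;
    pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {                        /* child: stdout -> pipe, exec */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(127);
        close(fds[1]);
        execv(argv[0], argv);              /* argv[1] is one literal argument */
        _exit(127);
    }
    close(fds[1]);                         /* parent keeps the read end */
    fp = fdopen(fds[0], "r");
    if (!fp) { close(fds[0]); waitpid(pid, NULL, 0); return NULL; }
    *pid_out = pid;
    return fp;
}

static int pclosev(FILE *fp, pid_t pid)
{
    int status;
    fclose(fp);
    return waitpid(pid, &status, 0) == -1 ? -1 : status;
}

/* Vulnerable pattern: the address becomes part of a shell command line, so
 * metacharacters in it (';', '`', '$(...)', ...) are executed by /bin/sh. */
char *lookup_with_popen(const char *addr)
{
    char cmd[512];
    FILE *fp;
    char *out;

    snprintf(cmd, sizeof cmd, "/bin/echo %s", addr);
    if (!(fp = popen(cmd, "r")))
        return NULL;
    out = slurp(fp);
    pclose(fp);
    return out;
}

/* Fixed pattern: the address is a single argv element; no shell is involved,
 * so it reaches the command byte-for-byte and needs no sanitization. */
char *lookup_with_popenv(const char *addr)
{
    char *argv[] = { "/bin/echo", (char *)addr, NULL };
    pid_t pid;
    FILE *fp;
    char *out;
    int status;

    if (!(fp = popenv(argv, &pid)))
        return NULL;
    out = slurp(fp);
    status = pclosev(fp, pid);
    if (status == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    const char *addr = "x;echo INJECTED";   /* constructed hostile "recipient" */
    char *a = lookup_with_popen(addr);      /* shell runs the second command */
    char *b = lookup_with_popenv(addr);     /* echo prints the string verbatim */
    printf("popen  : %s", a ? a : "(failed)\n");
    printf("popenv : %s", b ? b : "(failed)\n");
    free(a);
    free(b);
    return 0;
}
```

With the popen() version the output contains a second line, INJECTED, produced by the shell; with popenv() the whole string, semicolon included, is echoed as one argument. Note that popenv() still exec()s an external binary, which is why the SELinux policy for the milter needs to allow that program but no longer needs to allow a shell.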

Some notes on the vulnerability itself:

  • The milter is only vulnerable if used with the -x option to expand aliases and virtual users prior to passing recipient addresses to SpamAssassin

  • The -x option is not enabled by default in the Fedora package

  • Use of the -x option in Fedora requires that the milter runs as root, at least with Sendmail as the MTA; this is not the case in the Debian package because their Sendmail packages deviate from the recommendations in the upstream sendmail/SECURITY documentation regarding directory ownership and permissions for the mail queues

  • The Fedora spamass-milter initscript would need to be edited to be able to get the milter to run as root as the existing version is hard-coded to run as user sa-milt

  • The sample exploits mentioned in the original vulnerability report and lwn.net could work with Postfix as the MTA but Sendmail would reject these "addresses" prior to them reaching the milter with a "Cannot mail directly to programs" error; it is of course trivially easy to construct a variant that would work with Sendmail too - I'm not suggesting that Sendmail is any less vulnerable here

  • The vulnerability is much more difficult to exploit if the mail server is running SELinux in enforcing mode (which it is by default in Fedora) because the milter is tightly constrained by SELinux policy; for instance, it cannot write files to /tmp and it cannot create outbound network connections to fetch an attacker's code. Once the update is fully released, I will be able to tighten the policy further to prevent the milter from executing a shell, since that was only needed because of the use of popen()

  • The vulnerability is almost identical to one affecting ClamAV in 2007 (CVE-2007-4560)

Since it's possible that users might actually want to use the -x option, the updated package allows a setting in /etc/sysconfig/spamass-milter to get the milter to run as root now, with that option off by default and discouraged from a security perspective in a comment in that file.

Local Packages

  • Updated perl-Exception-Class to 1.30 (add ability to create lightweight exceptions - CPAN RT#54826); as with other modules by Dave Rolsky, I now need to patch the test suite to get it to work on older distributions with Test::More < 0.88 due to the use of done_testing(), though at least I was able to drop the patch that fixed the Makefile.PL, which the previous version needed because it had been generated by a broken Module::Build::Compat. I also added buildreqs perl(Test::Spelling) and aspell-en for the spelling test and added a patch to add the missing words CPAN and Rolsky to the stopwords list.

  • Updated spamass-milter as per the Fedora package
