#acl PaulHowarth:read,write,admin,revert,delete All:read

=== Monday 22nd March 2010 ===

==== Fedora Project ====

Finally created an update for the `spamass-milter` remote root arbitrary code execution vulnerability ([[CVE:2010-1132|CVE-2010-1132]], [[RedHatBugzilla:572117|Bug #572117]], [[RedHatBugzilla:572119|Bug #572119]], [[https://savannah.nongnu.org/bugs/?29136|Upstream Bug #29136]]). The update includes upstream's preliminary patch for the issue, which replaces the use of `popen()` (a function that hands its command string to a shell to do most of its work, and hence requires careful sanitization of any untrusted input that ends up in that string) with a new function `popenv()`, which takes an argument vector like `execv()`, doesn't spawn a shell and so doesn't need its input sanitized against shell metacharacters. This preliminary patch appeared on 10th March and I tested it successfully by the 16th, but nothing further has happened upstream since then. Debian issued a patched release on the 17th based on this patch. I have also reworked another patch already in the Fedora package to resolve [[RedHatBugzilla:532266|Bug #532266]] (bogus log messages about missing macros in the MTA configuration) and included that fix in this update.
Some notes on the vulnerability itself:

 * The milter is only vulnerable if used with the `-x` option to expand aliases and virtual users prior to passing recipient addresses to !SpamAssassin
 * The `-x` option is not enabled by default in the Fedora package
 * Use of the `-x` option in Fedora requires that the milter runs as `root`, at least with Sendmail as the MTA; this is not the case in the Debian package because their Sendmail packages deviate from the recommendations in the upstream `sendmail/SECURITY` documentation regarding directory ownership and permissions for the mail queues
 * The Fedora `spamass-milter` initscript would need to be edited to get the milter to run as `root`, as the existing version is hard-coded to run as user `sa-milt`
 * The sample exploits mentioned in the [[http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073489.html|original vulnerability report]] and on [[http://lwn.net/Articles/379604/|lwn.net]] could work with Postfix as the MTA, but Sendmail would reject these "addresses" before they reach the milter with a "Cannot mail directly to programs" error; it is of course trivially easy to construct a variant that would work with Sendmail too, so I'm not suggesting that Sendmail is any less vulnerable here
 * The vulnerability is much more difficult to exploit if the mail server is running SELinux in enforcing mode (which it is by default in Fedora) because the milter is tightly constrained by SELinux policy; for instance, it cannot write files to `/tmp` and it cannot create outbound network connections to fetch an attacker's code; once the update is fully released, I will be able to tighten the policy further to prevent the milter from executing a shell at all, as this was only needed because of the use of the `popen()` function
 * The vulnerability is almost identical to one affecting ClamAV in 2007 ([[CVE:2007-4560|CVE-2007-4560]])

Since it's possible that users might actually ''want'' to use the `-x` option, the updated package now allows a setting in `/etc/sysconfig/spamass-milter` to get the milter to run as `root`, with that option off by default and discouraged from a security perspective in a comment in that file.

==== Local Packages ====

 * Updated `perl-Exception-Class` to 1.30 (adds the ability to create lightweight exceptions - [[CPAN:54826|CPAN RT#54826]]); as with other modules by Dave Rolsky, I now need to patch the test suite to get it to work on older distributions with `Test::More` < 0.88 due to the use of `done_testing()`, though at least I was able to drop the patch fixing the `Makefile.PL`, which in the previous version had been generated by a broken `Module::Build::Compat`. I also added buildreqs `perl(Test::Spelling)` and `aspell-en` for the spelling test and added a patch to add the missing words `CPAN` and `Rolsky` to the stopwords list.
 * Updated `spamass-milter` as per the Fedora package

----