Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2005-0337: Postfix, permit_mx_backup, IPv6, chroot --> Open Relay! | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Ludwig Nussel <lnussel> |
| Component: | Incidents | Assignee: | Ludwig Nussel <lnussel> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | p.heinlein, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2005-0337: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | proc2chroot.patch, Patch from Dean Strik | | |

Description
Peer Heinlein
2004-12-21 06:37:20 UTC
Install 9.1, run smtpd chrooted, use permit_mx_backup in smtpd_*_restrictions and try to relay mail to foo@eu.org. Postfix will act as an Open Relay where it should reject the mail with "Relay Access denied".

Well, 2.1.1 is the version on 9.1 and SLES9, but 2.1.1 also has this bug. As you already don't run 2.1.1 anymore, I would suggest to upgrade to 2.1.5, which doesn't seem to have this bug anymore.

I'll do a backport of the fix meanwhile

comment #2 is wrong, 2.1.5 also does not work

That bug is also in SLES9, moving it to SLES9 because of its importance

Created attachment 27247 [details]
proc2chroot.patch
patch to SuSEconfig.postfix to mount proc into the chroot jail
I will discuss that problem on the ipv6 and/or postfix list when I'm back from vacation.

Dean Strik, the author of the IPv6 Postfix-patch wrote me:
You'll need to mount /proc in the chroot then as a workaround. The
alternative (but not yet implemented) fix is that the file is read
before entering the chroot. This has been on my todo list, but haven't
done it yet.
> So Postfix relays mail to all *destinations* that have IPv6-records
> set, if smtpd runs chrooted and if /proc/net/if_inet6 isn't readable.
Found it. A programming error on my part. Patch attached. Please let me
know if it works correctly.
Created attachment 27308 [details]
Patch from Dean Strik
Patch should fix the bug in Postfix: a nonworking check of the IPv6 address of the
server shouldn't give a positive result for permit_mx_backup any more.
The fix is working. I would recommend to make a maintenance update for SLES9

Ralf?

reassigning

fixes submitted

Wietse Venema wrote me: FYI, while adopting and rewriting the IPv6 patch, this problem was eliminated by always accessing /proc before a process chroots. I inserted an own_inet_addr_list() call in mail_params_init(), so that the call is done even when mynetworks is specified in main.cf. The result is now running on my main server.

Btw: I wouldn't be angry if "Peer Heinlein, http://www.heinlein-support.de" could be named as the discoverer of the bug if you publish a Security Announcement.

Reopened by lnussel@suse.de at Fri Jan 14 17:08:11 2005, took initial reporter p.heinlein@jpberlin.de to cc

I wrote a mail to Dean Strik to request delay of public disclosure so I can notify vendor-sec and give THEM a chance to fix it as well. Do you mind delaying the disclosure if Dean didn't disclose it already?

No.

Any news for this issue? A new disclosure date or something.

Any news? This fix also blocks two other fixes (49695 and 49760)

Ludwig?

I've just written another mail to Dean Strik as he wanted to notify vendor-sec

updates approved.

make it visible for externals too.

CAN-2005-0337

CVE-2005-0337: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
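
The failure mode discussed in this report, as an added example that is not taken from Postfix or from either attached patch: a simplified model of an own-address check that loads the interface list before chroot and treats an unreadable list as "unknown", which never grants relay permission. All function names are hypothetical and the addresses are constructed sample data.

```c
/* Added example, not Postfix source: simplified model, all names hypothetical. */
#include <stdio.h>
#include <string.h>

enum { OWN_UNKNOWN = -1, OWN_NO = 0, OWN_YES = 1, MAX_ADDRS = 16 };
static char own_addrs[MAX_ADDRS][33];
static int own_count = -1;              /* -1 = list was never loaded */
/* Constructed sample in /proc/net/if_inet6 layout: ::1 and 2001:db8::25. */
static const char SAMPLE_IF_INET6[] =
    "00000000000000000000000000000001 01 80 10 80       lo\n"
    "20010db8000000000000000000000025 02 40 00 80     eth0\n";

/* Call before chroot(), with fp = fopen("/proc/net/if_inet6", "r"). */
int load_own_addrs(FILE *fp)
{
    char line[128];
    if (fp == NULL) return own_count = -1;   /* unreadable: stays "unknown" */
    own_count = 0;
    while (own_count < MAX_ADDRS && fgets(line, sizeof line, fp))
        if (sscanf(line, "%32[0-9a-f]", own_addrs[own_count]) == 1
            && strlen(own_addrs[own_count]) == 32)
            own_count++;
    fclose(fp);
    return own_count;
}

/* hex32: 32 lowercase hex digits, the form the kernel prints. */
int is_own_addr(const char *hex32)
{
    if (own_count < 0) return OWN_UNKNOWN;
    for (int i = 0; i < own_count; i++)
        if (strcmp(own_addrs[i], hex32) == 0) return OWN_YES;
    return OWN_NO;
}

/* Fail closed: only a definite match counts; "unknown" never permits. */
int mx_backup_permitted(const char *mx_hex32)
{
    return is_own_addr(mx_hex32) == OWN_YES;
}

int main(void)
{
    FILE *fp = tmpfile();               /* stands in for the /proc file */
    if (fp) { fputs(SAMPLE_IF_INET6, fp); rewind(fp); }
    load_own_addrs(fp);
    printf("%d\n", mx_backup_permitted("20010db8000000000000000000000025"));
    return 0;
}
```
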