Bug 776967 - VUL-0: CVE-2012-3523: inn: STARTTLS injection issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
maint:released:sles9-sp3-teradata:490...
Reported: 2012-08-22 15:39 UTC by Marcus Meissner
Modified: 2012-09-14 12:09 UTC (History)
Description Marcus Meissner 2012-08-22 15:39:08 UTC
is public, via oss-sec

CVE-2012-3523

From: Jan Lieskovsky <jlieskov@redhat.com>
Subject: [oss-security] CVE Request -- inn (nnrpd): Prone to STARTTLS plaintext command
Hello Kurt, Steve, vendors,

  the STARTTLS implementation in INN's NNTP server for readers,
nnrpd, before 2.5.3 does not properly restrict I/O buffering,
which allows man-in-the-middle attackers to insert commands
into encrypted sessions by sending a cleartext command that
is processed after TLS is in place, related to a "plaintext
command injection" attack, a similar issue to CVE-2011-0411.

References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
[3] https://bugzilla.redhat.com/show_bug.cgi?id=850478

Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz
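
A simplified model of the buffering flaw described in the advisory above, added here as an illustration and not taken from the report, the upstream patch, or INN's source. The struct, function names, and sample input are hypothetical and constructed; it shows why input buffered before the handshake has to be discarded when STARTTLS is accepted.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a line-buffered reader (hypothetical names, not INN's code). */
struct conn {
    char buf[256];  /* NUL-terminated bytes already read from the socket */
    int  tls;       /* 1 once the TLS handshake has completed */
};

/* Pop one CRLF-terminated line from c->buf into out; return 0 if none is pending. */
static int next_line(struct conn *c, char *out, size_t outsz)
{
    char *eol = strstr(c->buf, "\r\n");
    if (eol == NULL)
        return 0;
    snprintf(out, outsz, "%.*s", (int)(eol - c->buf), c->buf);
    memmove(c->buf, eol + 2, strlen(eol + 2) + 1);
    return 1;
}

/* Feed one cleartext segment and return how many commands that arrived in
 * cleartext are executed after the session is considered TLS-protected. */
int cleartext_cmds_run_under_tls(const char *segment, int purge_on_starttls)
{
    struct conn c = { .buf = "", .tls = 0 };
    char line[128];
    int leaked = 0;

    snprintf(c.buf, sizeof c.buf, "%s", segment);
    while (next_line(&c, line, sizeof line)) {
        if (c.tls) {
            leaked++;               /* stale cleartext handled as if it came over TLS */
        } else if (strcmp(line, "STARTTLS") == 0) {
            if (purge_on_starttls)
                c.buf[0] = '\0';    /* drop everything buffered before the handshake */
            c.tls = 1;              /* handshake modelled as succeeding */
        }
    }
    return leaked;
}

int main(void)
{
    /* Constructed input: two commands delivered in a single cleartext read. */
    const char *segment = "STARTTLS\r\nGROUP example.test\r\n";
    printf("no purge: %d\n", cleartext_cmds_run_under_tls(segment, 0));
    printf("purge:    %d\n", cleartext_cmds_run_under_tls(segment, 1));
    return 0;
}
```
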
Comment 1 Michael Schröder 2012-08-22 15:48:11 UTC
(not only in nnrpd/misc.c, but also nnrpd/sasl.c!)
Comment 2 Swamp Workflow Management 2012-08-22 22:00:20 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2012-08-30 13:44:26 UTC
The SWAMPID for this issue is 48986.
This issue was rated as moderate.
Please submit fixed packages until 2012-09-13.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Michael Schröder 2012-09-04 16:47:12 UTC
packages are submitted.
Comment 6 Michael Schröder 2012-09-05 09:26:22 UTC
Of course there are also SLE submits. But it seems like I forgot 11.4, that's still maintained, right?
Comment 7 Sebastian Krahmer 2012-09-11 12:07:03 UTC
Seems so, yes.
Comment 8 Swamp Workflow Management 2012-09-12 00:05:08 UTC
Update released for: inn, inn-debuginfo, mininews
Products:
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 9 Swamp Workflow Management 2012-09-12 00:08:31 UTC
Update released for: inn, inn-debuginfo, inn-debugsource, inn-devel, mininews
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 10 Swamp Workflow Management 2012-09-12 00:08:51 UTC
Update released for: inn, mininews
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 11 Swamp Workflow Management 2012-09-12 01:00:27 UTC
Update released for: inn, inn-debuginfo, inn-debugsource, inn-devel, mininews
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 12 Swamp Workflow Management 2012-09-12 01:09:04 UTC
Update released for: inn, inn-debuginfo, mininews
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 13 Marcus Meissner 2012-09-14 11:56:56 UTC
released
Comment 14 Swamp Workflow Management 2012-09-14 12:09:19 UTC
openSUSE-SU-2012:1171-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 776967,778439
CVE References: CVE-2012-3523
Sources used:
openSUSE 12.2 (src):    inn-2.5.2-12.5.1
openSUSE 12.1 (src):    inn-2.5.2-9.4.1
openSUSE 11.4 (src):    inn-2.5.2-9.1