Debian Bug report logs - #572960
libesmtp does not check NULL bytes in commonNames of certificates
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 7 Mar 2010 20:27:01 UTC
Severity: grave
Tags: security, upstream
Fixed in version libesmtp/1.0.4-5
Done: jbouse@debian.org (Jeremy T. Bouse)
Bug is archived. No further changes may be made.
Forwarded to libesmtp@stafford.uklinux.net
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, jbouse@debian.org (Jeremy T. Bouse): Bug#572960; Package libesmtp. (Sun, 07 Mar 2010 20:27:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, jbouse@debian.org (Jeremy T. Bouse). (Sun, 07 Mar 2010 20:27:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libesmtp
Severity: grave
Tags: security
Kees Cook reported this on the oss-security mailing list:
http://www.openwall.com/lists/oss-security/2010/03/03/6
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse): Bug#572960; Package libesmtp. (Fri, 28 May 2010 01:33:02 GMT)
Acknowledgement sent to Alexander Sack <asac@ubuntu.com>: Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse). (Fri, 28 May 2010 01:33:03 GMT)
Message #10 received at 572960@bugs.debian.org:
Any update on this security issue?
- Alexander
Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse): Bug#572960; Package libesmtp. (Fri, 28 May 2010 05:48:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>: Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse). (Fri, 28 May 2010 05:48:03 GMT)
Message #15 received at 572960@bugs.debian.org:
Hi all
On Fri, May 28, 2010 at 03:29:42AM +0200, Alexander Sack wrote:
> Any update on this security issue?
There was an ongoing discussion about that, in [1] still. RedHat
Bugtracker has two proposed patches too [2,3,4].
[1] http://thread.gmane.org/gmane.comp.security.oss.general/2637
[2] https://bugzilla.redhat.com/attachment.cgi?id=399130&action=diff
[3] https://bugzilla.redhat.com/attachment.cgi?id=399131&action=diff
[4] https://bugzilla.redhat.com/show_bug.cgi?id=571817
Some comments on this?
Bests
Salvatore
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#572960. (Fri, 28 May 2010 05:48:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse): Bug#572960; Package libesmtp. (Sun, 11 Jul 2010 20:03:03 GMT)
Acknowledgement sent to "Jeremy T. Bouse" <jbouse@debian.org>: Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse). (Sun, 11 Jul 2010 20:03:03 GMT)
Message #23 received at 572960@bugs.debian.org:
forwarded 572960 libesmtp@stafford.uklinux.net
tags 572960 upstream
thanks
Brian,
I've had this bug [1] filed and given a grave status as it relates to
NULL bytes in the commonNames of certificates. I've not tried to dig
into it myself as I'm not that familiar with it but was merely
forwarding it on to you to look into. This has been assigned
CVE-2010-1192 and shows vulnerable in every version of libESMTP that is
within the Debian mirrors (1.0.3 and 1.0.4).
Regards,
Jeremy
1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572960
On 05/28/2010 01:45 AM, Salvatore Bonaccorso wrote:
> Hi all
>
> On Fri, May 28, 2010 at 03:29:42AM +0200, Alexander Sack wrote:
>> Any update on this security issue?
>
> There was an ongoing discussion about that, in [1] still. RedHat
> Bugtracker has two proposed patches too [2,3,4].
>
> [1] http://thread.gmane.org/gmane.comp.security.oss.general/2637
> [2] https://bugzilla.redhat.com/attachment.cgi?id=399130&action=diff
> [3] https://bugzilla.redhat.com/attachment.cgi?id=399131&action=diff
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=571817
>
> Some comments on this?
>
> Bests
> Salvatore
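The defect class named in the message above (CVE-2010-1192, a commonName with an embedded NUL byte passing a hostname check) comes down to one missing comparison. The following is an added illustration, not code from libESMTP or from the bug's patches; it contrasts a matcher that treats the commonName as a C string with one that also honours the length the ASN.1 decoder reports. The sample commonNames and the host name are constructed; in a real client, the bytes and length would come from the certificate parser (in OpenSSL, ASN1_STRING_data()/ASN1_STRING_length()).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum cn_result { CN_MATCH = 0, CN_MISMATCH = 1, CN_EMBEDDED_NUL = 2 };

/* The defective pattern: treating the commonName as a C string. strcmp()
 * stops at the first NUL byte, so everything after it is never compared. */
int naive_cn_matches(const unsigned char *cn, const char *expected_host)
{
    return strcmp((const char *)cn, expected_host) == 0;
}

/* Hardened form: cn/cn_len are the raw bytes and the length the ASN.1 decoder
 * reports. If the C-string length differs from cn_len, the name carries an
 * embedded NUL and is rejected before any comparison takes place. */
enum cn_result checked_cn_matches(const unsigned char *cn, size_t cn_len,
                                  const char *expected_host)
{
    size_t i;
    if (strlen((const char *)cn) != cn_len)
        return CN_EMBEDDED_NUL;
    if (strlen(expected_host) != cn_len)
        return CN_MISMATCH;
    /* DNS names compare case-insensitively, over the full declared length. */
    for (i = 0; i < cn_len; i++)
        if (tolower(cn[i]) != tolower((unsigned char)expected_host[i]))
            return CN_MISMATCH;
    return CN_MATCH;
}

/* Constructed sample commonNames (not taken from the bug report). sizeof-1 is
 * the length an ASN.1 decoder would report, including any embedded NUL. */
static const unsigned char GOOD_CN[]  = "mail.example.com";
static const unsigned char MIXED_CN[] = "Mail.Example.COM";
static const unsigned char NUL_CN[]   = "mail.example.com\0.example.net";
#define CN_LEN(a) (sizeof(a) - 1)

int main(void)
{
    const char *host = "mail.example.com";
    printf("naive,   good CN: %d\n", naive_cn_matches(GOOD_CN, host));                   /* 1 */
    printf("naive,   NUL CN:  %d (wrongly accepted)\n", naive_cn_matches(NUL_CN, host)); /* 1 */
    printf("checked, good CN: %d\n", checked_cn_matches(GOOD_CN, CN_LEN(GOOD_CN), host)); /* 0 */
    printf("checked, NUL CN:  %d\n", checked_cn_matches(NUL_CN, CN_LEN(NUL_CN), host));   /* 2 */
    return 0;
}
```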
Set Bug forwarded-to-address to 'libesmtp@stafford.uklinux.net'. Request was from "Jeremy T. Bouse" <jbouse@debian.org> to control@bugs.debian.org. (Mon, 12 Jul 2010 14:09:02 GMT)
Added tag(s) upstream. Request was from "Jeremy T. Bouse" <jbouse@debian.org> to control@bugs.debian.org. (Mon, 12 Jul 2010 14:09:03 GMT)
Reply sent to jbouse@debian.org (Jeremy T. Bouse): You have taken responsibility. (Wed, 21 Jul 2010 04:18:05 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Wed, 21 Jul 2010 04:18:05 GMT)
Message #32 received at 572960-close@bugs.debian.org:
Source: libesmtp
Source-Version: 1.0.4-5
We believe that the bug you reported is fixed in the latest version of
libesmtp, which is due to be installed in the Debian FTP archive:
libesmtp-dev_1.0.4-5_i386.deb
to main/libe/libesmtp/libesmtp-dev_1.0.4-5_i386.deb
libesmtp5_1.0.4-5_i386.deb
to main/libe/libesmtp/libesmtp5_1.0.4-5_i386.deb
libesmtp_1.0.4-5.diff.gz
to main/libe/libesmtp/libesmtp_1.0.4-5.diff.gz
libesmtp_1.0.4-5.dsc
to main/libe/libesmtp/libesmtp_1.0.4-5.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 572960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy T. Bouse <jbouse@debian.org> (supplier of updated libesmtp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 21 Jul 2010 00:00:47 -0400
Source: libesmtp
Binary: libesmtp5 libesmtp-dev
Architecture: source i386
Version: 1.0.4-5
Distribution: unstable
Urgency: low
Maintainer: Jeremy T. Bouse <jbouse@debian.org>
Changed-By: Jeremy T. Bouse <jbouse@debian.org>
Description:
libesmtp-dev - LibESMTP SMTP client library development files
libesmtp5 - LibESMTP SMTP client library
Closes: 572960
Changes:
libesmtp (1.0.4-5) unstable; urgency=low
.
* debian/control: Updated Standards-Version to 3.9.0
* Fixes for CVE-2010-1192 handling NULL bytes (Closes: #572960) -
thanks to Jan Lieskovsky
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 08:16:37 GMT)
Last modified: Wed Jun 19 19:00:00 2019