Debian Bug report logs - #591515
CVE-2008-7258 buffer overflow
Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#591515; Package ssmtp. (Tue, 03 Aug 2010 17:51:04 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Tue, 03 Aug 2010 17:51:05 GMT)
Message #5 received at submit@bugs.debian.org:
package: ssmtp
version: 2.64-4
severity: serious
tags: security
a buffer overflow in ssmtp:
https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424
note that current code is slightly different than ubuntu, so it's not
entirely clear whether debian is affected. please check.
thanks,
mike
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#591515; Package ssmtp. (Tue, 03 Aug 2010 18:00:05 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Tue, 03 Aug 2010 18:00:05 GMT)
Message #10 received at 591515@bugs.debian.org:
retitle 591515 CVE-2008-7258 buffer overflow
thanks
Changed Bug title to 'CVE-2008-7258 buffer overflow' from 'ssmtp: CVE-2010-7258 buffer overflow'. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 03 Aug 2010 18:00:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#591515; Package ssmtp. (Mon, 09 Aug 2010 03:45:02 GMT)
Acknowledgement sent to Anibal Monsalve Salazar <anibal@debian.org>: Extra info received and forwarded to list. (Mon, 09 Aug 2010 03:45:03 GMT)
Message #17 received at 591515@bugs.debian.org:
On Tue, Aug 03, 2010 at 01:47:15PM -0400, Michael Gilbert wrote:
>package: ssmtp
>version: 2.64-4
>severity: serious
>tags: security
>
>a buffer overflow in ssmtp:
>https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424
>
>note that current code is slightly different than ubuntu, so it's not
>entirely clear whether debian is affected. please check.
>
>thanks,
>mike
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7258
CVE-2008-7258 at the address above seems empty.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7258
The web page above reads:
ERROR, "CVE-2008-7258" is valid CVE format, but CVE was not found.
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#591515; Package ssmtp. (Mon, 09 Aug 2010 15:15:06 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Mon, 09 Aug 2010 15:15:06 GMT)
Message #22 received at 591515@bugs.debian.org:
On Sun, 8 Aug 2010 23:40:38 -0400, Anibal Monsalve Salazar wrote:
> On Tue, Aug 03, 2010 at 01:47:15PM -0400, Michael Gilbert wrote:
> >package: ssmtp
> >version: 2.64-4
> >severity: serious
> >tags: security
> >
> >a buffer overflow in ssmtp:
> >https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424
> >
> >note that current code is slightly different than ubuntu, so it's not
> >entirely clear whether debian is affected. please check.
> >
> >thanks,
> >mike
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7258
>
> CVE-2008-7258 at the address above seems empty.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7258
>
> The web page above reads:
>
> ERROR, "CVE-2008-7258" is valid CVE format, but CVE was not found.
that means that the info hasn't yet been populated in their database.
it was assigned on oss-security, and sometimes it takes many days to
enter the database after that.
mike
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#591515; Package ssmtp. (Tue, 10 Aug 2010 01:27:03 GMT)
Acknowledgement sent to Anibal Monsalve Salazar <anibal@debian.org>: Extra info received and forwarded to list. (Tue, 10 Aug 2010 01:27:03 GMT)
Message #27 received at 591515@bugs.debian.org:
On Mon, Aug 09, 2010 at 11:10:46AM -0400, Michael Gilbert wrote:
>that means that the info hasn't yet been populated in their database.
>it was assigned on oss-security, and sometimes it takes many days to
>enter the database after that.
Please don't forget we're talking about CVE-2008-7258. A CVE from the
year 2008.
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#591515; Package ssmtp. (Tue, 10 Aug 2010 01:45:03 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Tue, 10 Aug 2010 01:45:03 GMT)
Message #32 received at 591515@bugs.debian.org:
On Mon, 9 Aug 2010 21:25:37 -0400 Anibal Monsalve Salazar wrote:
> On Mon, Aug 09, 2010 at 11:10:46AM -0400, Michael Gilbert wrote:
> >that means that the info hasn't yet been populated in their database.
> >it was assigned on oss-security, and sometimes it takes many days to
> >enter the database after that.
>
> Please don't forget we're talking about CVE-2008-7258. A CVE from the
> year 2008.
yes it is a 2008 issue, but it was only assigned an id a couple days
ago. they make date assignments based on discovery year, rather than
issue year.
mike
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#591515; Package ssmtp. (Sun, 22 Aug 2010 09:39:04 GMT)
Acknowledgement sent to Luca Bruno <lucab@debian.org>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 22 Aug 2010 09:39:04 GMT)
Message #37 received at 591515@bugs.debian.org:
tag 591515 + unreproducible
thanks
Hi,
Ubuntu bug-report was filed against 2.62 and contains a PoC/testcase.
Current squeeze and sid contain latest 2.64, and the aforementioned
testcase doesn't fail.
Moreover, as it seems to be an off-by-one error, I think it was fixed
in later versions, as ssmtp.c now accounts for it:
1385    if(vsnprintf(buf, (BUF_SZ - 1), format, ap) == -1) {
1386        die("smtp_write() -- vsnprintf() failed");
1387    }
I'm tagging as unreproducible, as Anibal would certainly have more
knowledge about this than me to close it.
Cheers, Luca
--
.''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso)
: :' : The Universal O.S. | lucab (AT) debian.org
`. `'` | GPG Key ID: 3BFB9FB3
`- http://www.debian.org | Debian GNU/Linux Developer
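An added example, not from ssmtp.c or this bug log, on the check quoted in the message above: the size argument is what bounds the write, while under C99 a truncating vsnprintf returns the length the output would have needed rather than -1. `fmt_checked`, `minus_one_check`, `out_buf` and the 16-byte `BUF_SZ` are hypothetical, and the input string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 16   /* assumption: small so truncation is easy to trigger */

enum fmt_status { FMT_OK, FMT_TRUNCATED, FMT_ERROR };

static char out_buf[BUF_SZ];    /* demo buffer */

/* Judge the call only by "== -1": returns 1 if that test reports failure. */
static int minus_one_check(char *buf, size_t size, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(buf, size, format, ap);
    va_end(ap);
    return n == -1;
}

/* Hypothetical helper: same call, but classify truncation separately. */
static enum fmt_status fmt_checked(char *buf, size_t size, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(buf, size, format, ap);
    va_end(ap);
    if (n < 0)
        return FMT_ERROR;        /* output error */
    if ((size_t)n >= size)
        return FMT_TRUNCATED;    /* C99: n is the length that was needed */
    return FMT_OK;
}

int main(void)
{
    const char *cmd = "RCPT TO:<someone@example.org>";  /* constructed input */

    printf("== -1 test: %d\n", minus_one_check(out_buf, sizeof out_buf, "%s", cmd));
    printf("checked:    %d, kept \"%s\"\n",
           fmt_checked(out_buf, sizeof out_buf, "%s", cmd), out_buf);
    return 0;
}
```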
Added tag(s) unreproducible. Request was from Luca Bruno <lucab@debian.org> to control@bugs.debian.org. (Sun, 22 Aug 2010 09:39:05 GMT)
Bug No longer marked as found in versions ssmtp/2.64-4. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Mon, 23 Aug 2010 06:15:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#591515; Package ssmtp. (Sat, 04 Sep 2010 14:12:06 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 04 Sep 2010 14:12:06 GMT)
Message #46 received at 591515@bugs.debian.org:
tag 591515 - security
severity 591515 normal
kthxbye
On Tue, Aug 3, 2010 at 13:47:15 -0400, Michael Gilbert wrote:
> package: ssmtp
> version: 2.64-4
> severity: serious
> tags: security
>
> a buffer overflow in ssmtp:
> https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424
>
> note that current code is slightly different than ubuntu, so it's not
> entirely clear whether debian is affected. please check.
>
Quoting the CVE description:
** DISPUTED ** The standardise function in Anibal Monsalve Salazar sSMTP
2.61 and 2.62 allows local users to cause a denial of service
(application exit) via an e-mail message containing a long line that
begins with a . (dot) character. NOTE: CVE disputes this issue because
it is solely a usability problem for senders of messages with certain
long lines, and has no security impact.
Downgrading.
Cheers,
Julien
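An added example, not sSMTP's code and not part of this bug log: SMTP dot-stuffing doubles a leading '.', so a line that exactly fills a fixed buffer needs one more byte after the transformation, which is where an off-by-one hides. `dot_stuff`, `try_line`, `line_buf` and the 8-byte `BUF_SZ` are hypothetical names and values chosen for illustration; the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 8   /* assumption: tiny buffer so the boundary is easy to hit */

static char line_buf[BUF_SZ];   /* demo buffer, holds one constructed line */

/*
 * Hypothetical helper (not sSMTP's standardise()): dot-stuff the
 * NUL-terminated line in buf[cap] in place.
 * Returns 0 on success, -1 if the result would not fit in cap bytes.
 */
static int dot_stuff(char *buf, size_t cap)
{
    const char *nul = memchr(buf, '\0', cap);
    size_t len;

    if (nul == NULL)
        return -1;                   /* no terminator inside the buffer */
    len = (size_t)(nul - buf);
    if (buf[0] != '.')
        return 0;                    /* nothing to insert */
    if (len + 2 > cap)               /* text + extra '.' + NUL */
        return -1;                   /* report it; let the caller decide */
    memmove(buf + 1, buf, len + 1);  /* shift text and its NUL right by one */
    buf[0] = '.';
    return 0;
}

/* Copy a constructed line into line_buf, then stuff it. */
static int try_line(const char *line)
{
    if (strlen(line) >= sizeof line_buf)
        return -1;                   /* does not fit even before stuffing */
    strcpy(line_buf, line);
    return dot_stuff(line_buf, sizeof line_buf);
}

int main(void)
{
    const char *samples[] = { "hello", ".abcde", ".abcdef" };  /* constructed */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = try_line(samples[i]);
        printf("%-8s -> rc=%d buf=\"%s\"\n", samples[i], rc, line_buf);
    }
    return 0;
}
```

The third sample fits the buffer before stuffing but not after it, so the helper returns -1 and leaves the line unchanged for the caller to handle.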
Removed tag(s) security. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sat, 04 Sep 2010 14:12:09 GMT)
Severity set to 'normal' from 'serious'. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sat, 04 Sep 2010 14:12:10 GMT)
Last modified: Wed Jun 19 13:54:13 2019