Posted to users@spamassassin.apache.org by Michael Grant <mg...@grant.org> on 2015/06/10 22:21:38 UTC

spamass-milter and email addresses starting with --

I'm running Debian, sendmail, spamass-milter, spamc and spamd.

I saw this in my log:

Jun  9 20:30:29 debian sm-mta[15942]: t5A0ULAA015942: to=<--user@example.com>

then I saw this:

Jun  9 20:30:29 strange spamc[15947]: invalid usage
Jun  9 20:30:29 strange spamass-milter[1770]: Thrown error: poll says my write pipe is busted

That seems pretty scary that someone can send to a user which begins with
-- and fake out spamc that it's a command line option.

Re: spamass-milter and email addresses starting with --

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 6/10/2015 4:42 PM, Michael Grant wrote:
> I'm using 0.3.2 which seems to be the latest version available for 
> Debian.  It does appear that 0.4.0 hasn't hit Debian yet.
If I am reading the code correctly, the only change in 0.3.2 to 0.4.0 in 
the relevant section is to use strdup, i.e.



        // XXX arbitrary 100-argument max
        int argc = 0;
        char** argv = (char**) malloc(100*sizeof(char*));
-      argv[argc++] = SPAMC;
+      argv[argc++] = strdup(SPAMC);
        if (flag_sniffuser)
        {
-        argv[argc++] = "-u";
+        argv[argc++] = strdup("-u");
          if ( expandedrcpt.size() != 1 )
          {
            // More (or less?) than one recipient, so we pass the default
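Review bot: the `malloc(100*sizeof(char*))` result at the top of this hunk is used without a NULL check, `argc` is never compared against the 100-slot limit the XXX comment admits to, and the new `strdup()` calls add more unchecked allocations; check each return value and bound `argc` before every `argv[argc++]`. Also note that turning `"-u"` into `strdup("-u")` changes only how the literal is stored: nothing in these lines checks the user value that will follow `-u`, so a value beginning with `-` would need to be rejected separately.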
@@ -46,7 +46,7 @@
        }
        if (spamdhost)
        {
-        argv[argc++] = "-d";
+        argv[argc++] = strdup("-d");
          argv[argc++] = spamdhost;
        }
        if (spamc_argc)
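Review bot: `argv[argc++] = spamdhost;` still stores a borrowed pointer while the `-d` next to it is now a `strdup()` copy, so the array mixes owned and unowned entries. If the aim of the change is that argv entries can be freed uniformly, use `strdup(spamdhost)` here as well, or document which slots must not be freed. The return value of `strdup("-d")` is also unchecked.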


Regards,
KAM

Re: spamass-milter and email addresses starting with --

Posted by Michael Grant <mg...@grant.org>.
I'm using 0.3.2 which seems to be the latest version available for Debian.
It does appear that 0.4.0 hasn't hit Debian yet.

On Wed, Jun 10, 2015 at 10:34 PM, David B Funk <dbfunk@engineering.uiowa.edu> wrote:

> On Wed, 10 Jun 2015, Michael Grant wrote:
>
>> I'm running Debian, sendmail, spamass-milter, spamc and spamd.
>>
>> I saw this in my log:
>> Jun  9 20:30:29 debian sm-mta[15942]: t5A0ULAA015942: to=<--user@example.com>
>> then I saw this:
>>
>> Jun  9 20:30:29 strange spamc[15947]: invalid usage
>> Jun  9 20:30:29 strange spamass-milter[1770]: Thrown error: poll says my write pipe is busted
>> That seems pretty scary that someone can send to a user which begins with
>> -- and fake out spamc that it's a command line option.
>>
>>
>
> What version of spamass-milter are you using?
> Older versions of spamass-milter used a "system" call to invoke "spamc"
> and feed it messages, thus had a glaring security vulnerability.
>
> That was fixed a while ago, you need to update your spamass-milter.
>
>
> --
> Dave Funk                                  University of Iowa
> <dbfunk (at) engineering.uiowa.edu>        College of Engineering
> 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
> Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{

Re: spamass-milter and email addresses starting with --

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 6/10/2015 4:34 PM, David B Funk wrote:
>
> What version of spamass-milter are you using?
> Older versions of spamass-milter used a "system" call to invoke "spamc"
> and feed it messages, thus had a glaring security vulnerability.
>
> That was fixed a while ago, you need to update your spamass-milter. 
Are you sure a newer version fixes the issue?

I checked 0.1.3a (has to be 13 years old) and 0.4.0 (the latest) and 
both appear to use the same execvp call for spamc and the function for 
full_user doesn't appear to have anything sanitizing this case.

According to http://savannah./gnu/./org//projects/spamass-milt/, 0.4.0 
is the latest.

regards,
KAM

Re: spamass-milter and email addresses starting with --

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 10 Jun 2015, Michael Grant wrote:

> I'm running Debian, sendmail, spamass-milter, spamc and spamd.
> 
> I saw this in my log:
> Jun  9 20:30:29 debian sm-mta[15942]: t5A0ULAA015942: to=<--...@example.com>
> then I saw this:
> 
> Jun  9 20:30:29 strange spamc[15947]: invalid usage
> Jun  9 20:30:29 strange spamass-milter[1770]: Thrown error: poll says my write pipe is busted
> That seems pretty scary that someone can send to a user which begins with -- and fake out spamc that it's a command
> line option.

What version of spamass-milter are you using?
Older versions of spamass-milter used a "system" call to invoke "spamc"
and feed it messages, thus had a glaring security vulnerability.

That was fixed a while ago, you need to update your spamass-milter.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: spamass-milter and email addresses starting with --

Posted by RW <rw...@googlemail.com>.
On Wed, 10 Jun 2015 22:21:38 +0200
Michael Grant wrote:

> I'm running Debian, sendmail, spamass-milter, spamc and spamd.
> 
> I saw this in my log:
> 
> Jun  9 20:30:29 debian sm-mta[15942]: t5A0ULAA015942: to=<--user@example.com>
> 
> then I saw this:
> 
> Jun  9 20:30:29 strange spamc[15947]: invalid usage
> Jun  9 20:30:29 strange spamass-milter[1770]: Thrown error: poll says my write pipe is busted
> 
> That seems pretty scary that someone can send to a user which begins
> with -- and fake out spamc that it's a command line option.


To be fair spamc caught it. The only scope for remote abuse is if the
sender can force you to pass more than one parameter.
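
The case discussed in this thread, as an added example that is not part of the original messages and is not spamass-milter's code: building the spamc argument list so that a recipient such as `<--user@example.com>` is never passed as the value of `-u`. The function names, the `default_user` fallback and the rejection rule are assumptions made for illustration.

```cpp
// Added example, not spamass-milter code; all names are hypothetical.
#include <string>
#include <vector>

// Strip the angle brackets sendmail puts around an envelope recipient.
static std::string strip_brackets(const std::string& rcpt) {
    std::string::size_type b = 0, e = rcpt.size();
    if (e > 0 && rcpt[0] == '<') ++b;
    if (e > b && rcpt[e - 1] == '>') --e;
    return rcpt.substr(b, e - b);
}

// Accept a value as the argument of -u only if it is non-empty, does not
// start with '-', and contains no whitespace or control characters.
bool safe_user_arg(const std::string& user) {
    if (user.empty() || user[0] == '-') return false;
    for (unsigned char c : user)
        if (c <= 0x20 || c == 0x7f) return false;
    return true;
}

// Build the spamc argument list. With exactly one acceptable recipient the
// recipient is used as the user; in every other case default_user is used.
std::vector<std::string> build_spamc_argv(const std::vector<std::string>& rcpts,
                                          const std::string& default_user,
                                          const std::string& spamdhost) {
    std::vector<std::string> argv{"spamc"};
    std::string user = default_user;
    if (rcpts.size() == 1) {
        std::string candidate = strip_brackets(rcpts[0]);
        if (safe_user_arg(candidate)) user = candidate;
    }
    argv.push_back("-u");
    argv.push_back(user);
    if (!spamdhost.empty()) {
        argv.push_back("-d");
        argv.push_back(spamdhost);
    }
    return argv;
}

// Convert to the char* array execvp() expects; pointers borrow from args.
std::vector<char*> to_exec_array(std::vector<std::string>& args) {
    std::vector<char*> out;
    for (std::string& a : args) out.push_back(&a[0]);
    out.push_back(nullptr);
    return out;
}
```

Because the list is a growable vector, there is no fixed argument limit to overrun, and every string is owned by the vector for as long as the `char*` array is in use.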