[hypermail] Hypermail Security Fixes

From: Peter C. McCluskey <pcm_at_rahul.net_at_hypermail-project.org>
Date: Thu, 27 Feb 2003 10:00:47 -0800 (PST)
Message-Id: <20030227180047.1BF0B2B54C_at_mauve.rahul.net>

 Version 2.1.7 is now available on Sourceforge: http://prdownloads.sourceforge.net/hypermail/hypermail-2.1.7.tar.gz

SUMMARY:  It should be understood that no known exploits exist at present for the security issues listed below. This proactive review of the code was taken to better secure hypermail. It is unclear whether any exploits were possible on a typical installation.

Problems in utility programs other than the main Hypermail binary:

  Temp file race conditions were potentially possible in msg2archive.c and in mbox2hypermail.c (in the archive directory). They have been corrected.

 popen was used in the mail utility and the archive/msg2archive utility. msg2archive usage: The 'msg2archive' utility can be useful for archiving

    mail into mailboxes as well as calling hypermail. In order to be     exploited, the administrator would have had to install it with special     privileges (such as setuid) which has never been needed or suggested.     The level of potential exposure is low. Nevertheless, the utility has     been modified to better protect against abuse. Mail usage: The 'mail' utility was not installed by default and has not

    been for the last two years. In any case, the hypermail development     team has determined that the 'mail' utility is a historic relic and     will not be supplied in future versions. Its functionality has been     replaced with a warning that anyone using it should remove it immediately.

Security-related changes to the main Hypermail program:

 Fixed a possible buffer overflow with long filenames in uuencoded attachments. This appears to have been a risk only on systems where MAXPATHLEN or PATH_MAX was defined in system headers to be less than 1024.

 Disabled conversion of file:// into href - it seemed to allow anyone who could access the web server via localhost to read any file that the web server had permission to read rather than just files in the archive directory.

 Fixed and replaced various non-bound-checking code parts to avoid possible code execution or denial-of-service conditions.

 Replaced sprintfs with snprintfs to do bounds checking in places where it was hard to tell whether buffer overflows were possible.

 Limited the length of "Subject" and alike to avoid denial of service attacks while calling alloc.

Changes unrelated to security:
 Fixed decoding of non-ascii headers.
 Fixed append option (was discarding some lines).  Fixed random core dumps with files_by_thread option.  Fixed compile problems on SunOS and Alpha running TRU64. See the Changelog for further details.

 The Hypermail Development Team would like to greatly thank Thomas Biege <thomas_at_suse.de> for assisting us with this review.

Peter McCluskey          | 
http://www.rahul.net/pcm | 
Received on Thu 27 Feb 2003 10:17:20 PM GMT

This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:12 AM GMT GMT