[Secure-testing-team] Re: Bug#332259: spampd fails with 'Error in process_request': Modification of read-only variable in Syslog.pm

Sven Mueller debian at incase.de
Sun Oct 9 17:29:19 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Fri, October 7, 2005 6:17, Martin Schulze said:
> Sven Mueller wrote:
>> I created a fixed package (actually two: one for sid/etch and one for
>> sarge), available at https://mail.incase.de/spampd/sarge-security/
>> respectively at https://mail.incase.de/spampd/sid/ (until my sponsor
>> finds the time to upload the latter to sid). Personally, I'm indifferent
>> whether this fix should be uploaded to the testing-security archive,
>> since the fixed version should propagate quickly from sid.
>>
>> Security-Team: What else do I need to do to get the fixed version into
>> sarge/security?
>
> How does this represent a security bug?
>
> It's not a denial of service unless spampd crashes and is unavailable
> after misprocessing this mail.  According to the bug report, the daemon
> is reporting an error but continuing to work.
>
> Hence, it's rather "one mail falls through" or something.  Doesn't sound
> security-relevant to me.

Well, it's more of an indirect DoS. The mails are rejected with an SMTP
temporary failure code according to my quick test. This means that those
mails fill up the sending SMTP daemon's queue (which is usually the same
host or a closely related host to the host spampd runs on).

In my opinion, this is a possible DoS attack. And since the fix (one might
call it workaround) is really minimal, I would really recommend updating
it in sarge.

Apart from that, this bug is at least a serious problem, since it might
deny perfectly legal mails from reaching the envelope recipient.

Regarding the comment from Florian Weimer, whether this is really a spampd
bug or more a Net::Server bug, I must say that I didn't (and don't) have
time to analyze it. But I think it would be more a Sys::Syslog bug.
However, I don't know whether using a "%s" as first argument would work as
expected (I would have to test it more intensively, and it certainly isn't
the minimal fix for the problem, just the right one in the long run).
However, even if it would be a Sys::Syslog or Net::Server bug, I would
still think it is right for spampd to work around that bug now (since the
Sys::Syslog/Net::Server fix would be more complex).

regards,
Sven

PS: It is really unlikely for me to be online much this week, so please
don't expect timely answers before Tuesday 18th.

- --
Still in NM process

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDSVNvg3izVowCbSERAvrDAKD9FY3nSs31e5HQE/VLXJhELjg9AgCfeSd1
mctgw1PqDHJXi/Q0zpRyf/Y=
=a9ZH
-----END PGP SIGNATURE-----
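
The "%s" as first argument approach mentioned in the message above, as an added example that is not part of the original post and is not spampd, Net::Server or Sys::Syslog code. It contrasts untrusted mail text used as the format with the same text passed as an argument to a constant format; `format_line`, `log_untrusted`, the `format-demo` ident and the sample subject line are hypothetical names and constructed data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog qw(openlog syslog closelog);

# Constructed sample: text from a mail that happens to contain
# printf-style directives.
my $untrusted = 'Subject: 100%s off, %d days only';

# Mimics what a format-style logger does with its first argument.
# Returns the formatted line (or the error text if formatting died)
# and the number of warnings raised while formatting.
sub format_line {
    my ($format, @args) = @_;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };
    my $line = eval { sprintf($format, @args) };
    $line = "died: $@" unless defined $line;
    return ($line, scalar @warnings);
}

# Hypothetical wrapper: the format is a constant, the untrusted text is
# only ever an argument, so directives inside it are never interpreted.
sub log_untrusted {
    my ($priority, $text) = @_;
    syslog($priority, '%s', $text);
}

# Untrusted text used as the format: directives are interpreted.
my ($as_format, $warn_format) = format_line($untrusted);
# Untrusted text passed as an argument: logged verbatim.
my ($as_arg, $warn_arg) = format_line('%s', $untrusted);

print "as format  : $as_format ($warn_format warnings)\n";
print "as argument: $as_arg ($warn_arg warnings)\n";

# Write to the real syslog only on request, since that needs a
# reachable syslog socket on the host.
if (@ARGV && $ARGV[0] eq '--syslog') {
    openlog('format-demo', 'pid', 'mail');
    log_untrusted('info', $untrusted);
    closelog();
}
```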




