Debian: Security Advisory for netqmail (DSA-4692-1)
2020-05-25T00:00:00
ID OPENVAS:1361412562310704692 Type openvas Reporter Copyright (C) 2020 Greenbone Networks GmbH Modified 2020-05-25T00:00:00
Description
The remote host is missing an update for the 'netqmail' package(s) announced via the DSA-4692-1 advisory.
# Copyright (C) 2020 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
# Registration section. When the scanner evaluates the script with `description`
# set, only the metadata calls below run and the script leaves through exit(0)
# at the end of this block; the package check further down is not reached.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.704692");
script_version("2020-05-25T03:00:17+0000");
# All five CVEs are attached to this one check. The check itself compares package
# versions only, so a finding does not distinguish between the individual CVEs.
script_cve_id("CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3811", "CVE-2020-3812");
# NOTE(review): this CVSS v2 vector scores availability impact only (C:N/I:N/A:P),
# while the "insight" text below names arbitrary code execution and a
# mail-address verification bypass. Do not prioritise remediation on this base
# score alone; read it together with the advisory text.
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_tag(name:"last_modification", value:"2020-05-25 03:00:17 +0000 (Mon, 25 May 2020)");
script_tag(name:"creation_date", value:"2020-05-25 03:00:17 +0000 (Mon, 25 May 2020)");
script_name("Debian: Security Advisory for netqmail (DSA-4692-1)");
# ACT_GATHER_INFO: registered as an information-gathering check.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2020 Greenbone Networks GmbH");
script_family("Debian Local Security Checks");
# Declares gather-package-list.nasl as a prerequisite; presumably that script
# fills the ssh/login/* knowledge-base keys required below (confirm).
script_dependencies("gather-package-list.nasl");
# Required knowledge-base keys: a Debian SSH login, a collected package list and
# a release matching DEB9 or DEB10. As the key names indicate, a scan without
# working SSH credentials, or a host on another Debian release, yields no result
# from this script, so a missing finding is not evidence of a patched host.
script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB(9|10)");
# Upstream advisory and tracker entries for DSA-4692-1.
script_xref(name:"URL", value:"https://www.debian.org/security/2020/dsa-4692.html");
script_xref(name:"URL", value:"https://security-tracker.debian.org/tracker/DSA-4692-1");
script_tag(name:"summary", value:"The remote host is missing an update for the 'netqmail'
package(s) announced via the DSA-4692-1 advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
script_tag(name:"insight", value:"Georgi Guninski and the Qualys Research Labs discovered multiple
vulnerabilities in qmail (shipped in Debian as netqmail with additional
patches) which could result in the execution of arbitrary code, bypass
of mail address verification and a local information leak whether a file
exists or not.");
# 'netqmail' is the name the advisory uses; the check section of this script
# queries the packages 'qmail' and 'qmail-uids-gids'.
script_tag(name:"affected", value:"'netqmail' package(s) on Debian Linux.");
script_tag(name:"solution", value:"For the oldstable distribution (stretch), these problems have been fixed
in version 1.06-6.2~deb9u1.
For the stable distribution (buster), these problems have been fixed in
version 1.06-6.2~deb10u1.
We recommend that you upgrade your netqmail packages.");
script_tag(name:"solution_type", value:"VendorFix");
# qod_type "package": the result rests on the installed package version reported
# by the host, not on probing the running mail service.
script_tag(name:"qod_type", value:"package");
# End of registration; nothing below this block runs in description mode.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Package check for DSA-4692-1.
#
# Each isdpkgvuln() call (from pkg-lib-deb.inc) is given a package name, the
# fixed version from the advisory and a release tag. As used here, a non-null
# return value is report text that gets appended to `report`; presumably it is
# returned when the installed version is older than the fixed one (confirm
# against pkg-lib-deb.inc).
#
# The advisory speaks of 'netqmail', but the packages queried are 'qmail' and
# 'qmail-uids-gids'.
report = "";
res = "";

# Debian 9 (stretch), fixed in 1.06-6.2~deb9u1
res = isdpkgvuln(pkg:"qmail", ver:"1.06-6.2~deb9u1", rls:"DEB9");
if(!isnull(res))
  report += res;

res = isdpkgvuln(pkg:"qmail-uids-gids", ver:"1.06-6.2~deb9u1", rls:"DEB9");
if(!isnull(res))
  report += res;

# Debian 10 (buster), fixed in 1.06-6.2~deb10u1
res = isdpkgvuln(pkg:"qmail", ver:"1.06-6.2~deb10u1", rls:"DEB10");
if(!isnull(res))
  report += res;

res = isdpkgvuln(pkg:"qmail-uids-gids", ver:"1.06-6.2~deb10u1", rls:"DEB10");
if(!isnull(res))
  report += res;

# At least one call produced report text: raise the finding and stop.
if(report != "") {
  security_message(data:report);
  exit(0);
}

# NOTE(review): __pkg_match is not assigned in this file; presumably
# pkg-lib-deb.inc sets it when a queried package was found for the host's
# release. exit(99) then reports the host as checked and not affected, as
# opposed to the plain exit(0) below, which leaves no verdict.
if(__pkg_match)
  exit(99);

exit(0);
{"id": "OPENVAS:1361412562310704692", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian: Security Advisory for netqmail (DSA-4692-1)", "description": "The remote host is missing an update for the ", "published": "2020-05-25T00:00:00", "modified": "2020-05-25T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704692", "reporter": "Copyright (C) 2020 Greenbone Networks GmbH", "references": ["https://security-tracker.debian.org/tracker/DSA-4692-1", "https://www.debian.org/security/2020/dsa-4692.html"], "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "lastseen": "2020-05-27T17:51:21", "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DSA-4692-1:CFC43", "DEBIAN:DLA-2234-1:7C781"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2234.NASL", "GENTOO_GLSA-202007-01.NASL", "UBUNTU_USN-4621-1.NASL", "DEBIAN_DSA-4692.NASL", "UBUNTU_USN-4556-1.NASL"]}, {"type": "ubuntu", "idList": ["USN-4621-1", "USN-4556-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892234"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157805"]}, {"type": "cve", "idList": ["CVE-2005-1514", "CVE-2005-1513", "CVE-2020-3812", "CVE-2020-3811", "CVE-2005-1515"]}, {"type": "gentoo", "idList": ["GLSA-202007-01"]}, {"type": "freebsd", "idList": ["8DB2F8B2-9E12-11EA-9E83-0CC47AC16C9D", "B495AF21-9E10-11EA-9E83-0CC47AC16C9D", "D6540411-9E10-11EA-9E83-0CC47AC16C9D"]}, {"type": "osvdb", "idList": ["OSVDB:16343", "OSVDB:16345", "OSVDB:16344"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:937C75F71B7A9D96B94AA82B974CD3B7"]}], "modified": "2020-05-27T17:51:21", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-05-27T17:51:21", "rev": 2}, "vulnersScore": 6.3}, "pluginID": "1361412562310704692", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be 
excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704692\");\n script_version(\"2020-05-25T03:00:17+0000\");\n script_cve_id(\"CVE-2005-1513\", \"CVE-2005-1514\", \"CVE-2005-1515\", \"CVE-2020-3811\", \"CVE-2020-3812\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-25 03:00:17 +0000 (Mon, 25 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-25 03:00:17 +0000 (Mon, 25 May 2020)\");\n script_name(\"Debian: Security Advisory for netqmail (DSA-4692-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|10)\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4692.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4692-1\");\n\n 
script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'netqmail'\n package(s) announced via the DSA-4692-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Georgi Guninski and the Qualys Research Labs discovered multiple\nvulnerabilities in qmail (shipped in Debian as netqmail with additional\npatches) which could result in the execution of arbitrary code, bypass\nof mail address verification and a local information leak whether a file\nexists or not.\");\n\n script_tag(name:\"affected\", value:\"'netqmail' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 1.06-6.2~deb9u1.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 1.06-6.2~deb10u1.\n\nWe recommend that you upgrade your netqmail packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"qmail\", ver:\"1.06-6.2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qmail-uids-gids\", ver:\"1.06-6.2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qmail\", ver:\"1.06-6.2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qmail-uids-gids\", ver:\"1.06-6.2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "naslFamily": "Debian Local Security Checks"}
{"nessus": [{"lastseen": "2021-01-12T09:42:38", "description": "There were several CVE bugs reported against src:netqmail.\n\nCVE-2005-1513\n\nInteger overflow in the stralloc_readyplus function in qmail, when\nrunning on 64 bit platforms with a large amount of virtual memory,\nallows remote attackers to cause a denial of service and possibly\nexecute arbitrary code via a large SMTP request.\n\nCVE-2005-1514\n\ncommands.c in qmail, when running on 64 bit platforms with a large\namount of virtual memory, allows remote attackers to cause a denial of\nservice and possibly execute arbitrary code via a long SMTP command\nwithout a space character, which causes an array to be referenced with\na negative index.\n\nCVE-2005-1515\n\nInteger signedness error in the qmail_put and substdio_put functions\nin qmail, when running on 64 bit platforms with a large amount of\nvirtual memory, allows remote attackers to cause a denial of service\nand possibly execute arbitrary code via a large number of SMTP RCPT TO\ncommands.\n\nCVE-2020-3811\n\nqmail-verify as used in netqmail 1.06 is prone to a mail-address\nverification bypass vulnerability.\n\nCVE-2020-3812\n\nqmail-verify as used in netqmail 1.06 is prone to an information\ndisclosure vulnerability. A local attacker can test for the existence\nof files and directories anywhere in the filesystem because\nqmail-verify runs as root and tests for the existence of files in the\nattacker's home directory, without dropping its privileges first.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1.06-6.2~deb8u1.\n\nWe recommend that you upgrade your netqmail packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 6, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-06-05T00:00:00", "title": "Debian DLA-2234-1 : netqmail security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "modified": "2020-06-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:qmail-uids-gids", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:qmail"], "id": "DEBIAN_DLA-2234.NASL", "href": "https://www.tenable.com/plugins/nessus/137154", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2234-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137154);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2005-1513\", \"CVE-2005-1514\", \"CVE-2005-1515\", \"CVE-2020-3811\", \"CVE-2020-3812\");\n\n script_name(english:\"Debian DLA-2234-1 : netqmail security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"There were several CVE bugs reported against src:netqmail.\n\nCVE-2005-1513\n\nInteger overflow in the stralloc_readyplus function in qmail, when\nrunning on 64 bit platforms with a large amount of virtual memory,\nallows remote attackers to cause a denial of service and possibly\nexecute arbitrary code via a large SMTP 
request.\n\nCVE-2005-1514\n\ncommands.c in qmail, when running on 64 bit platforms with a large\namount of virtual memory, allows remote attackers to cause a denial of\nservice and possibly execute arbitrary code via a long SMTP command\nwithout a space character, which causes an array to be referenced with\na negative index.\n\nCVE-2005-1515\n\nInteger signedness error in the qmail_put and substdio_put functions\nin qmail, when running on 64 bit platforms with a large amount of\nvirtual memory, allows remote attackers to cause a denial of service\nand possibly execute arbitrary code via a large number of SMTP RCPT TO\ncommands.\n\nCVE-2020-3811\n\nqmail-verify as used in netqmail 1.06 is prone to a mail-address\nverification bypass vulnerability.\n\nCVE-2020-3812\n\nqmail-verify as used in netqmail 1.06 is prone to an information\ndisclosure vulnerability. A local attacker can test for the existence\nof files and directories anywhere in the filesystem because\nqmail-verify runs as root and tests for the existence of files in the\nattacker's home directory, without dropping its privileges first.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1.06-6.2~deb8u1.\n\nWe recommend that you upgrade your netqmail packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/netqmail\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected qmail, and qmail-uids-gids packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3811\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qmail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qmail-uids-gids\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"qmail\", reference:\"1.06-6.2~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"qmail-uids-gids\", reference:\"1.06-6.2~deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-11-25T15:14:40", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-4621-1 advisory.\n\n - Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a\n large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute\n arbitrary code via a large SMTP request. (CVE-2005-1513)\n\n - commands.c in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote\n attackers to cause a denial of service and possibly execute arbitrary code via a long SMTP command without\n a space character, which causes an array to be referenced with a negative index. 
(CVE-2005-1514)\n\n - Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit\n platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and\n possibly execute arbitrary code via a large number of SMTP RCPT TO commands. (CVE-2005-1515)\n\n - qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.\n (CVE-2020-3811)\n\n - qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local\n attacker can test for the existence of files and directories anywhere in the filesystem because qmail-\n verify runs as root and tests for the existence of files in the attacker's home directory, without\n dropping its privileges first. (CVE-2020-3812)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-11-06T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS : netqmail vulnerabilities (USN-4621-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "modified": "2020-11-06T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:qmail-uids-gids", "p-cpe:/a:canonical:ubuntu_linux:qmail"], "id": "UBUNTU_USN-4621-1.NASL", "href": "https://www.tenable.com/plugins/nessus/142500", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4621-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142500);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\n \"CVE-2005-1513\",\n \"CVE-2005-1514\",\n \"CVE-2005-1515\",\n \"CVE-2020-3811\",\n \"CVE-2020-3812\"\n );\n script_bugtraq_id(89980, 89993, 90000);\n script_xref(name:\"USN\", value:\"4621-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS : netqmail vulnerabilities (USN-4621-1)\");\n script_summary(english:\"Checks the dpkg output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-4621-1 advisory.\n\n - Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a\n large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute\n arbitrary code via a large SMTP request. (CVE-2005-1513)\n\n - commands.c in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote\n attackers to cause a denial of service and possibly execute arbitrary code via a long SMTP command without\n a space character, which causes an array to be referenced with a negative index. (CVE-2005-1514)\n\n - Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit\n platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and\n possibly execute arbitrary code via a large number of SMTP RCPT TO commands. 
(CVE-2005-1515)\n\n - qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.\n (CVE-2020-3811)\n\n - qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local\n attacker can test for the existence of files and directories anywhere in the filesystem because qmail-\n verify runs as root and tests for the existence of files in the attacker's home directory, without\n dropping its privileges first. (CVE-2020-3812)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4621-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qmail and / or qmail-uids-gids packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3811\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qmail\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qmail-uids-gids\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'qmail', 'pkgver': '1.06-6.2~deb10u1build0.16.04.1'},\n {'osver': '16.04', 'pkgname': 'qmail-uids-gids', 'pkgver': '1.06-6.2~deb10u1build0.16.04.1'},\n {'osver': '18.04', 'pkgname': 'qmail', 'pkgver': '1.06-6.2~deb10u1build0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'qmail-uids-gids', 'pkgver': '1.06-6.2~deb10u1build0.18.04.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) 
{\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qmail / qmail-uids-gids');\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-06-06T09:24:59", "description": "Georgi Guninski and the Qualys Research Labs discovered multiple\nvulnerabilities in qmail (shipped in Debian as netqmail with\nadditional patches) which could result in the execution of arbitrary\ncode, bypass of mail address verification and a local information leak\nwhether a file exists or not.", "edition": 3, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-05-26T00:00:00", "title": "Debian DSA-4692-1 : netqmail - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "modified": "2020-05-26T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "p-cpe:/a:debian:debian_linux:netqmail", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4692.NASL", "href": "https://www.tenable.com/plugins/nessus/136837", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4692. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136837);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/05\");\n\n script_cve_id(\"CVE-2005-1513\", \"CVE-2005-1514\", \"CVE-2005-1515\", \"CVE-2020-3811\", \"CVE-2020-3812\");\n script_xref(name:\"DSA\", value:\"4692\");\n\n script_name(english:\"Debian DSA-4692-1 : netqmail - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Georgi Guninski and the Qualys Research Labs discovered multiple\nvulnerabilities in qmail (shipped in Debian as netqmail with\nadditional patches) which could result in the execution of arbitrary\ncode, bypass of mail address verification and a local information leak\nwhether a file exists or not.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/netqmail\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/netqmail\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/netqmail\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4692\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the netqmail packages.\n\nFor the oldstable distribution (stretch), these problems have been\nfixed in version 1.06-6.2~deb9u1.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 1.06-6.2~deb10u1.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3811\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:netqmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"qmail\", reference:\"1.06-6.2~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"qmail-uids-gids\", reference:\"1.06-6.2~deb10u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qmail\", reference:\"1.06-6.2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qmail-uids-gids\", reference:\"1.06-6.2~deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-11-25T15:14:34", "description": "The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-4556-1 advisory.\n\n - Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a\n large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute\n arbitrary code via a large SMTP request. (CVE-2005-1513)\n\n - commands.c in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote\n attackers to cause a denial of service and possibly execute arbitrary code via a long SMTP command without\n a space character, which causes an array to be referenced with a negative index. 
(CVE-2005-1514)\n\n - Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit\n platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and\n possibly execute arbitrary code via a large number of SMTP RCPT TO commands. (CVE-2005-1515)\n\n - qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.\n (CVE-2020-3811)\n\n - qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local\n attacker can test for the existence of files and directories anywhere in the filesystem because qmail-\n verify runs as root and tests for the existence of files in the attacker's home directory, without\n dropping its privileges first. (CVE-2020-3812)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-09-30T00:00:00", "title": "Ubuntu 20.04 LTS : netqmail vulnerabilities (USN-4556-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "modified": "2020-09-30T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:qmail-uids-gids", "p-cpe:/a:canonical:ubuntu_linux:qmail"], "id": "UBUNTU_USN-4556-1.NASL", "href": "https://www.tenable.com/plugins/nessus/141054", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4556-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141054);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\n \"CVE-2005-1513\",\n \"CVE-2005-1514\",\n \"CVE-2005-1515\",\n \"CVE-2020-3811\",\n \"CVE-2020-3812\"\n );\n script_bugtraq_id(89980, 89993, 90000);\n script_xref(name:\"USN\", value:\"4556-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS : netqmail vulnerabilities (USN-4556-1)\");\n script_summary(english:\"Checks the dpkg output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-4556-1 advisory.\n\n - Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a\n large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute\n arbitrary code via a large SMTP request. (CVE-2005-1513)\n\n - commands.c in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote\n attackers to cause a denial of service and possibly execute arbitrary code via a long SMTP command without\n a space character, which causes an array to be referenced with a negative index. (CVE-2005-1514)\n\n - Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit\n platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and\n possibly execute arbitrary code via a large number of SMTP RCPT TO commands. 
(CVE-2005-1515)\n\n - qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.\n (CVE-2020-3811)\n\n - qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local\n attacker can test for the existence of files and directories anywhere in the filesystem because qmail-\n verify runs as root and tests for the existence of files in the attacker's home directory, without\n dropping its privileges first. (CVE-2020-3812)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4556-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qmail and / or qmail-uids-gids packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3811\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qmail\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:qmail-uids-gids\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '20.04', 'pkgname': 'qmail', 'pkgver': '1.06-6.2~deb10u1build0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'qmail-uids-gids', 'pkgver': '1.06-6.2~deb10u1build0.20.04.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = 
ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qmail / qmail-uids-gids');\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-09-25T07:03:06", "description": "The remote host is affected by the vulnerability described in GLSA-202007-01\n(netqmail: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in netqmail. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n In the default configuration, these vulnerabilities are only local.\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 4, "cvss3": {}, "published": "2020-07-27T00:00:00", "title": "GLSA-202007-01 : netqmail: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515"], "modified": "2020-07-27T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:netqmail"], "id": "GENTOO_GLSA-202007-01.NASL", "href": "https://www.tenable.com/plugins/nessus/138924", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202007-01.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138924);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2005-1513\", \"CVE-2005-1514\", \"CVE-2005-1515\");\n script_xref(name:\"GLSA\", value:\"202007-01\");\n\n script_name(english:\"GLSA-202007-01 : netqmail: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202007-01\n(netqmail: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in netqmail. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n In the default configuration, these vulnerabilities are only local.\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202007-01\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All netqmail users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/netqmail-1.06-r13'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2005-1515\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:netqmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/netqmail\", unaffected:make_list(\"ge 1.06-r13\"), vulnerable:make_list(\"lt 1.06-r13\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"netqmail\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntu": [{"lastseen": "2020-11-06T05:33:44", "bulletinFamily": "unix", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "description": "It was discovered that netqmail did not properly handle 
certain input. Both \nremote and local attackers could use this vulnerability to cause netqmail \nto crash or execute arbitrary code. (CVE-2005-1513, CVE-2005-1514, \nCVE-2005-1515)\n\nIt was discovered that netqmail did not properly handle certain input when \nvalidating email addresses. An attacker could use this to bypass email \naddress validation. (CVE-2020-3811)\n\nIt was discovered that netqmail did not properly handle certain input when \nvalidating email addresses. An attacker could use this vulnerability to \ncause netqmail to disclose sensitive information. (CVE-2020-3812)", "edition": 1, "modified": "2020-11-05T00:00:00", "published": "2020-11-05T00:00:00", "id": "USN-4621-1", "href": "https://ubuntu.com/security/notices/USN-4621-1", "title": "netqmail vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-29T18:59:41", "bulletinFamily": "unix", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "description": "It was discovered that netqmail did not properly handle certain input. Both \nremote and local attackers could use this vulnerability to cause netqmail \nto crash or execute arbitrary code. (CVE-2005-1513, CVE-2005-1514, \nCVE-2005-1515)\n\nIt was discovered that netqmail did not properly handle certain input when \nvalidating email addresses. An attacker could use this to bypass email \naddress validation. (CVE-2020-3811)\n\nIt was discovered that netqmail did not properly handle certain input when \nvalidating email addresses. An attacker could use this vulnerability to \ncause netqmail to disclose sensitive information. 
(CVE-2020-3812)", "edition": 1, "modified": "2020-09-29T00:00:00", "published": "2020-09-29T00:00:00", "id": "USN-4556-1", "href": "https://ubuntu.com/security/notices/USN-4556-1", "title": "netqmail vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2020-12-04T01:26:18", "bulletinFamily": "unix", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "description": "Package : netqmail\nVersion : 1.06-6.2~deb8u1\nCVE ID : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811\n CVE-2020-3812\nDebian Bug : 961060\n\n\nThere were several CVE bugs reported against src:netqmail.\n\nCVE-2005-1513\n\n Integer overflow in the stralloc_readyplus function in qmail,\n when running on 64 bit platforms with a large amount of virtual\n memory, allows remote attackers to cause a denial of service\n and possibly execute arbitrary code via a large SMTP request.\n\nCVE-2005-1514\n\n commands.c in qmail, when running on 64 bit platforms with a\n large amount of virtual memory, allows remote attackers to\n cause a denial of service and possibly execute arbitrary code\n via a long SMTP command without a space character, which causes\n an array to be referenced with a negative index.\n\nCVE-2005-1515\n\n Integer signedness error in the qmail_put and substdio_put\n functions in qmail, when running on 64 bit platforms with a\n large amount of virtual memory, allows remote attackers to\n cause a denial of service and possibly execute arbitrary code\n via a large number of SMTP RCPT TO commands.\n\nCVE-2020-3811\n\n qmail-verify as used in netqmail 1.06 is prone to a\n mail-address verification bypass vulnerability.\n\nCVE-2020-3812\n\n qmail-verify as used in netqmail 1.06 is prone to an\n information disclosure vulnerability. 
A local attacker can\n test for the existence of files and directories anywhere in\n the filesystem because qmail-verify runs as root and tests\n for the existence of files in the attacker's home directory,\n without dropping its privileges first.\n\nFor Debian 8 \"Jessie\", these problems have been fixed in version\n1.06-6.2~deb8u1.\n\nWe recommend that you upgrade your netqmail packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n\nBest,\nUtkarsh\n", "edition": 7, "modified": "2020-06-04T16:24:35", "published": "2020-06-04T16:24:35", "id": "DEBIAN:DLA-2234-1:7C781", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202006/msg00002.html", "title": "[SECURITY] [DLA 2234-1] netqmail security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T13:18:26", "bulletinFamily": "unix", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4692-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 24, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : netqmail\nCVE ID : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811\n CVE-2020-3812\nDebian Bug : 961060\n\nGeorgi Guninski and the Qualys Research Labs discovered multiple\nvulnerabilities in qmail (shipped in Debian as netqmail with additional\npatches) which could result in the execution of arbitrary code, bypass\nof mail address verification and a local information leak whether a file\nexists or not.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 1.06-6.2~deb9u1.\n\nFor the 
stable distribution (buster), these problems have been fixed in\nversion 1.06-6.2~deb10u1.\n\nWe recommend that you upgrade your netqmail packages.\n\nFor the detailed security status of netqmail please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/netqmail\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 13, "modified": "2020-05-24T07:05:11", "published": "2020-05-24T07:05:11", "id": "DEBIAN:DSA-4692-1:CFC43", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00096.html", "title": "[SECURITY] [DSA 4692-1] netqmail security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2020-05-26T01:49:32", "description": "", "published": "2020-05-21T00:00:00", "type": "packetstorm", "title": "Qualys Security Advisory - Qmail Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "modified": "2020-05-21T00:00:00", "id": "PACKETSTORM:157805", "href": "https://packetstormsecurity.com/files/157805/Qualys-Security-Advisory-Qmail-Remote-Code-Execution.html", "sourceData": "` \nQualys Security Advisory \n \n15 years later: Remote Code Execution in qmail (CVE-2005-1513) \n \n \n======================================================================== \nContents \n======================================================================== \n \nSummary \nAnalysis \nExploitation \nqmail-verify \n- CVE-2020-3811 \n- CVE-2020-3812 \nMitigations \nAcknowledgments \nPatches \n \n \n======================================================================== \nSummary \n======================================================================== \n \nTLDR: 
In 2005, three vulnerabilities were discovered in qmail but were \nnever fixed because they were believed to be unexploitable in a default \ninstallation. We recently re-discovered these vulnerabilities and were \nable to exploit one of them remotely in a default installation. \n \n------------------------------------------------------------------------ \n \nIn May 2005, Georgi Guninski published \"64 bit qmail fun\", three \nvulnerabilities in qmail (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515): \n \nhttp://www.guninski.com/where_do_you_want_billg_to_go_today_4.html \n \nSurprisingly, we re-discovered these vulnerabilities during a recent \nqmail audit; they have never been fixed because, as stated by qmail's \nauthor Daniel J. Bernstein (in https://cr.yp.to/qmail/guarantee.html): \n \n\"This claim is denied. Nobody gives gigabytes of memory to each \nqmail-smtpd process, so there is no problem with qmail's assumption \nthat allocated array lengths fit comfortably into 32 bits.\" \n \nIndeed, the memory consumption of each qmail-smtpd process is severely \nlimited by default (by qmail-smtpd's startup script); for example, on \nDebian 10 (the latest stable release), it is limited to roughly 7MB. \n \nUnfortunately, we discovered that these vulnerabilities also affect \nqmail-local, which is reachable remotely and is not memory-limited by \ndefault (we investigated many qmail packages, and *all* of them limit \nqmail-smtpd's memory, but *none* of them limits qmail-local's memory). \n \nAs a proof of concept, we developed a reliable, local and remote exploit \nagainst Debian's qmail package in its default configuration. This proof \nof concept requires 4GB of disk space and 8GB of memory, and allows an \nattacker to execute arbitrary shell commands as any user, except root \n(and a few system users who do not own their home directory). We will \npublish our proof-of-concept exploit in the near future. \n \nAbout our new discovery, Daniel J. 
Bernstein issues the following \nstatement: \n \n\"https://cr.yp.to/qmail/guarantee.html has for many years mentioned \nqmail's assumption that allocated array lengths fit comfortably into \n32 bits. I run each qmail service under softlimit -m12345678, and I \nrecommend the same for other installations.\" \n \nFinally, we also discovered two minor vulnerabilities in qmail-verify (a \nthird-party qmail patch that is included in, for example, Debian's qmail \npackage): CVE-2020-3811 (a mail-address verification bypass), and \nCVE-2020-3812 (a local information disclosure). \n \n \n======================================================================== \nAnalysis \n======================================================================== \n \nWe decided to exploit Georgi Guninski's vulnerability \"1. integer \noverflow in stralloc_readyplus\" (CVE-2005-1513). There are, in fact, \nfour potential integer overflows in stralloc_readyplus; three in the \nGEN_ALLOC_readyplus() macro (which generates the stralloc_readyplus() \nfunction), at line 21 (n += x->len), line 23 (x->a = base + n + ...), \nand line 24 (x->a * sizeof(type)): \n \n------------------------------------------------------------------------ \n17 #define GEN_ALLOC_readyplus(ta,type,field,len,a,i,n,x,base,ta_rplus) \\ \n18 int ta_rplus(x,n) register ta *x; register unsigned int n; \\ \n19 { register unsigned int i; \\ \n20 if (x->field) { \\ \n21 i = x->a; n += x->len; \\ \n22 if (n > i) { \\ \n23 x->a = base + n + (n >> 3); \\ \n24 if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \\ \n25 x->a = i; return 0; } \\ \n26 return 1; } \\ \n27 x->len = 0; \\ \n28 return !!(x->field = (type *) alloc((x->a = n) * sizeof(type))); } \n------------------------------------------------------------------------ \n \nand, in theory, one integer overflow in the alloc() function itself \n(which is called by the alloc_re() function), at line 18: \n 
\n------------------------------------------------------------------------ \n14 /*@null@*//*@out@*/char *alloc(n) \n15 unsigned int n; \n16 { \n17 char *x; \n18 n = ALIGNMENT + n - (n & (ALIGNMENT - 1)); /* XXX: could overflow */ \n.. \n20 x = malloc(n); \n.. \n22 return x; \n23 } \n------------------------------------------------------------------------ \n \nIn practice, the integer overflows at line 21 (in GEN_ALLOC_readyplus()) \nand line 18 (in alloc()) are very hard to trigger; and the one at line \n24 (in GEN_ALLOC_readyplus()) is irrelevant to stralloc_readyplus's case \n(because type is char and sizeof(type) is therefore 1). \n \nOn the other hand, the integer overflow at line 23 (in \nGEN_ALLOC_readyplus()) is easy to trigger, because the size x->a of the \nbuffer is increased by one eighth every time it is re-allocated: we send \na very large mail message that contains a very long header line (nearly \n4GB), and this line triggers stralloc_readyplus's integer overflow while \nin the getln() function, which is called by the bouncexf() function, at \nthe beginning of the qmail-local program. qmail-local is responsible for \nthe local delivery of mail messages, and runs with the privileges of the \nlocal recipient (or qmail's \"alias\" user, if the local recipient is \n\"root\", for example). 
\n \nAfter the size of the buffer is overflowed (at line 23), the alloc_re() \nfunction is called (at line 24), but with n < m, where n is the size of \nthe new buffer y, and m is the size of the old buffer x: \n \n------------------------------------------------------------------------ \n4 int alloc_re(x,m,n) \n5 char **x; \n6 unsigned int m; \n7 unsigned int n; \n8 { \n9 char *y; \n10 \n11 y = alloc(n); \n12 if (!y) return 0; \n13 byte_copy(y,m,*x); \n14 alloc_free(*x); \n15 *x = y; \n16 return 1; \n17 } \n------------------------------------------------------------------------ \n \nIn other words, we transformed stralloc_readyplus's integer overflow \ninto an mmap-based buffer overflow at line 13 (byte_copy() is qmail's \nversion of memcpy()): m is nearly 4GB (the length of our very long \nheader line), but n is roughly 512MB (one eighth of m). \n \n \n======================================================================== \nExploitation \n======================================================================== \n \nTo survive this large buffer overflow, we carefully choose the number \nand lengths of the very first lines in our mail message (they crucially \ninfluence the sequence of buffer re-allocations that eventually lead to \nthe integer and buffer overflows), and obtain the following mmap layout: \n \n-------|-------|-------------------------------------------------|------ \nXXXXXXX| y | x | libc \n-------|-------|-------------------------------------------------|------ \n| 512MB | 4GB | \n \nConsequently, we safely overflow the new buffer y, and overwrite the \nmalloc header of the old buffer x, with the contents of our very long \nheader line. To exploit this malloc-header corruption when free(x) is \ncalled (at line 14), we devised an unusual method that bypasses NX and \nASLR, but does not work against a full-RELRO binary (but the qmail-local \nbinary on Debian 10 is partial-RELRO only). 
This does not mean, however, \nthat a full-RELRO binary is not exploitable: other methods may exist, \nthe only limit to malloc exploitation is the imagination. \n \nFirst, we overwrite the prev_size and size fields of x's malloc header, \nwe set its IS_MMAPPED bit to 1, and therefore enter the munmap_chunk() \nfunction in __libc_free() (where p is a pointer to x's malloc header): \n \n------------------------------------------------------------------------ \n2810 static void \n2811 munmap_chunk (mchunkptr p) \n2812 { \n2813 INTERNAL_SIZE_T size = chunksize (p); \n.... \n2822 uintptr_t block = (uintptr_t) p - prev_size (p); \n2823 size_t total_size = prev_size (p) + size; \n.... \n2838 __munmap ((char *) block, total_size); \n2839 } \n------------------------------------------------------------------------ \n \nBecause we completely control the size field (at line 2813) and the \nprev_size field (at lines 2822 and 2823), we completely control the \nblock address (relative to p, and hence x) and the total_size of the \n__munmap() call (at line 2838). In other words, we can munmap() an \narbitrary mmap region, without knowing the ASLR; we munmap() roughly \n576MB at the end of x, including the first few pages of the libc: \n \n-------|-------|-----------------------------------------|-------+-|---- \nXXXXXXX| y | x |XXXXXXXXX|ibc \n-------|-------|-----------------------------------------|-------+-|---- \n \nThe first pages of the libc do not actually contain executable code: \nthey contain the ELF .dynsym section, which associates a symbol (for \nexample, the \"open\" function) with the address of this symbol (relative \nto the start of the libc). \n \nNext, we end our very long header line (with a '\\n' character), and \nstart a new header line of nearly 576MB. 
This new header line is first \nwritten to the buffer y, but when y is full, stralloc_readyplus() \nallocates a new buffer t of roughly 576MB (the size of y plus one \neighth), the exact size of the mmap region that we previously \nmunmap()ed: \n \n-------|-------|-----------------------------------------|-------+-|---- \nXXXXXXX| y | x | t |ibc \n-------|-------|-----------------------------------------|-------+-|---- \n \nConsequently, we completely control the first pages of the libc (they \ncontain the end of our new header line): we control the .dynsym section, \nand we replace the address of the \"open\" function with the address of \nthe \"system\" function. This method works because Debian's qmail-local \nbinary is partial-RELRO only, and because the open() function has not \nbeen called yet, and has therefore not been resolved yet. \n \nLast, we end our new header line, and when qmail-local returns from \nbouncexf() and calls qmesearch() to open() the \".qmail-extension\" file, \nsystem(\".qmail-extension\") is called instead. Because we control this \n\"extension\" (it is an extension of the local recipient's mail address, \nfor example localuser-extension@localdomain), we can execute arbitrary \nshell commands as any user (except root, and a few system users who do \nnot own their home directory), by sending our large mail message to \n\"localuser-;command;@localdomain\". \n \nLast-minute note: the exploitation of glibc's free() to munmap() \narbitrary memory regions has been discussed before, in \nhttp://tukan.farm/2016/07/27/munmap-madness/. 
\n \n \n======================================================================== \nqmail-verify \n======================================================================== \n \n------------------------------------------------------------------------ \nCVE-2020-3811 \n------------------------------------------------------------------------ \n \nAlthough the original qmail-smtpd does accept our recipient address \n\"localuser-;command;@localdomain\", Debian's qmail-smtpd should not, \nbecause it validates the recipient address with an external program \nqmail-verify (which should reject our recipient address, because the \nfile \"~localuser/.qmail-;command;\" does not exist). Unfortunately, \nqmail-verify does reject \"localuser-;command;@localdomain\", but it \naccepts the unqualified \"localuser-;command;\" (without the \n@localdomain), because: \n \n- it never calls the control_init() function; \n \n- it therefore initializes its default domain to the hard-coded string \n\"envnoathost\"; \n \n- and accepts any unqualified mail address as valid by default (because \nits default domain \"envnoathost\" is not one of qmail's local domains, \nand is therefore unverifiable). \n \n------------------------------------------------------------------------ \nCVE-2020-3812 \n------------------------------------------------------------------------ \n \nWe also discovered a minor information disclosure in qmail-verify: \na local attacker can test for the existence of files and directories \nanywhere in the filesystem (even in inaccessible directories), because \nqmail-verify runs as root and tests for the existence of files in the \nattacker's home directory, without dropping its privileges first. 
For \nexample (qmail-verify listens on 127.0.0.1:11113 by default): \n \n------------------------------------------------------------------------ \n$ ls -l /root/.bashrc \nls: cannot access '/root/.bashrc': Permission denied \n \n$ rm -f ~john/.qmail-test \n$ ln -s /root/.bashrc ~john/.qmail-test \n \n$ echo -n 'john-test@localdomain' | nc -w 2 -u 127.0.0.1 11113 | hexdump -C \n00000000 a0 6a 6f 68 6e 2d 74 65 73 74 |.john-test| \n------------------------------------------------------------------------ \n \nThe least significant bit of this response's first byte (a0) is 0: the \nfile \"/root/.bashrc\" exists. \n \n------------------------------------------------------------------------ \n$ ls -l /root/.abcdef \nls: cannot access '/root/.abcdef': Permission denied \n \n$ rm -f ~john/.qmail-test \n$ ln -s /root/.abcdef ~john/.qmail-test \n \n$ echo -n 'john-test@localdomain' | nc -w 2 -u 127.0.0.1 11113 | hexdump -C \n00000000 e1 6a 6f 68 6e 2d 74 65 73 74 |.john-test| \n------------------------------------------------------------------------ \n \nThe least significant bit of this response's first byte (e1) is 1: the \nfile \"/root/.abcdef\" does not exist. \n \n \n======================================================================== \nMitigations \n======================================================================== \n \nAs recommended by Daniel J. Bernstein, qmail can be protected against \nall three 2005 CVEs by placing a low, configurable memory limit (a \n\"softlimit\") in the startup scripts of all qmail services. \n \nAlternatively: \n \nqmail can be protected against the RCE (Remote Code Execution) by \nconfiguring the file \"control/databytes\", which contains the maximum \nsize of a mail message (this file does not exist by default, and qmail \nis therefore remotely exploitable in its default configuration). 
\n \nUnfortunately, this does not protect qmail against the LPE (Local \nPrivilege Escalation), because the file \"control/databytes\" is used \nexclusively by qmail-smtpd. \n \n \n======================================================================== \nAcknowledgments \n======================================================================== \n \nWe thank Andrew Richards, Alexander Peslyak, the members of \ndistros@openwall, and the developers of notqmail for their hard work on \nthis coordinated release. We also thank Daniel J. Bernstein, and Georgi \nGuninski. Finally, we thank Julien Barthelemy, Stephane Bellenger, and \nJean-Paul Michel for their inspiring work. \n \n \n======================================================================== \nPatches \n======================================================================== \n \nWe wrote a simple patch for Debian's qmail package (below) that fixes \nCVE-2020-3811 and CVE-2020-3812 in qmail-verify, and fixes all three \n2005 CVEs in qmail (by hard-coding a safe, upper memory limit in the \nalloc() function). \n \nAlternatively: \n \n- an updated version of qmail-verify will be available at \nhttps://free.acrconsulting.co.uk/email/qmail-verify.html after the \nCoordinated Release Date; \n \n- the developers of notqmail (https://notqmail.org/) have written their \nown patches for the three 2005 CVEs and have started to systematically \nfix all integer overflows and signedness errors in qmail. 
\n \n------------------------------------------------------------------------ \n \ndiff -r -u netqmail_1.06-6/alloc.c netqmail_1.06-6+patches/alloc.c \n--- netqmail_1.06-6/alloc.c 1998-06-15 03:53:16.000000000 -0700 \n+++ netqmail_1.06-6+patches/alloc.c 2020-05-04 16:43:32.923310325 -0700 \n@@ -1,3 +1,4 @@ \n+#include <limits.h> \n#include \"alloc.h\" \n#include \"error.h\" \nextern char *malloc(); \n@@ -15,6 +16,10 @@ \nunsigned int n; \n{ \nchar *x; \n+ if (n >= (INT_MAX >> 3)) { \n+ errno = error_nomem; \n+ return 0; \n+ } \nn = ALIGNMENT + n - (n & (ALIGNMENT - 1)); /* XXX: could overflow */ \nif (n <= avail) { avail -= n; return space + avail; } \nx = malloc(n); \ndiff -r -u netqmail_1.06-6/qmail-verify.c netqmail_1.06-6+patches/qmail-verify.c \n--- netqmail_1.06-6/qmail-verify.c 2020-05-02 09:02:51.954415101 -0700 \n+++ netqmail_1.06-6+patches/qmail-verify.c 2020-05-08 04:47:27.555539058 -0700 \n@@ -16,6 +16,8 @@ \n#include <sys/types.h> \n#include <sys/stat.h> \n#include <unistd.h> \n+#include <limits.h> \n+#include <grp.h> \n#include <pwd.h> \n#include <sys/socket.h> \n#include <netinet/in.h> \n@@ -38,6 +40,7 @@ \n#include \"ip.h\" \n#include \"qmail-verify.h\" \n#include \"errbits.h\" \n+#include \"scan.h\" \n \n#define enew() { eout(\"qmail-verify: \"); } \n#define GETPW_USERLEN 32 \n@@ -71,6 +74,7 @@ \nvoid die_comms() { enew(); eout(\"Misc. 
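Review bot: The context line right after the new guard in the alloc.c `@@ -15,6 +16,10 @@` hunk still says `/* XXX: could overflow */`, but once `n < (INT_MAX >> 3)` is enforced the `ALIGNMENT + n` rounding can no longer wrap (assuming ALIGNMENT is a small constant; its definition is outside the hunk), so the remark now misleads the next reader. The guard itself has no comment saying that it is a deliberate hard cap on a single allocation rather than a real out-of-memory condition, and callers only ever see `error_nomem`. I would add `/* hard cap on one allocation (about 256MB with a 32-bit int) so size arithmetic cannot wrap; see CVE-2005-1513, -1514, -1515 */` above the `if` and drop the XXX remark. alloc()'s signature and the rest of its body lie outside the hunk.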
comms problem: exiting.\\n\"); eflush(); _exit(1); } \nvoid die_inuse() { enew(); eout(\"Port already in use: exiting.\\n\"); eflush(); _exit(1); } \nvoid die_socket() { enew(); eout(\"Error setting up socket: exiting.\\n\"); eflush(); _exit(1); } \n+void die_privs() { enew(); eout(\"Unable to drop/restore privileges: exiting.\\n\"); eflush(); _exit(1); } \n \nchar *posstr(buf,status) \nchar *buf; int status; \n@@ -207,10 +211,47 @@ \nreturn 0; \n} \n \n+static int stat_as(uid, gid, path, sbuf) \n+const uid_t uid; \n+const gid_t gid; \n+const char * const path; \n+struct stat * const sbuf; \n+{ \n+ static gid_t groups[NGROUPS_MAX + 1]; \n+ int ngroups = 0; \n+ const gid_t saved_egid = getegid(); \n+ const uid_t saved_euid = geteuid(); \n+ int ret = -1; \n+ \n+ if (saved_euid == 0) { \n+ ngroups = getgroups(sizeof(groups) / sizeof(groups[0]), groups); \n+ if (ngroups < 0 || \n+ setgroups(1, &gid) != 0 || \n+ setegid(gid) != 0 || \n+ seteuid(uid) != 0) { \n+ die_privs(); \n+ } \n+ } \n+ \n+ ret = stat(path, sbuf); \n+ \n+ if (saved_euid == 0) { \n+ if (seteuid(saved_euid) != 0 || \n+ setegid(saved_egid) != 0 || \n+ setgroups(ngroups, groups) != 0) { \n+ die_privs(); \n+ } \n+ } \n+ \n+ return ret; \n+} \n+ \nint verifyaddr(addr) \nchar *addr; \n{ \nchar *homedir; \n+ uid_t uid = -1; \n+ gid_t gid = -1; \n/* static since they get re-used on each call to verifyaddr(). Note \nthat they don't need resetting since initial use is always with \nstralloc_copys() except wildchars (reset with ...len=0 below). 
*/ \n@@ -303,6 +344,7 @@ \nif (r == 1) \n{ \nchar *x; \n+ unsigned long u; \nif (!stralloc_ready(&nughde,(unsigned int) dlen)) die_nomem(); \nnughde.len = dlen; \nif (cdb_bread(fd,nughde.s,nughde.len) == -1) die_cdb(); \n@@ -318,10 +360,14 @@ \nif (x == nughde.s + nughde.len) return allowaddr(addr,ADDR_OK|QVPOS3); \n++x; \n/* skip uid */ \n+ scan_ulong(x,&u); \n+ uid = u; \nx += byte_chr(x,nughde.s + nughde.len - x,'\\0'); \nif (x == nughde.s + nughde.len) return allowaddr(addr,ADDR_OK|QVPOS4); \n++x; \n/* skip gid */ \n+ scan_ulong(x,&u); \n+ gid = u; \nx += byte_chr(x,nughde.s + nughde.len - x,'\\0'); \nif (x == nughde.s + nughde.len) return allowaddr(addr,ADDR_OK|QVPOS5); \n++x; \n@@ -360,6 +406,8 @@ \nif (!stralloc_copys(&nughde,pw->pw_dir)) die_nomem(); \nif (!stralloc_0(&nughde)) die_nomem(); \nhomedir=nughde.s; \n+ uid = pw->pw_uid; \n+ gid = pw->pw_gid; \n \ngot_nughde: \n \n@@ -380,7 +428,7 @@ \nif (!stralloc_cat(&qme,&safeext)) die_nomem(); \nif (!stralloc_0(&qme)) die_nomem(); \n/* e.g. homedir/.qmail-localpart */ \n- if (stat(qme.s,&st) == 0) return allowaddr(addr,ADDR_OK|QVPOS10); \n+ if (stat_as(uid,gid,qme.s,&st) == 0) return allowaddr(addr,ADDR_OK|QVPOS10); \nif (errno != error_noent) { \nreturn stat_error(qme.s,errno, STATERR|QVPOS11); /* Maybe not running as root so access denied */ \n} \n@@ -394,7 +442,7 @@ \nif (!stralloc_cats(&qme,\"default\")) die_nomem(); \nif (!stralloc_0(&qme)) die_nomem(); \n/* e.g. 
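Review bot: Both `scan_ulong(x,&u)` calls in the `@@ -318,10 +360,14 @@` hunk discard the return value, so a uid or gid field that does not start with a digit goes unnoticed. If scan_ulong stores 0 in that case (its definition is not in this diff, so confirm), `uid` becomes 0 and the `stat_as(uid,gid,...)` calls in the -380 and -394 hunks perform the stat with root's effective uid, which is the exposure CVE-2020-3812 describes. Each parse also runs before the `x == nughde.s + nughde.len` check that follows it, so it may read a byte past the record when the previous NUL is the last byte, and `uid = u` narrows an unsigned long without a range check. I would fail closed on a bad field, for example `if (!scan_ulong(x,&u)) die_cdb();` before each assignment, and update the `/* skip uid */` and `/* skip gid */` comments, which no longer describe what the code does. verifyaddr() begins and ends outside this hunk.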
homedir/.qmail-[xxx-]default */ \n- if (stat(qme.s,&st) == 0) { \n+ if (stat_as(uid,gid,qme.s,&st) == 0) { \n/* if it's ~alias/.qmail-default, optionally check aliases.cdb */ \nif (!i && (quser == auto_usera)) { \nchar *s; \n@@ -423,6 +471,7 @@ \nchar *s; \n \nif (chdir(auto_qmail) == -1) die_control(); \n+ if (control_init() == -1) die_control(); \n \nif (control_rldef(&envnoathost,\"control/envnoathost\",1,\"envnoathost\") != 1) \ndie_control(); \n \n \n \n[https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner> \n \n \n \nThis message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (\u201cspam\u201d). If you have any concerns about this process, please contact us. 
\n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157805/QSA-qmail.txt"}], "openvas": [{"lastseen": "2020-06-09T17:55:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-3811", "CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515", "CVE-2020-3812"], "description": "The remote host is missing an update for the ", "modified": "2020-06-05T00:00:00", "published": "2020-06-05T00:00:00", "id": "OPENVAS:1361412562310892234", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892234", "type": "openvas", "title": "Debian LTS: Security Advisory for netqmail (DLA-2234-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892234\");\n script_version(\"2020-06-05T10:36:02+0000\");\n script_cve_id(\"CVE-2005-1513\", \"CVE-2005-1514\", \"CVE-2005-1515\", \"CVE-2020-3811\", \"CVE-2020-3812\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-05 10:36:02 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 03:00:15 +0000 (Fri, 05 Jun 2020)\");\n script_name(\"Debian LTS: Security Advisory for netqmail (DLA-2234-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2234-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/961060\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'netqmail'\n package(s) announced via the DLA-2234-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"There were several CVE bugs reported against src:netqmail.\n\nCVE-2005-1513\n\nInteger overflow in the stralloc_readyplus function in qmail,\nwhen running on 64 bit platforms with a large amount of 
virtual\nmemory, allows remote attackers to cause a denial of service\nand possibly execute arbitrary code via a large SMTP request.\n\nCVE-2005-1514\n\ncommands.c in qmail, when running on 64 bit platforms with a\nlarge amount of virtual memory, allows remote attackers to\ncause a denial of service and possibly execute arbitrary code\nvia a long SMTP command without a space character, which causes\nan array to be referenced with a negative index.\n\nCVE-2005-1515\n\nInteger signedness error in the qmail_put and substdio_put\nfunctions in qmail, when running on 64 bit platforms with a\nlarge amount of virtual memory, allows remote attackers to\ncause a denial of service and possibly execute arbitrary code\nvia a large number of SMTP RCPT TO commands.\n\nCVE-2020-3811\n\nqmail-verify as used in netqmail 1.06 is prone to a\nmail-address verification bypass vulnerability.\n\nCVE-2020-3812\n\nqmail-verify as used in netqmail 1.06 is prone to an\ninformation disclosure vulnerability. A local attacker can\ntest for the existence of files and directories anywhere in\nthe filesystem because qmail-verify runs as root and tests\nfor the existence of files in the attacker's home directory,\nwithout dropping its privileges first.\");\n\n script_tag(name:\"affected\", value:\"'netqmail' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n1.06-6.2~deb8u1.\n\nWe recommend that you upgrade your netqmail packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"qmail\", ver:\"1.06-6.2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qmail-uids-gids\", ver:\"1.06-6.2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n 
security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2021-02-02T05:24:36", "description": "Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of SMTP RCPT TO commands.", "edition": 11, "cvss3": {}, "published": "2005-05-11T04:00:00", "title": "CVE-2005-1515", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1515"], "modified": "2020-10-05T21:15:00", "cpe": ["cpe:/a:dan_bernstein:qmail:*"], "id": "CVE-2005-1515", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1515", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:dan_bernstein:qmail:*:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:24:36", "description": "commands.c in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SMTP command without a space character, which causes an array to be referenced with a negative index.", "edition": 11, "cvss3": {}, "published": "2005-05-11T04:00:00", "title": "CVE-2005-1514", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1514"], "modified": "2020-10-05T21:15:00", "cpe": ["cpe:/a:dan_bernstein:qmail:*"], "id": "CVE-2005-1514", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1514", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:dan_bernstein:qmail:*:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:24:36", "description": "Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.", "edition": 13, "cvss3": {}, "published": "2005-05-11T04:00:00", "title": "CVE-2005-1513", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1513"], "modified": "2020-10-05T21:15:00", "cpe": ["cpe:/a:dan_bernstein:qmail:*"], "id": "CVE-2005-1513", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1513", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": 
["cpe:2.3:a:dan_bernstein:qmail:*:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:37:08", "description": "qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-05-26T13:15:00", "title": "CVE-2020-3811", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3811"], "modified": "2020-10-05T21:15:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/a:netqmail:netqmail:1.06", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-3811", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3811", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:netqmail:netqmail:1.06:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:37:08", "description": "qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. 
A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker's home directory, without dropping its privileges first.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-05-26T13:15:00", "title": "CVE-2020-3812", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3812"], "modified": "2020-10-05T21:15:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/a:netqmail:netqmail:1.06", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-3812", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3812", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:netqmail:netqmail:1.06:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}], "freebsd": [{"lastseen": "2020-05-25T21:20:16", "bulletinFamily": "unix", "cvelist": ["CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515"], "description": "\nGeorgi Guninski writes:\n\nThere are several issues with 
qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem (not counting the memory consumtion dos, which just helps).\nUpdate: the problem with the signed index is exploitable on Freebsd 5.4 amd64 wih a lot of virtual memory.\n\nThe national vulnerability database summarizes:\n\nInteger overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.\n\n", "edition": 1, "modified": "2005-05-06T00:00:00", "published": "2005-05-06T00:00:00", "id": "B495AF21-9E10-11EA-9E83-0CC47AC16C9D", "href": "https://vuxml.freebsd.org/freebsd/b495af21-9e10-11ea-9e83-0cc47ac16c9d.html", "title": "qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-25T21:20:16", "bulletinFamily": "unix", "cvelist": ["CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515"], "description": "\nGeorgi Guninski writes:\n\nThere are several issues with qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem (not counting the memory consumtion dos, which just helps).\nUpdate: the problem with the signed index is exploitable on Freebsd 5.4 amd64 wih a lot of virtual memory.\n\nThe national vulnerability database summarizes:\n\nInteger overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.\n\n", "edition": 1, "modified": "2005-05-06T00:00:00", "published": "2005-05-06T00:00:00", "id": "D6540411-9E10-11EA-9E83-0CC47AC16C9D", "href": "https://vuxml.freebsd.org/freebsd/d6540411-9e10-11ea-9e83-0cc47ac16c9d.html", "title": 
"qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-25T21:20:16", "bulletinFamily": "unix", "cvelist": ["CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515"], "description": "\nGeorgi Guninski writes:\n\nThere are several issues with qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem (not counting the memory consumtion dos, which just helps).\nUpdate: the problem with the signed index is exploitable on Freebsd 5.4 amd64 wih a lot of virtual memory.\n\nThe national vulnerability database summarizes:\n\nInteger overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.\n\n", "edition": 1, "modified": "2005-05-06T00:00:00", "published": "2005-05-06T00:00:00", "id": "8DB2F8B2-9E12-11EA-9E83-0CC47AC16C9D", "href": "https://vuxml.freebsd.org/freebsd/8db2f8b2-9e12-11ea-9e83-0cc47ac16c9d.html", "title": "qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "gentoo": [{"lastseen": "2020-07-27T01:27:34", "bulletinFamily": "unix", "cvelist": ["CVE-2005-1513", "CVE-2005-1514", "CVE-2005-1515"], "description": "### Background\n\nqmail is a secure, reliable, efficient, simple message transfer agent.\n\n### Description\n\nMultiple vulnerabilities have been discovered in netqmail. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nIn the default configuration, these vulnerabilities are only local. Please review the referenced CVE identifiers for details. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll netqmail users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/netqmail-1.06-r13\"", "edition": 1, "modified": "2020-07-26T00:00:00", "published": "2020-07-26T00:00:00", "id": "GLSA-202007-01", "href": "https://security.gentoo.org/glsa/202007-01", "title": "netqmail: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:12", "bulletinFamily": "software", "cvelist": ["CVE-2005-1515"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in qmail when running on 64 bit platforms with 4GB of virtual memory or more. The 'substdio_put()' function fails to perform proper bounds checking resulting in an integer overflow. With a specially crafted request, a remote attacker can cause the qmail process to crash resulting in a loss of availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in qmail when running on 64 bit platforms with 4GB of virtual memory or more. The 'substdio_put()' function fails to perform proper bounds checking resulting in an integer overflow. 
With a specially crafted request, a remote attacker can cause the qmail process to crash resulting in a loss of availability.\n## References:\nSecurity Tracker: 1013911\n[Secunia Advisory ID:15533](https://secuniaresearch.flexerasoftware.com/advisories/15533/)\n[Related OSVDB ID: 16344](https://vulners.com/osvdb/OSVDB:16344)\n[Related OSVDB ID: 16343](https://vulners.com/osvdb/OSVDB:16343)\nOther Advisory URL: http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0101.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0102.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0139.html\nKeyword: Georgi Guninski security advisory #74\n[CVE-2005-1515](https://vulners.com/cve/CVE-2005-1515)\nBugtraq ID: 13536\n", "modified": "2005-05-06T07:03:39", "published": "2005-05-06T07:03:39", "href": "https://vulners.com/osvdb/OSVDB:16345", "id": "OSVDB:16345", "type": "osvdb", "title": "qmail substdio_put Function Signedness Issue", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:12", "bulletinFamily": "software", "cvelist": ["CVE-2005-1513"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in qmail when running on 64 bit platforms with 8 GB virtual memory or more. The 'stralloc_readyplus()' function fails to perform proper bounds checking resulting in an integer overflow. With a specially crafted request, a remote attacker can cause the SMTP service to crash resulting in a loss of availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in qmail when running on 64 bit platforms with 8 GB virtual memory or more. 
The 'stralloc_readyplus()' function fails to perform proper bounds checking resulting in an integer overflow. With a specially crafted request, a remote attacker can cause the SMTP service to crash resulting in a loss of availability.\n## References:\nVendor URL: http://cr.yp.to/qmail.html\nSecurity Tracker: 1013911\n[Secunia Advisory ID:15533](https://secuniaresearch.flexerasoftware.com/advisories/15533/)\n[Related OSVDB ID: 16344](https://vulners.com/osvdb/OSVDB:16344)\n[Related OSVDB ID: 16345](https://vulners.com/osvdb/OSVDB:16345)\nOther Advisory URL: http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0101.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0102.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0139.html\nKeyword: Georgi Guninski security advisory #74\nISS X-Force ID: 20497\n[CVE-2005-1513](https://vulners.com/cve/CVE-2005-1513)\nBugtraq ID: 13536\n", "modified": "2005-05-06T07:03:39", "published": "2005-05-06T07:03:39", "href": "https://vulners.com/osvdb/OSVDB:16343", "id": "OSVDB:16343", "type": "osvdb", "title": "qmail stralloc_readyplus Function Remote Overflow", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:12", "bulletinFamily": "software", "cvelist": ["CVE-2005-1514"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in qmail when running on 64 bit platforms with 8GB of virtual memory or more. The 'commands()' function fails to perform proper bounds checking resulting in an integer overflow. 
With a specially crafted request, a remote attacker can cause the process to crash resulting in a loss of availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in qmail when running on 64 bit platforms with 8GB of virtual memory or more. The 'commands()' function fails to perform proper bounds checking resulting in an integer overflow. With a specially crafted request, a remote attacker can cause the process to crash resulting in a loss of availability.\n## References:\nSecurity Tracker: 1013911\n[Secunia Advisory ID:15533](https://secuniaresearch.flexerasoftware.com/advisories/15533/)\n[Related OSVDB ID: 16343](https://vulners.com/osvdb/OSVDB:16343)\n[Related OSVDB ID: 16345](https://vulners.com/osvdb/OSVDB:16345)\nOther Advisory URL: http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0126.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0101.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0102.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0139.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0349.html\nMail List Post: http://www.gossamer-threads.com/lists/qmail/users/125004?do=post_view_threaded\nKeyword: Georgi Guninski security advisory #74\n[CVE-2005-1514](https://vulners.com/cve/CVE-2005-1514)\n", "modified": "2005-05-06T07:03:39", "published": "2005-05-06T07:03:39", "href": "https://vulners.com/osvdb/OSVDB:16344", "id": "OSVDB:16344", "type": "osvdb", "title": "qmail commands.c Signed Index Issue", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "qualysblog": [{"lastseen": "2020-11-26T12:21:03", "bulletinFamily": "blog", "cvelist": ["CVE-2005-1513"], 
"description": "The Qualys Security Advisory team has been nominated for five [Pwnie Awards](<https://pwnies.com/nominations/active/>) this year in three different categories. In addition to nominations for Best Privilege Escalation Bug and Best Server-Side Bug (3 nominations), we are proud to be nominated for Epic Achievement.\n\nThe Pwnie Awards are an annual recognition celebrating the achievements of security researchers and the security community. Nominations are taken from the security community at large, and a panel of respected security researchers will review the [Active Nominations](<https://pwnies.com/nominations/active/>) and announce winners in each category at [Black Hat Europe](<https://www.blackhat.com/eu-20/>) on December 9, 2020.\n\n\n\nThe Qualys Security Advisory Team is a nominee in these categories: \n\n### **Epic Achievement**\n\n * [15 years later: Remote Code Execution in qmail (CVE-2005-1513)](<https://pwnies.com/nominations/active/epic-achievement/qualys-security-advisory-team/>)\n\nIn 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. We recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.\n\n### **Best Privilege Escalation Bug**\n\n * [Local Privilege Escalation in OpenBSD\u2019s dynamic loader](<https://pwnies.com/nominations/active/best-privilege-escalation-bug/local-privilege-escalation-in-openbsd-dynamic-loader/>)\n\nOpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. 
When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.\n\n### **Best Server-Side Bug**\n\n * [RCE in OpenSMTPD](<https://pwnies.com/nominations/active/best-server-side-bug/lpe-and-rce-in-opensmtpd/>)\n\nsmtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the \u201cuncommented\u201d default configuration. The issue exists because of an incorrect return value upon failure of input validation. \n\n * [RCE in OpenSMTPD\u2019s Default Install](<https://pwnies.com/nominations/active/best-server-side-bug/rce-in-opensmtpd-default-install/>)\n\nOpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling. \n\n * [Remote Code Execution in qmail](<https://pwnies.com/nominations/active/best-server-side-bug/remote-code-execution-in-qmail/>)\n\nInteger overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to execute arbitrary code. 
Remote Code Execution in qmail, CVE-2005-1513\n\n## About Pwnie Awards\n\nThe [Pwnie Awards](<https://en.wikipedia.org/wiki/Pwnie_Awards>) recognize both excellence and incompetence in the field of information security.", "modified": "2020-11-25T16:00:00", "published": "2020-11-25T16:00:00", "id": "QUALYSBLOG:937C75F71B7A9D96B94AA82B974CD3B7", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "Qualys Research Nominated for Pwnie Awards 2020", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}