Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

procmail.overflows.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Procmail updated to fix buffer overflows and improve security. Upgrade is recommended immediately.

Code
`Date: Mon, 5 Apr 1999 02:23:59 -0500  
From: Philip Guenther <[email protected]>  
To: [email protected]  
Subject: Re: [SECURITY] new version of procmail with security fixes  
  
[email protected] writes:  
>A new version of procmail has been released which fixes a couple  
>of buffer overflows and has extra security checks.  
>  
>We recommend you upgrade your procmail package immediately.  
  
As the person who fixed most of those overflows I suppose I should  
elaborate on this.  
  
First off, for non-debian users, the source to the current procmail  
release can be fetched from:  
  
http://www.procmail.org/procmail.tar.gz  
ftp://ftp.procmail.org/pub/procmail/procmail.tar.gz  
  
PGP signatures can be found next to the those (".sig"), made by the key  
with keyid 0x4A25D351, availible on the keyservers or at  
http://www.procmail.org/pgp-key.html  
  
Mirrors will be announced on the procmail webpage  
(http://www.procmail.org/) as they are confirmed.  
  
  
All versions of procmail previous to 3.12 could overflow heap allocated  
buffers, either when given a sufficiently long command line argument,  
or during expansions while processing procmailrc files. If the later  
occurs during the processing of /etc/procmailrc on systems where  
procmail is installed setuid root or is run as the local delivery  
agent, root access may be obtainable. If procmail is installed setgid,  
then the command line overflow exposes that group, but not (directly)  
root. Overflows that occur while processing user procmailrc files may  
give out setgid and/or that user's access.  
  
  
The details are similar to any other program with heap-allocated buffer  
overflow. None of overflows directly involved the message being  
processed, but rather were triggered by expansions in the user's  
procmailrc file. Since only the user can change that, there should be  
no problem...except that:  
  
a) procmail is installed setgid mail on many systems and (depending on  
the spool configuration and system) may not have given up those  
privileges, and  
b) many rcfiles extract data from the message (say, the contents of a  
header, or a snippet of the body) and then use that in later  
conditions.  
  
(a) means that a local user may be able to obtain setgid mail rights,  
while (b) means that remote exploits may be possible. However, even  
when self-inflicted with no gain, crashing on overflow is just rude.  
  
Closing the overflows has been a matter of simply checking, in the  
correct places, that there's enough space to do what needs to be done.  
While I can't rule out doing so in the future, we have not moved to a  
scheme of dynamically allocating everything, partly because I don't  
have the time to debug such a scheme, and partly because it isn't clear  
that it would even be the right thing to do (think DOS-attacks).  
  
I'm not claiming to have fixed them all -- I've been following this  
list too long to be that stupid -- but we have our eyes open and are  
actively working on catching them when we find them. Bug reports and  
comments should be sent to <[email protected]>.  
  
I have not heard of or seen any exploits. (Waste of typing to say that.)  
  
  
Philip Guenther  
  
----------------------------------------------------------------------  
[email protected] UNIX Systems and Network Administrator  
Gustavus Adolphus College St. Peter, MN 56082-1498  
Source code never lies: it just misleads (Programming by Purloined Letter?)  
  
--------------------------------------------------------------------------------  
  
Date: Tue, 6 Apr 1999 16:56:16 -0500  
From: Philip Guenther <[email protected]>  
To: [email protected]  
Subject: Procmail version 3.13.1 released  
  
How apt my previous words...  
  
I have released procmail version 3.13.1, which fixes a few buffer  
overflow that I had missed previously and eliminates a keyword conflict  
with newer versions of gcc. These buffer overflows are probably  
'slightly more difficult' to exploit as they involve particular  
variables instead of variable expansion in general.  
  
My apologies to those who downloaded version 3.13 yesterday.  
  
  
http://www.procmail.org/procmail.tar.gz  
ftp://ftp.procmail.org/pub/procmail/procmail.tar.gz  
  
  
Debian has been notified and so will probably be releasing an updated  
package shortly. (If other vendors want to be notified of procmail  
releases ahead of time they should e-mail me.)  
  
  
Philip Guenther  
  
Procmail Maintainer  
[email protected]  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Aug 1999 00:00Current
0.1Low risk
Vulners AI Score0.1
procmail updatebuffer overflowsecurity checksroot accesssetgid installuser access
25