Bug 14056

Summary: procmail new security issue CVE-2014-3618
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/610939/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: procmail-3.22-19.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-09-05 15:13:53 CEST 
A CVE was assigned for a buffer overflow in procmail's formail utility:
http://seclists.org/oss-sec/2014/q3/495

There's a PoC mbox file attached to that message and more details in that thread.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated procmail package fixes security vulnerability:

A heap-based buffer overflow was reported in procmail's formail utility when
parsing addresses with unbalanced quotes (CVE-2014-3618).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618
https://bugzilla.redhat.com/show_bug.cgi?id=1137581
========================

Updated packages in core/updates_testing:
========================
procmail-3.22-18.1.mga3
procmail-3.22-19.1.mga4

from SRPMS:
procmail-3.22-18.1.mga3.src.rpm
procmail-3.22-19.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-05 15:14:04 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-09-05 17:04:18 CEST 
Testing complete mga4 64

Downloaded mbox.bin from the link in comment 0

Before
------
$ formail -s < ./mbox.bin > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x0000000001fad180 ***
Segmentation fault


After
-----
$ formail -s < ./mbox.bin > /dev/null

No segfault so remove the redirect to see what it's doing..

$ formail -s < ./mbox.bin
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit
...etc

Shows the email thread.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 2 claire robinson 2014-09-05 17:21:46 CEST 
Testing mga3 32

Doesn't appear vulnerable.

$ formail -s < mbox.bin 
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit
...etc

$ rpm -q procmail
procmail-3.22-18.mga3

Appears Ok with the update also. I'll check mga3 64 too.
Comment 3 claire robinson 2014-09-05 17:30:23 CEST 
Testing complete mga3 64

It appears to only affect 64bit builds. Adding the OK's.

Before
------
$ formail -s < mbox.bin > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x00000000017ef100 ***
Segmentation fault

After
-----
$ formail -s < mbox.bin 
From 3080872697845058505@null Fri Jul 18 16:00:46 2014
X-Google-Thread: 1101ff,b478806d690fea0
X-Google-Thread: 111f74,9b7e51d2af7e2141
X-Google-Thread: fec13,9b7e51d2af7e2141
X-Google-Attributes: gid1101ff,gid111f74,gidfec13,public
X-Google-Language: ENGLISH,ASCII-7-bit

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 4 David Walser 2014-09-05 17:40:38 CEST 
Debian and Ubuntu have issued advisories for this on September 4:
https://www.debian.org/security/2014/dsa-3019
http://www.ubuntu.com/usn/usn-2340-1/

URL: (none) => http://lwn.net/Vulnerabilities/610939/

Comment 5 claire robinson 2014-09-05 17:42:24 CEST 
Testing complete mga4 32

Again 32bit appears not to be vulnerable.
claire robinson 2014-09-05 17:42:36 CEST

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-09-05 18:29:13 CEST 
Validating. Advisory from comment 0 uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2014-09-07 11:56:55 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0373.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED