According to this Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=962988 sometimes passwords are stored in ssmtp.conf, which has 644 permissions.

Fedora fixed it in this commit: http://pkgs.fedoraproject.org/cgit/ssmtp.git/commit/?id=9f32dc1ab1e24af8d53d5452451c5a1410cd4beb
If someone can point to actual patches or fixes and not just a git commit, then I can work with it.
Keywords: (none) => NEEDINFO
The patches weren't relevant to this security issue, the changes made to fix this were in the spec file itself. These were the relevant changes: -install -p -D -m 755 %{name} %{buildroot}%{_sbindir}/%{name} +install -p -D -m 2750 %{name} %{buildroot}%{_sbindir}/%{name} -%{_sbindir}/%{name} +%attr(2755, root, mail) %{_sbindir}/%{name} -%dir %{_sysconfdir}/ssmtp/ +%attr(2750, root, mail) %dir %{_sysconfdir}/ssmtp/ -%config(noreplace) %{_sysconfdir}/ssmtp/ssmtp.conf +%attr(2750, root, mail) %config(noreplace) %{_sysconfdir}/ssmtp/ssmtp.conf
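Review bot: the %attr(2750, root, mail) on the %config(noreplace) ssmtp.conf entry puts setgid and execute bits on a plain configuration file, where they serve no purpose; %attr(0640, root, mail) would restrict reading to root and the mail group without them. The binary also ends up with two different modes in these lines, 2750 in the install command and 2755 in the %attr for %{_sbindir}/%{name}; the two should agree so the spec states one intended mode, and a short comment in the spec explaining that the setgid mail binary is what lets unprivileged users keep sending mail once the directory is 2750 would help the next packager.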
Ah. That sounds like an easy fix. :-)= Pushed fixed version to Cauldron. Working on mga2 and mga3 fixes now.
Keywords: NEEDINFO => (none)
Status: NEW => ASSIGNED
I have uploaded updated packages for Mageia 2 and Mageia 3.

Suggested Advisory:
========================
Under some scenarios, the password used to authenticate to external SMTP servers is stored in the config file with world-readable permissions. This update fixes this.
========================

Updated Mageia 2 packages in core/updates_testing:
ssmtp-2.64-5.1.mga2

Source RPM:
ssmtp-2.64-5.1.mga2.src.rpm

Updated Mageia 3 packages in core/updates_testing:
ssmtp-2.64-8.1.mga3

Source RPM:
ssmtp-2.64-8.1.mga3.src.rpm
Status: ASSIGNED => NEW
CC: (none) => cooker
Assignee: cooker => qa-bugs
Whiteboard: (none) => MGA2TOO, MGA3TOO
Version: Cauldron => 3
Whiteboard: MGA2TOO, MGA3TOO => MGA2TOO
Tested MGA3 32

installed ssmtp-2.64.8.mga3

ls -l /etc/ssmtp
-rw-r--r-- 1 root root 200 Mar 20 09:06 revaliases
-rw-r--r-- 1 root root 1280 Mar 20 09:06 ssmtp.conf

urpmi ssmtp-2.64-8.1.mga3
$MIRRORLIST: media/core/updates_testing/ssmtp-2.64-8.1.mga3.i586.rpm
installing ssmtp-2.64-8.1.mga3.i586.rpm from /var/cache/urpmi/rpms
Preparing... ######################################################
1/1: ssmtp

ls -l /etc/ssmtp
ls: cannot open directory /etc/ssmtp: Permission denied

sudo ls -l /etc/ssmtp
total 8
-rwxr-s--- 1 root mail 200 Jul 12 19:40 revaliases
-rwxr-s--- 1 root mail 1280 Jul 12 19:40 ssmtp.conf
CC: (none) => martynvidler
I forgot to put the /etc/ssmtp dir permissions

The dir /etc/ssmtp permissions
drwxr-s--- 2 root mail 4096 Jul 13 07:47 ssmtp/
Whiteboard: MGA2TOO => MGA2TOO MGA3-32-ok
Tested MGA3 64

$MIRRORLIST: media/core/release/ssmtp-2.64-8.mga3.x86_64.rpm
installing ssmtp-2.64-8.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ######################################################
1/1: ssmtp

ls -l /etc/ssmtp
total 8
-rw-r--r-- 1 root root 200 Mar 20 09:06 revaliases
-rw-r--r-- 1 root root 1280 Mar 20 09:06 ssmtp.conf

ls -l ssmtp
drwxr-xr-x 2 root root 4096 Jul 13 18:19 ssmtp

$MIRRORLIST: media/core/updates_testing/ssmtp-2.64-8.1.mga3.x86_64.rpm
installing ssmtp-2.64-8.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #####################################################
1/1: ssmtp

ls -l /etc/ssmtp
ls: cannot open directory /etc/ssmtp: Permission denied

sudo ls -l /etc/ssmtp
total 8
-rwxr-s--- 1 root mail 200 Jul 12 19:40 revaliases
-rwxr-s--- 1 root mail 1280 Jul 12 19:40 ssmtp.conf

etc$ ls -l | grep ssmtp
drwxr-s--- 2 root mail 4096 Jul 13 18:24 ssmtp/
Whiteboard: MGA2TOO MGA3-32-ok => MGA2TOO MGA3-32-ok MGA3-64-ok
Testing complete mga2 64

Before
------
# ll -d /etc/ssmtp
drwxr-xr-x 2 root root 4096 Jul 16 16:29 /etc/ssmtp/
# ll /etc/ssmtp
total 8
-rw-r--r-- 1 root root 200 May 8 2011 revaliases
-rw-r--r-- 1 root root 1280 May 8 2011 ssmtp.conf

After
-----
# ll -d /etc/ssmtp
drwxr-s--- 2 root mail 4096 Jul 16 16:32 /etc/ssmtp/
# ll /etc/ssmtp
total 8
-rwxr-s--- 1 root mail 200 Jul 12 20:03 revaliases*
-rwxr-s--- 1 root mail 1280 Jul 12 20:03 ssmtp.conf*

The 's' in the group showing setgid.
Whiteboard: MGA2TOO MGA3-32-ok MGA3-64-ok => MGA2TOO MGA3-32-ok MGA3-64-ok mga2-64-ok
Advisory from comment 4 uploaded as a bugfix advisory. There are no CVEs for this but it is security of sorts so we may need to change it later.

Still in need of testing mga2 32.
MGA2 32

ssmtp-2.64-5.mga1.i586

ll -d /etc/ssmtp
drwxr-xr-x 2 root root 4096 Jul 16 19:39 /etc/ssmtp/
ll /etc/ssmtp
total 8
-rw-r--r-- 1 root root 200 May 8 2011 revaliases
-rw-r--r-- 1 root root 1280 May 8 2011 ssmtp.conf

ssmtp-2.64-5.1.mga2.i586

ll -d /etc/ssmtp
drwxr-s--- 2 root mail 4096 Jul 16 19:48 /etc/ssmtp/
ll /etc/ssmtp
ls: cannot open directory /etc/ssmtp: Permission denied
sudo ls -l /etc/ssmtp
total 8
-rwxr-s--- 1 root mail 200 Jul 12 20:03 revaliases
-rwxr-s--- 1 root mail 1280 Jul 12 20:03 ssmtp.conf

Validating

Advisory & SRPM in comment 4

Can someone from sysadmin please push from core/updates_testing to core/updates
Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-32-ok MGA3-64-ok mga2-64-ok => MGA2TOO MGA3-32-ok MGA3-64-ok mga2-64-ok MGA2-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGAA-2013-0064.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
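The before/after checks the testers ran by hand with ls -l can be scripted. The following is an added example, not part of the original bug thread or of the Mageia or Fedora packaging: it audits a directory laid out like /etc/ssmtp and flags world-readable entries, config files that set a password, and stray exec/setgid bits on data files. `AuthPass` is ssmtp's configuration key for the SMTP password; the temporary directory, host name and file contents are constructed for the demonstration.

```python
import os
import stat
import tempfile

def audit_mode(mode):
    """Findings for one st_mode value (file-type bits included)."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    extra = stat.S_ISGID | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if stat.S_ISREG(mode) and mode & extra:
        findings.append("exec/setgid bits on a data file")
    return findings

def has_password(path):
    """True if the file sets AuthPass (ssmtp's SMTP password key)."""
    with open(path, errors="replace") as fh:
        return any(line.strip().lower().startswith("authpass") for line in fh)

def audit_dir(path):
    """Map the directory ('.') and each entry to (ls-style mode, findings)."""
    report = {}
    for name in ["."] + sorted(os.listdir(path)):
        full = os.path.join(path, name)
        mode = os.lstat(full).st_mode
        findings = audit_mode(mode)
        if stat.S_ISREG(mode) and "world-readable" in findings and has_password(full):
            findings.append("exposes AuthPass")
        report[name] = (stat.filemode(mode), findings)
    return report

def demo():
    """Constructed stand-in for /etc/ssmtp, before and after tightening."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "ssmtp.conf")
        with open(conf, "w") as fh:
            fh.write("mailhub=smtp.example.invalid:587\n"
                     "AuthUser=relay\nAuthPass=constructed-secret\n")
        os.chmod(root, 0o755)
        os.chmod(conf, 0o644)      # modes shown in the "before" listings
        before = audit_dir(root)
        os.chmod(root, 0o750)
        os.chmod(conf, 0o640)      # group-readable only, no extra bits
        after = audit_dir(root)
    return before, after

if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        for name, (mode, findings) in report.items():
            print(label, mode, name, findings or "ok")
```

On a real system, run `audit_dir("/etc/ssmtp")` as root, since the updated package makes the directory unreadable to other users.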