Gentoo Logo

Xmail: Privilege escalation through sendmail


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200512-05 / xmail
Release Date December 14, 2005
Latest Revision December 14, 2005: 01
Impact high
Exploitable local
Package Vulnerable versions Unaffected versions Architecture(s)
mail-mta/xmail < 1.22 >= 1.22 All supported architectures

Related bugreports: #109381


The sendmail program in Xmail is vulnerable to a buffer overflow, potentially resulting in local privilege escalation.

2.  Impact Information


Xmail is an Internet and intranet mail server.


iDEFENSE reported that the AddressFromAtPtr function in the sendmail program fails to check bounds on arguments passed from other functions, and as a result an exploitable stack overflow condition occurs when specifying the "-t" command line option.


A local attacker can make a malicious call to sendmail, potentially resulting in code execution with elevated privileges.

3.  Resolution Information


There is no known workaround at this time.


All Xmail users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/xmail-1.22"

4.  References


Page updated December 14, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.