Gentoo Logo

Xmail: Privilege escalation through sendmail

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200512-05 / xmail
Release Date December 14, 2005
Latest Revision December 14, 2005: 01
Impact high
Exploitable local
Package Vulnerable versions Unaffected versions Architecture(s)
mail-mta/xmail < 1.22 >= 1.22 All supported architectures

Related bugreports: #109381

Synopsis

The sendmail program in Xmail is vulnerable to a buffer overflow, potentially resulting in local privilege escalation.

2.  Impact Information

Background

Xmail is an Internet and intranet mail server.

Description

iDEFENSE reported that the AddressFromAtPtr function in the sendmail program fails to check bounds on arguments passed from other functions, and as a result an exploitable stack overflow condition occurs when specifying the "-t" command line option.

Impact

A local attacker can make a malicious call to sendmail, potentially resulting in code execution with elevated privileges.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Xmail users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/xmail-1.22"

4.  References

Print

Page updated December 14, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.