Re: [hypermail] Hypermail Security Fixes

From: kent landfield <kent_at_hypermail.org_at_hypermail-project.org>
Date: Thu, 27 Feb 2003 13:35:21 -0600 (CST)
Message-Id: <20030227193521.44DF827019E_at_dev.hypermail.org>


It is also available from the main distribution site at

    http://www.hypermail.org/dist/hypermail-2.1.7.tar.gz

The file 'http://www.hypermail.org/dist/hypermail.tar.gz' is always a link to the most current stable version.

Peter C. McCluskey writes:
> Version 2.1.7 is now available on Sourceforge:
> http://prdownloads.sourceforge.net/hypermail/hypermail-2.1.7.tar.gz
>
> SUMMARY:
>
> It should be understood that no known exploits exist at present for
> the security issues listed below. This proactive review of the code
> was taken to better secure hypermail. It is unclear whether any
> exploits were possible on a typical installation.
>
> Problems in utility programs other than the main Hypermail binary:
>
> Temp file race conditions were potentially possible in msg2archive.c
> and in mbox2hypermail.c (in the archive directory). They have been corrected.
>
> popen was used in the mail utility and the archive/msg2archive utility.
> msg2archive usage: The 'msg2archive' utility can be useful for archiving
> mail into mailboxes as well as calling hypermail. In order to be
> exploited, the administrator would have had to install it with special
> privileges (such as setuid) which has never been needed or suggested.
> The level of potential exposure is low. Nevertheless, the utility has
> been modified to better protect against abuse.
> Mail usage: The 'mail' utility was not installed by default and has not
> been for the last two years. In any case, the hypermail development
> team has determined that the 'mail' utility is a historic relic and
> will not be supplied in future versions. Its functionality has been
> replaced with a warning that anyone using it should remove it immediately.
>
> Security-related changes to the main Hypermail program:
>
> Fixed a possible buffer overflow with long filenames in uuencoded attachments.
> This appears to have been a risk only on systems where MAXPATHLEN or PATH_MAX
> was defined in system headers to be less than 1024.
>
> Disabled conversion of file:// into href - it seemed to allow anyone
> who could access the web server via localhost to read any file
> that the web server had permission to read rather than just files
> in the archive directory.
>
> Fixed and replaced various non-bound-checking code parts to
> avoid possible code execution or denial-of-service conditions.
>
> Replaced sprintfs with snprintfs to do bounds checking in places where it
> was hard to tell whether buffer overflows were possible.
>
> Limited the length of "Subject" and the like to avoid denial of service attacks
> while calling alloc.
>
> Changes unrelated to security:
> Fixed decoding of non-ascii headers.
> Fixed append option (was discarding some lines).
> Fixed random core dumps with files_by_thread option.
> Fixed compile problems on SunOS and Alpha running TRU64.
> See the Changelog for further details.
>
> The Hypermail Development Team would like to greatly thank
> Thomas Biege <thomas_at_suse.de> for assisting us with this
> review.
> --
> ------------------------------------------------------------------------------
> Peter McCluskey |
> http://www.rahul.net/pcm |
>

-- 
Kent Landfield             |  HYPERMAIL: http://www.hypermail.org/ 
Email: kent_at_hypermail.org  |  RFCS: http://www.faqs.org/rfcs/
Received on Thu 27 Feb 2003 10:20:48 PM GMT

This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:12 AM GMT
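
The announcement above lists a possible overflow from long filenames in uuencoded attachments and the replacement of sprintf with snprintf. The following C sketch is an added example, not hypermail's own code, showing that kind of bounded path construction with truncation treated as an error. The names `uu_attachment_path` and `SMALL_PATH_MAX` are hypothetical, the sample header line is constructed, and dropping directory components from the name is an extra precaution of this example rather than something the announcement describes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limit standing in for a platform whose PATH_MAX is below 1024. */
#define SMALL_PATH_MAX 64

/* Unbounded pattern of the kind the announcement says was replaced (not compiled):
 *     char path[SMALL_PATH_MAX];
 *     sprintf(path, "%s/%s", dir, name);     name is taken from the mail body */

/* Hypothetical helper: parse a uuencode header ("begin <mode> <name>") and
 * build "<dir>/<name>" in out[outsz]. Returns 0 on success, -1 when the line
 * is not a header, the name is unusable, or the path would not fit. */
int uu_attachment_path(const char *line, const char *dir, char *out, size_t outsz)
{
    int off = 0, n;
    const char *name;
    size_t len, start;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    sscanf(line, "begin %*o %n", &off);       /* off stays 0 if nothing matched */
    if (off == 0)
        return -1;
    name = line + off;
    len = strcspn(name, "\r\n");              /* name ends at the line break */
    /* Keep only the last path component of the untrusted name. */
    for (start = len; start > 0 && name[start - 1] != '/'; start--)
        ;
    name += start;
    len -= start;
    /* Reject empty names, names that cannot fit, and "." or "..". */
    if (len == 0 || len >= outsz || strncmp(name, "..", len) == 0)
        return -1;
    n = snprintf(out, outsz, "%s/%.*s", dir, (int)len, name);
    if (n < 0 || (size_t)n >= outsz) {        /* truncated: refuse the path */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[SMALL_PATH_MAX];
    /* Constructed sample header line. */
    int rc = uu_attachment_path("begin 644 report.txt\n", "archive/att", path, sizeof path);
    printf("%d %s\n", rc, path);
    return 0;
}
```

Checking snprintf's return value matters here: silently using a truncated path would write the attachment under a different name than the one parsed.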