SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) (fwd)
Julian Field
mailscanner at ecs.soton.ac.uk
Tue Nov 5 17:01:37 GMT 2002
MailScanner does not use the Mail::Mailer mechanism to send mail. It always
does that by calling sendmail directly.
Therefore there is no reason to suspect that MailScanner might be
vulnerable to this problem.
At 16:47 05/11/2002, you wrote:
>Hi!
>
>Perhaps interesting for some of you...
>
>---------- Forwarded message ----------
>Date: Tue, 5 Nov 2002 12:14:35 +0100 (MET)
>From: Sebastian Krahmer <krahmer at suse.de>
>To: bugtraq at securityfocus.com
>Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041)
>
>
>______________________________________________________________________________
>
> SuSE Security Announcement
>
> Package: perl-MailTools
> Announcement-ID: SuSE-SA:2002:041
> Date: Tue Nov 5 11:30:00 CET 2002
> Affected products: 7.1, 7.2, 7.3, 8.0, 8.1
> SuSE eMail Server III, 3.1
> Vulnerability Type: remote command execution
> Severity (1-10): 6
> SuSE default package: no
> Cross References: -
>
> Content of this advisory:
> 1) security vulnerability resolved: Remote command execution via
> Mail::Mailer package.
> problem description, discussion, solution and upgrade information
> 2) pending vulnerabilities, solutions, workarounds: -
> 3) standard appendix (further information)
>
>______________________________________________________________________________
>
>1) problem description, brief discussion, solution, upgrade information
>
> The SuSE Security Team reviewed critical Perl modules, including the
> Mail::Mailer package. This package contains a security hole which allows
> remote attackers to execute arbitrary commands in certain circumstances.
> This is due to the usage of mailx as default mailer which allows commands
> to be embedded in the mail body.
> Vulnerable to this attack are custom auto reply programs or spam filters
> which use Mail::Mailer directly or indirectly.
>
> Please download the update package for your distribution and verify its
> integrity by the methods listed in section 3) of this announcement.
> Then, install the package using the command "rpm -Fhv file.rpm" to apply
> the update.
> Our maintenance customers are being notified individually. The packages
> are being offered to install from the maintenance web.
>
>
> i386 Intel Platform:
>
> SuSE-8.1
>
>ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/perl-MailTools-1.47-29.i586.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/perl-MailTools-1.47-29.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
> SuSE-8.0
>
>ftp://ftp.suse.com/pub/suse/i386/update/8.0/perl3/perl-MailTools-1.42-120.i386.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/perl-MailTools-1.42-120.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
> SuSE-7.3
>
>ftp://ftp.suse.com/pub/suse/i386/update/7.3/perl2/perl-MailTools-1.1401-187.i386.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/perl-MailTools-1.1401-187.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
> SuSE-7.2
>
>ftp://ftp.suse.com/pub/suse/i386/update/7.2/perl2/perl-MailTools-1.1401-187.i386.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/perl-MailTools-1.1401-187.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
> SuSE-7.1
>
>ftp://ftp.suse.com/pub/suse/i386/update/7.1/perl2/perl-MailTools-1.1401-188.i386.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/perl-MailTools-1.1401-188.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
>
> Sparc Platform:
>
> SuSE-7.3
>
>ftp://ftp.suse.com/pub/suse/sparc/update/7.3/perl2/perl-MailTools-1.1401-65.sparc.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/perl-MailTools-1.1401-65.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
>
> AXP Alpha Platform:
>
> SuSE-7.1
>
>ftp://ftp.suse.com/pub/suse/axp/update/7.1/perl2/perl-MailTools-1.1401-69.alpha.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/perl-MailTools-1.1401-69.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
>
> PPC Power PC Platform:
>
> SuSE-7.3
>
>ftp://ftp.suse.com/pub/suse/ppc/update/7.3/perl2/perl-MailTools-1.1401-110.ppc.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/perl-MailTools-1.1401-110.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
> SuSE-7.1
>
>ftp://ftp.suse.com/pub/suse/ppc/update/7.1/perl2/perl-MailTools-1.1401-111.ppc.rpm
> d41d8cd98f00b204e9800998ecf8427e
> source rpm:
>
>ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/perl-MailTools-1.1401-111.src.rpm
> d41d8cd98f00b204e9800998ecf8427e
>
>______________________________________________________________________________
>
>2) Pending vulnerabilities in SuSE Distributions and Workarounds:
>
> There is no additional information this time.
>
>______________________________________________________________________________
>
>3) standard appendix: authenticity verification, additional information
>
> - Package authenticity verification:
>
> SuSE update packages are available on many mirror ftp servers all over
> the world. While this service is being considered valuable and important
> to the free and open source software community, many users wish to be
> sure about the origin of the package and its content before installing
> the package. There are two verification methods that can be used
> independently from each other to prove the authenticity of a downloaded
> file or rpm package:
> 1) md5sums as provided in the (cryptographically signed) announcement.
> 2) using the internal gpg signatures of the rpm package.
>
> 1) execute the command
> md5sum <name-of-the-file.rpm>
> after you downloaded the file from a SuSE ftp server or its mirrors.
> Then, compare the resulting md5sum with the one that is listed in the
> announcement. Since the announcement containing the checksums is
> cryptographically signed (usually using the key security at suse.de),
> the checksums show proof of the authenticity of the package.
> We advise against subscribing to security lists which cause the
> email message containing the announcement to be modified so that
> the signature does not match after transport through the mailing
> list software.
> Downsides: You must be able to verify the authenticity of the
> announcement in the first place. If RPM packages are being rebuilt
> and a new version of a package is published on the ftp server, all
> md5 sums for the files are useless.
>
> 2) rpm package signatures provide an easy way to verify the authenticity
> of an rpm package. Use the command
> rpm -v --checksig <file.rpm>
> to verify the signature of the package, where <file.rpm> is the
> filename of the rpm package that you have downloaded. Of course,
> package authenticity verification can only target an un-installed rpm
> package file.
> Prerequisites:
> a) gpg is installed
> b) The package is signed using a certain key. The public part of this
> key must be installed by the gpg program in the directory
> ~/.gnupg/ under the home directory of the user who performs the
> signature verification (usually root). You can import the key
> that is used by SuSE in rpm packages for SuSE Linux by saving
> this announcement to a file ("announcement.txt") and
> running the command (do "su -" to be root):
> gpg --batch; gpg < announcement.txt | gpg --import
> SuSE Linux distributions version 7.1 and thereafter install the
> key "build at suse.de" upon installation or upgrade, provided that
> the package gpg is installed. The file containing the public key
> is placed at the top-level directory of the first CD (pubring.gpg)
> and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
>
>
> - SuSE runs two security mailing lists to which any interested party may
> subscribe:
>
> suse-security at suse.com
> - general/linux/SuSE security discussion.
> All SuSE security announcements are sent to this list.
> To subscribe, send an email to
> <suse-security-subscribe at suse.com>.
>
> suse-security-announce at suse.com
> - SuSE's announce-only mailing list.
> Only SuSE's security announcements are sent to this list.
> To subscribe, send an email to
> <suse-security-announce-subscribe at suse.com>.
>
> For general information or the frequently asked questions (faq)
> send mail to:
> <suse-security-info at suse.com> or
> <suse-security-faq at suse.com> respectively.
>
> =====================================================================
> SuSE's security contact is <security at suse.com> or <security at suse.de>.
> The <security at suse.de> public key is listed below.
> =====================================================================
>______________________________________________________________________________
>
> The information in this advisory may be distributed or reproduced,
> provided that the advisory is not modified in any way. In particular,
> it is desired that the clear-text signature shows proof of the
> authenticity of the text.
> SuSE Linux AG makes no warranties of any kind whatsoever with respect
> to the information contained in this security advisory.
>
>Type Bits/KeyID Date User ID
>pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security at suse.de>
>pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build at suse.de>
>
>
>
>--
>~
>~ perl self.pl
>~ $_='print"\$_=\47$_\47;eval"';eval
>~ krahmer at suse.de - SuSE Security Team
>~
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
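The point of the reply above is that handing the message to sendmail directly sidesteps mailx, which the advisory names as the default mailer that lets commands be embedded in the body. Added example in Perl, not code from MailScanner or from perl-MailTools, showing that approach beside the equivalent fix for code that stays on Mail::Mailer (name the 'sendmail' method rather than accept the default); the sendmail path and the sample addresses are assumptions.

```perl
# Added example, not MailScanner's or perl-MailTools' code. Two ways to
# keep an auto-reply or spam filter from handing message text to mailx:
# (1) pipe it to sendmail directly, as the reply above says MailScanner
# does; (2) if Mail::Mailer is used, pin the method instead of accepting
# the default. The sendmail path is an assumption.
use strict;
use warnings;

my $SENDMAIL = '/usr/sbin/sendmail';

# Header values must be single lines; addresses must not look like options.
sub check {
    my ($name, $value, $is_addr) = @_;
    die "$name contains a line break\n" if $value =~ /[\r\n]/;
    die "$name is not a plain mailbox\n"
        if $is_addr && $value =~ /^-|\s/;
}

# (1) Direct pipe. The list form of open() starts sendmail without a shell,
# and sendmail treats the body as data: there are no mailx-style line
# escapes for it to act on. -oi: a lone "." line does not end input;
# -f: envelope sender; the recipient is an argument, not read from the
# headers, so message text cannot add recipients.
sub send_via_sendmail {
    my ($from, $to, $subject, $body) = @_;
    check('address', $_, 1) for $from, $to;
    check('Subject', $subject, 0);
    open(my $mta, '|-', $SENDMAIL, '-oi', '-f', $from, $to)
        or die "cannot start $SENDMAIL: $!\n";
    print {$mta} "From: $from\nTo: $to\nSubject: $subject\n\n", $body;
    print {$mta} "\n" unless $body =~ /\n\z/;
    close($mta) or die "sendmail failed, exit status " . ($? >> 8) . "\n";
    return 1;
}

# (2) Mail::Mailer with the method named explicitly. Mail::Mailer->new()
# with no argument may choose mailx on an unpatched install.
sub send_via_mailtools {
    my ($from, $to, $subject, $body) = @_;
    check('address', $_, 1) for $from, $to;
    check('Subject', $subject, 0);
    require Mail::Mailer;
    my $mailer = Mail::Mailer->new('sendmail');
    $mailer->open({ From => $from, To => $to, Subject => $subject })
        or die "Mail::Mailer open failed: $!\n";
    print {$mailer} $body;
    $mailer->close or die "Mail::Mailer close failed\n";
    return 1;
}

# Constructed sample: an auto-reply whose body quotes the incoming message.
send_via_sendmail('noreply@example.org', 'user@example.org', 'Auto-reply',
                  "Thanks for your message; we will reply shortly.\n");
```

Either function treats every body line, including lines copied from an untrusted incoming message, as message data only; what remains to check on a given host is which binary the default mailer resolves to when the method is not pinned.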