-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AMaViS Security Announcement Date: 08/02/2000 affected version(s): AMaViS-Perl below AMaViS-Perl-8 AMaViS-0.2.1-pre1 / -pre2 AMaViS-0.2.0-pre6-clm-rl-8-12-06-2000 and later AMaViS-Perl-7 provided by SuSE as rpm is *NOT* affected Vulnerability Type: AMaViS can lose parts of email messages Priority: urgent Solution: apply patch Author: Lars Hecking Rainer Link Advisory ID: ASA-2000-4 - --------------------------------------------------------------------------- 1. Problem description In some configurations, e.g. relay type setups, scanmails (AMaViS) and amavis (AMaViS-Perl) is using sendmail or other MTA's sendmail wrappers to reinject scanned emails back into the mail system. If an email message contains a single dot on a line by itself, the sendmail program/wrapper will truncate that message at the dot, as amavis/scanmails fails to call sendmail with the "IgnoreDots" cmd line option (-i). In detail: AMaViS (scanmails) used with the following MTAs: * sendmail, scanmails is called via Mlocal: NOT affected * sendmail (relay setup): affected * postfix: affected * exim: NOT affected * qmail: NOT affected AMaViS-Perl (amavis) used with the following MTAs: * sendmail, amavis is called via Mlocal: NOT affected * postfix (relay setup): affected * postfix with procmail: NOT affected * qmail: NOT affected AMaViS-Perl-7 (amavis-7-0.i386.rpm), available at ftp://ftp.suse.com/pub/suse_update/imap/1.0/virus/ is *NOT* affected. This version is mainly for use with the SuSE eMail server. 2. Impact Obvious. All parts of an email message after and including a solitary dot are lost. This problem affects all setups where mail leaves amavis through sendmail or a sendmail-compatible wrapper. In particular, all dual-postfix setups as described in AMaViS-Perl's README.postfix are affected. The same is valid to AMaViS's README.postfix and AMaViS's README.sendmail. 3. Solution 3.1 AMaViS-Perl Locate the following code in the amavis-perl script if ($LDA eq "$sendmail_wrapper") { unshift(@LDAARGS, "-f"); } else { @LDAARGS = (); } and change it to if ($LDA eq "$sendmail_wrapper") { unshift(@LDAARGS, "-f"); unshift(@LDAARGS, "-oi "); } else { @LDAARGS = (); } This problem is fixed in AMaViS-Perl-8. 3.2 All non-perl versions of AMaViS Apply the attached patch to the scanmails script. It should apply ok with more or less fuzz. This problem is fixed in AMaViS 0.2.1-pre3. 4. Acknowledgement I discovered this by accident after receiving a mail message on the postfix-users mailing list which quoted more parts of another message than I remembered getting. Rainer Link provided the patch for scanmails. 5. References https://sourceforge.net/projects/amavis/ http://amavis.org/ 6. Revision History 08/02/2000: initial release 08/02/2000: some changes 08/04/2000: updated as AMaViS-Perl-7, provided by SuSE, is not affected 10/25/2000: updated as AMaViS-Perl-8 and AMaViS 0.2.1-pre3 released =========================================================================== - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDjaUVwRBACPlluFzjLsjxV4ynz41Zk1S2GLF1/U3xE2HNcfk+a2Ij6sH64O yPtBR9WX9x/QW3g9LnW86DHWgnh408D7jtd4/imJDyiNGqMregmkDjEWa6TIsXwB RlG/DRpFbfwc4yRqQPklcgCIH/KlxgkJ1QTezpltRiQBfpWZKOrA1tLGGwCgw4/o pU+RdnilbrDc6MZx7WQkzKED+QEUt4/++VyvPZjQCOmxFk4GpQZNP99D40eJFwyx JkRGVl4f1wAgi0Q3NSSJyl1j9qGxz0c8DmR1F0yJtyg8+fqpKomtg+lHasvELom4 g0cGjnjtwx7sgtga4BIxUUpWTZLkMftWQigWgwWp3e5b6RCfHTUxuOUtgBBmjQB8 x04ABACNTYjjBcUKJYzp3Hx8wz39MVznYl8KXuXHIGY0ccbPmv3J6zjXvSr4++AZ +U1qUSGJUyW0xpSWnsxHRI/qkiI5KPNbLYPFMbYjLHH2H5grjdnw7X71NAEW13Mv 0V9Fgs1mn93BkVn8V+U8vGPcgwTegcEWCe6V06HZD6Ep46W7drQnUmFpbmVyIEhl cm1hbm4gTGluayA8UmFpbmVyTGlua0BnbXguZGU+iFYEExECABYFAjjaUVwECwoE AwMVAwIDFgIBAheAAAoJEJsaBUwTtEB5iDoAoI+nE3VeD0gGtuaTHhLmKPA7rfmJ AKCf+H996kGJ65ZmqWsTrV2iuyqniIkBIgQQAQEADAUCONuGTwUDAeEzgAAKCRCX VPlSyTX7PUP3CACZG7hK9GMg7gL2pWs6ZEPC+ANUGh3KL5F/cYjngQJf+YABXvJ/ g8Up0voHooSq+lGQMxPZjK2sxLF/aOkmRW+r/uC1pxwbAOLgRRC/X33CVA+XhJ0r UvYJGHUjDRoe690vWkxyDDCVGVlsD3+5w7Ljsq0hoiRFF+32HyJzHY1bcC3d+W5V IPBze9bJvcDspJbCOXVc87d2tOfYR85mdOcsotNhAZJWtZvBkhj9xvxlu8BrAOUe e+1ZbeMNlrDnmMGMYc2kF4gSbAHfmYR9Zepng60s5rWktEUzlJoUDRPKI2FmNT3E K9dycZXhsdcDUnzAimm4MrvEn2pexSC2rE4NtCJSYWluZXIgSGVybWFubiBMaW5r IDxsaW5rQHN1c2UuZGU+iFUEExECABYFAjlosj0ECwoEAwMVAwIDFgIBAheAAAoJ EJsaBUwTtEB5yj0AniSu6k2wR6LF122b5aUVUwhXoHtlAJdMS/Gijbx8m4MI9thX qXp5azRNtClSYWluZXIgSGVybWFubiBMaW5rIDxSYWluZXIuTGlua0BzdXNlLmRl PohWBBMRAgAWBQI5aLJjBAsKBAMDFQMCAxYCAQIXgAAKCRCbGgVME7RAeWHEAJ45 eGd260EM04tUuIhh2fxI0RyhPwCfVU8nrwC7pbwj7Dsa07fvwE0soYW5Ag0EONpS FBAIAJoCSZEyxdupx95EPn8XPGV7ugg+5BMIDTA6J30HD78RQQkDQCBMTDLCcMpz uukxXByAUMUNpf8RlZEN9U582BjdPYNYRa4VP5QJbvpjC08YeWQs+sD3n0HT/ArL FGlC+rSf1vJoaKI2ggTlRV1L04yEhCEH9zQDPKjFH4aIci2IghOJB/xZaRF69khN IlifD8SglIQ9FcEhc5+sUIZdeu/+XVlgwgBc4XF7+W40PNZ4uXMhElbzGP5jqTdo nFS+AlV/OsElQ+ma4atZicfVjRaVTxovAl91ZeVr5v7XGvpvh3rmtOyP/pVYf4ii 5Y6nu8OFXGo4Bsx3FqSZkQ2jh3cAAwUIAICCSuAuPCYaKYA168gNDZjsadQNhCpw 2o7zsKpSmQ6hxd4aRQ1TO631nNDx2D+/ffk7ET5VT3n4gezUn2ITZHdrTk1GUpLR 3czoMZIBL6Eit9mEmRe1XZ/3Q5lEUZHm8wEqqIZPPVhxZAFXDBucQlPO1lFKd8rM UC+3+oU7RF9PpwzdQ+d/iMGmFMKXTH7o2qRV64cVMkWuMpMQARfA+i3YGPqqZfIb dlMHXJ0oA32+eTUqOTtucD64XvcYSUQQ1tsHeijvrHq71zLfL6t1Dhwt+JDRMz3S fDggxQs2oaB9Y+rxfbX7ajcHl0rc67sTTC+wDXIq+25FhnYPu+NV6kmIRgQYEQIA BgUCONpSFAAKCRCbGgVME7RAeTYdAKCifLnHBBVPhcSRRffljCryGujZJQCfYcrQ VrZ22GYrSJJn3sNjQKAHd3w= =Fsd9 - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQE59xxOmxoFTBO0QHkRAlTaAJ9GzfMchwxpzF8w40UKPEWwi5iWDACfXyd8 BzZl2oUvhnpuG7YbVBw9ZEU= =r4Y0 -----END PGP SIGNATURE-----