-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AMaViS Security Announcement

Date:                   09/03/2002
affected  version(s):   AMaViS-0.2.x, all amavis shell script
                        versions
			amavis-perl/amavisd is _NOT_ affected
Vulnerability Type:     possible DoS attack by a special crafted TAR
			archive file
Priority:               urgent
Solution:               apply patch to securetar
Author:                 Rainer Link <link@suse.de>
Advisory ID:            ASA-2002-2
Contact:		security@amavis.org

- ----------------------------------------------------------------------------

1. Problem description
The AMaViS shell script version (AMaViS 0.1.x / 0.2.x) uses securetar.
securetar removes the pathes of files in a tar archive and makes each
file name a unique name. Links, character devices, block devices and named
pipes will be removed from the archive.
A special-crafted TAR file may hung securetar forever, using up to
100% CPU time.
 

2. Impact
A DoS attack against the mail server may be possible.


3. Solution
We strongly recommend to upgrade to amavis-perl/amavisd, 
as the development of AMaViS 0.2.x branch has been discontinued since
July, 2001
(http://marc.theaimsgroup.com/?l=amavis-announce&m=99530451203949&w=2)

If it's not possible to upgrade to amavis-perl/amavis, please apply
the following patch to securetar, compile it and install the new securetar
binary by overwriting the old one, i.e.

/usr/local/src/amavis-0.2.1/src/securetar# patch -p3 < securetar.c.dif
/usr/local/src/amavis-0.2.1/src/securetar# gcc -o securetar securetar.c
/usr/local/src/amavis-0.2.1/src/securetar# cp -a securetar /usr/bin

- --- amavis-0.2.1.orig/src/securetar/securetar.c Fri May 26 11:53:27 2000
+++ amavis-0.2.1/src/securetar/securetar.c      Tue Sep  3 15:22:58 2002
@@ -231,8 +231,8 @@
                /************************************/
                /* Write out the corresponding data */
                /************************************/
- -               while( FileSize>0 ) {
- -                       FileSize-=(long)count=read(fdin,&block,sizeof(block));
+                while( FileSize>0 && (count=read(fdin,&block,sizeof(block))) ) {
+                        FileSize-=(long)count;
                        write( fdout, &block, count );
                }
        }


4. Acknowledgement
This bug was reported by Georgy Salnikov directly to me. 

5. References
http://www.amavis.org/


6. Revision History
09/03/2002: Initial release

===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE9dwp8mxoFTBO0QHkRAnYMAJ4hycCIST5lZk9zN+0Th8c6JZ3QmQCgleoV
UabDs0CJmavH5sjm4qcfKDI=
=oQQz
-----END PGP SIGNATURE-----