-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AMaViS Security Announcement

Date:                   2004-03-06
affected version(s):    amavis-0.1.x, amavis-0.2.x
			if metamail is used
Vulnerability Type:     metamail format string bugs and buffer overflows 
Priority:               urgent
Solution:               update metamail 
			use ripmime / reformime instead
			switch to amavis 0.3.x, amavisd, amavisd-new
			or amavis-ng
Author:                 Rainer Link <rainer@openantivirus.org>
Advisory ID:            ASA-2004-2
Contact:                security@amavis.org
WWW:			http://www.amavis.org/security/

- -----------------------------------------------------------------------------

1. Problem description
Ulf Harnhammar found two format strings bugs and two buffer overflows
in metamail 2.2 - 2.7 (possibly others as well).

amavis 0.1.x and amavis 0.2.x uses metamail do split a eMail message in 
its parts, i.e. the mail body and the attachment file(s). amavis 0.2.1
is able to use ripmime or reformime to perform the same task as well.

2. Impact
Possible remote system compromise by special-crafted mail.

3. Solution

We strongly recommend to upgrade to amavis 0.3.x, amavisd, amavisd-new
or amavis-ng. The development of amavis 0.1.x / 0.2.x has been
discontinued since July, 2001. 

If this is not possible:

A) As metamail is not maintained anymore, it's recommended to
use reformime or ripmime instead. Please keep in mind this needs
some manual changes in /usr/sbin/scanmails:

* To use reformime:
metamail=/path/to/reformime
${metamail} -x ${tmpdir}/unpacked/ < ${tmpdir}/receivedmail > \
/dev/null 2>&1 

* To use ripmime:
metamail=/path/to/ripmime
${metamail} -d ${tmpdir}/unpacked/ -i ${tmpdir}/receivedmail \
- --unique_names > /dev/null 2>&1

(see http://www.amavis.org/security/asa-2001-1.txt)

Or

B) Apply patch by Ulf Harnhammer, 
http://lists.netsys.com/pipermail/full-disclosure/2004-February/017539.html


4. Acknowledgment


5. References
http://lists.netsys.com/pipermail/full-disclosure/2004-February/017539.html
http://www.amavis.org/security/asa-2000-1.txt
http://www.amavis.org/security/asa-2001-1.txt
http://www.amavis.org/security/asa-2002-1.txt
http://www.amavis.org/security/

6. Revision History
2004-03-06: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFASlZTmxoFTBO0QHkRAom5AJ48OVY0U7aEP49ldpSg02uKheO4LgCfZJfL
qVg8pG2D7M6j4K8yWB/zxpQ=
=geaZ
-----END PGP SIGNATURE-----