===========================================================================
                     AMaViS Security Announcement
===========================================================================

Date:                   2004-05-02
Affected version(s):    amavis-0.1.x, amavis-0.2.x, amavis 0.3.x, amavisd,
                        amavisd-new, amavis-ng
Vulnerability type:     LHa buffer overflows and directory traversal problems
Priority:               urgent
Solution:               update LHa or apply the patch for LHa
References:             CAN-2004-0234 (buffer overflows)
                        CAN-2004-0235 (directory traversal)
Author:                 Rainer Link
Advisory ID:            ASA-2004-3
Contact:                security@amavis.org
WWW:                    http://www.amavis.org/security/
-----------------------------------------------------------------------------

1. Problem description

Ulf Harnhammar found two stack-based buffer overflows and two directory
traversal problems in LHa 1.14d to 1.14i and 1.17 (possibly others). All
AMaViS versions use the LHa program to extract LHarc/LZH archives.

2. Impact

Arbitrary code execution, overwriting important system files. The impact
depends on the AMaViS version in use (see below).

3. Solution

* amavis 0.1.x / 0.2.x

  We strongly recommend upgrading to amavis 0.3.x, amavisd, amavisd-new or
  amavis-ng. The development of amavis 0.1.x / 0.2.x has been discontinued
  since July 2001. Moreover, security maintenance will end on August 1st,
  2004.

  amavis 0.1.x / 0.2.x is affected by all issues found by Ulf Harnhammar.
  Moreover, in some configurations these amavis versions run as root, which
  makes it possible to overwrite any (system) file or allows a possible
  remote system compromise!

  Please fetch the update of LHa from your vendor (if available) or apply
  the patch provided by Ulf Harnhammar as soon as possible.

  Get the patch from:
  http://marc.theaimsgroup.com/?l=full-disclosure&m=108345064008698&w=2

* amavis 0.3.x, amavisd, amavisd-new, amavis-ng

  Those versions take some precautions when calling external programs and
  extracting files: the original (full path) name(s) of archive members are
  not used. Moreover, those versions do not run as root when set up properly
  (by default they run as a special, non-privileged user, not as root;
  amavisd-new can be run chrooted as well). Therefore, the two directory
  traversal problems should not be an issue. Nevertheless, please fetch the
  update of LHa from your vendor (if available) or apply the patch provided
  by Ulf Harnhammar as soon as possible.

  Get the patch from:
  http://marc.theaimsgroup.com/?l=full-disclosure&m=108345064008698&w=2

4. Acknowledgment

We would like to thank Ulf Harnhammar for disclosing those vulnerabilities
to the public.

5. References

http://marc.theaimsgroup.com/?l=full-disclosure&m=108345064008698&w=2
https://rhn.redhat.com/errata/RHSA-2004-179.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0235

6. Revision history

2004-05-02: Initial release
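Section 3 states that amavis 0.3.x, amavisd, amavisd-new and amavis-ng do not use the original (full path) member names when extracting, which is what takes the LHa directory traversal out of play. The Python below is an added example, not code from amavis or LHa: it shows the two defensive checks behind that statement, rejecting member names that would escape the extraction directory, and assigning generated names so the archive's own names are never trusted. The member names and the destination directory are constructed for illustration.

```python
import os
import posixpath

def is_traversal(member_name: str) -> bool:
    """True if a member name could escape the extraction dir: absolute path,
    drive prefix, or a '..' that survives normalisation ('ok/../f' is fine)."""
    name = member_name.replace("\\", "/")  # treat backslash as a separator too
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    return ".." in posixpath.normpath(name).split("/")

def safe_extract_path(dest_dir: str, member_name: str) -> str:
    """Absolute path a member would be written to; ValueError on a traversal name
    or if the resolved path lands outside dest_dir (catches symlinked parents)."""
    if is_traversal(member_name):
        raise ValueError(f"refusing traversal member name: {member_name!r}")
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"member escapes {base}: {member_name!r}")
    return target

def generated_name(index: int) -> str:
    """The stronger precaution from section 3: never use the archive's own member
    name at all; member N is written under an opaque generated name instead."""
    return f"p{index:03d}"

# Constructed sample member names, as an LHa listing might present them.
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "../../etc/passwd",
    "/etc/crontab",
    "a/../../b",
    "ok/../fine.txt",
]

def triage(members):
    """Map each member name to 'accept' or 'reject' under the traversal check."""
    return {m: ("reject" if is_traversal(m) else "accept") for m in members}

def extraction_plan(members):
    """Pair each member with the generated name it would actually be written under."""
    return [(m, generated_name(i)) for i, m in enumerate(members, start=1)]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_MEMBERS).items():
        print(f"{verdict:6} {name}")
    print(extraction_plan(SAMPLE_MEMBERS))
```

Note that the generated-name approach makes the name check redundant for the write path, but the check is still worth running to log and quarantine archives that carry traversal names.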