-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AMaViS Security Announcement

Date:                2006-12-08
Affected version(s): amavis, amavisd, amavisd-new, amavis-ng
Vulnerability:       Convert::UUlib 1.04 exploitable buffer overflow
Priority:            urgent
Solution:            update to Convert::UUlib 1.05 or later
References:          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349
Author:              Mark Martinec
                     Rainer Link
Advisory ID:         ASA-2006-1
Contact:             security@amavis.org
WWW:                 http://www.amavis.org/security/
- -----------------------------------------------------------------------------

0. Preface

   As amavisd-new (http://www.ijs.si/software/amavisd/) is currently the
   only maintained AMaViS branch, most of the following refers to
   amavisd-new.

1. Problem description

   A security issue in the BinHex parsing code of Convert::UUlib can lead
   to a heap overflow.

2. Impact

   An attacker can gain shell access to a remote system running a content
   filter which uses Convert::UUlib 1.04 or earlier.

3. Solution

   Update Convert::UUlib to 1.05 or later.

   * How to check which version is currently installed

     The following command writes the version of the module to stdout:

       perl -MConvert::UUlib -le 'print Convert::UUlib->VERSION'

     The command assumes there is only one version of Perl installed on
     the system. If this is not the case, make sure to invoke the same
     version of perl as is used by the content filter (e.g. see the first
     line of the file /usr/local/sbin/amavisd for the full path to perl).

   * Which systems are vulnerable

     Systems running amavisd-new-2.3.0 or later are NOT vulnerable,
     because amavisd refuses to start if the version of Convert::UUlib is
     older than 1.05.

     Systems running versions of amavisd-new older than 2.3.0 do not check
     the version of Convert::UUlib and may be vulnerable if administrators
     failed to upgrade Convert::UUlib to 1.05 or 1.06.

     The impact on vulnerable systems is possible execution of arbitrary
     code with the privileges of the process running amavisd, i.e. vscan
     or amavis. The impact is restricted to a chroot jail if amavisd is
     running chrooted.

     Similarly, other branches of AMaViS (amavis-perl, amavisd-snapshot,
     amavis-ng) may not check the version of Convert::UUlib and may fail
     to notice the vulnerability, so it is up to the mail administrator to
     check that the installed version of Convert::UUlib is not vulnerable.
     The same may apply to derivatives of amavisd-new with a branch point
     before amavisd-new-2.3.0.

4. Acknowledgement

   I must thank Jean-Sebastien Guay-Leroux for his security-related work
   and for providing valuable feedback to authors of software and to the
   public.

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349
   http://www.guay-leroux.com/projects.html
   http://www.guay-leroux.com/projects/barracuda-advisory-convert-uulib.txt
   http://www.ijs.si/software/amavisd/#sec
   http://www.amavis.org/security/

6. Background information

   In 2005-04 a bug was discovered in the uulib library as used by the
   Perl module Convert::UUlib version 1.04 or earlier. This is an integer
   overflow problem, leading to a buffer overflow.

   At the time it was not known whether the bug was exploitable;
   nevertheless, users have since been warned to use a newer version of
   Convert::UUlib - first 1.05, and later 1.06 when it became available
   by the end of 2005 (now at 1.08). The problem was discussed on the
   amavis-user mailing list, and a warning is posted on the amavisd-new
   web page and in the INSTALL document.

   On 2006-12-05 an advisory on the security implications of this bug was
   disclosed to the public, thanks to Jean-Sebastien Guay-Leroux, who
   demonstrated that the uulib bug is exploitable and can provide shell
   access (with the privileges of the process invoking uulib) to an
   attacker who can send a specially crafted e-mail to a mail decoding
   program.

   This may be a good opportunity to check other decoding and
   virus-checking components for known vulnerabilities. It is imperative
   that security-sensitive software is regularly updated, as new bugs are
   being found and fixed, and as the security implications of old bugs
   become better understood.

   Some more prominent components that are worth checking:

     Convert::UUlib  1.06 or later (currently at 1.08)
     Compress::Zlib  1.35 or later (currently at 2.003)
     Archive::Zip    1.14 or later (currently at 1.18)
     file(1) utility 4.06 or later (currently 4.19)
     MIME-Tools      5.420
     ClamAV          0.88.7 or later
     lha             1.14i with security patch, see:
                     http://marc.theaimsgroup.com/?l=bugtraq&m=108422737918885
     zoo             2.10pl1, see:
                     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0855
     unzoo           4.4-4
     nomarch         1.4
     arc             5.21o
     unarj           2.65
     arj             3.10.22
     rar             3.6.0
     unrar           2.65
     lzop            1.02rc1
     freeze          2.5
     tnef            1.4.3

   External decoders which are known to be old and cannot be upgraded may
   be disabled, either by removing them from the path so that amavisd-new
   won't find them on startup, or by modifying the array @decoders in
   amavisd.conf.

   When choosing an operating system and a distribution for new
   installations, it is worthwhile to choose a distribution that is agile,
   responds quickly to new threats and provides new versions of
   components on a reasonably timely basis. In the rapidly evolving field
   of computer security and spam protection, a passing year can be a long
   time!

7. Revision history

   2006-12-08: posting to amavis-user mailing list by Mark Martinec
   2007-02-08: re-release as official AMaViS Security Announcement for
               web page

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.14 (GNU/Linux)

iD8DBQFFy6AZmxoFTBO0QHkRAqpaAJoCbRfzuaAfjboIpajpx9K5QsiU+ACgkVVL
Ss4QnkFzfpUdbb7Rpou1rV4=
=CpiK
-----END PGP SIGNATURE-----
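
The version check from section 3, scripted so that it queries the perl named on the first line of the filter script rather than whichever perl is first in PATH. This is an added example, not part of the advisory or of amavisd-new; the function names and verdict strings are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory). Function names are illustrative.

# Print the perl path named on the "#!" line of the filter script ($1).
filter_perl() {
    first=
    read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in '#!'*) ;; *) return 1 ;; esac
    set -f; set -- ${first#??}; set +f      # split "#!/path/perl -T" into words
    case ${1##*/} in
        env) command -v "$2" ;;             # "#!/usr/bin/env perl" form
        '')  return 1 ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# True when decimal module version $1 is lower than $2 (e.g. 1.04 < 1.05).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 < b + 0) }'
}

# Map an installed version ($1) and a minimum ($2) to a verdict line.
classify_uulib() {
    if version_lt "$1" "$2"; then
        echo "VULNERABLE $1 (need >= $2)"
        return 1
    fi
    echo "OK $1"
}

# Query Convert::UUlib with the same perl that runs the filter, then classify.
check_uulib() {
    min=${2:-1.05}      # first fixed release according to the advisory
    perl_bin=$(filter_perl "$1") && [ -x "$perl_bin" ] ||
        { echo "UNKNOWN no-interpreter"; return 2; }
    ver=$("$perl_bin" -MConvert::UUlib -le 'print Convert::UUlib->VERSION' 2>/dev/null) &&
        [ -n "$ver" ] || { echo "UNKNOWN module-not-loadable"; return 2; }
    classify_uulib "$ver" "$min"
}

# Usage: sh check_uulib.sh /usr/local/sbin/amavisd
if [ $# -gt 0 ]; then check_uulib "$@"; fi
```

The exit status is 0 for a fixed version, 1 for a vulnerable one and 2 when the interpreter or module cannot be queried, so the script can gate a startup wrapper or a monitoring check.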