Hypermail Security Fixes

---------

From: Peter C. McCluskey (pcm@rahul.net)
Date: Thu Feb 27 2003 - 12:00:47 CST


 Version 2.1.7 is now available on Sourceforge:
http://prdownloads.sourceforge.net/hypermail/hypermail-2.1.7.tar.gz

SUMMARY:

 It should be understood that no known exploits exist at present for
the security issues listed below. This proactive review of the code
was undertaken to better secure hypermail. It is unclear whether any
of these issues were exploitable on a typical installation.

Problems in utility programs other than the main Hypermail binary:

  Temp file race conditions were possible in msg2archive.c and in
mbox2hypermail.c (in the archive directory). They have been corrected.

 popen was used in the mail utility and in the archive/msg2archive utility.

msg2archive usage: The 'msg2archive' utility can be useful for archiving
    mail into mailboxes as well as for calling hypermail. To be exploited,
    the administrator would have had to install it with special privileges
    (such as setuid), which has never been needed or suggested. The level
    of potential exposure is low. Nevertheless, the utility has been
    modified to better protect against abuse.

Mail usage: The 'mail' utility was not installed by default and has not
    been for the last two years. In any case, the hypermail development
    team has determined that the 'mail' utility is a historic relic and
    will not be supplied in future versions. Its functionality has been
    replaced with a warning that anyone using it should remove it immediately.

Security-related changes to the main Hypermail program:

 Fixed a possible buffer overflow with long filenames in uuencoded attachments.
This appears to have been a risk only on systems where MAXPATHLEN or PATH_MAX
was defined in system headers to be less than 1024.

 Disabled conversion of file:// URLs into hrefs: it appeared to allow anyone
who could access the web server via localhost to read any file that the
web server had permission to read, rather than just files in the archive
directory.

 Fixed or replaced various code paths that did no bounds checking, to
avoid possible code execution or denial-of-service conditions.

 Replaced sprintfs with snprintfs to do bounds checking in places where it
was hard to tell whether buffer overflows were possible.
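As an added illustration of the two fixes above (the long-filename overflow in uuencoded attachments and the move from sprintf to snprintf), and not Hypermail's own code: a bounded parser for the uuencode "begin" line. UU_NAME_MAX is a hypothetical stand-in for the PATH_MAX-sized buffer, deliberately small so the refusal path is exercised.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for this added example (not Hypermail's own
 * constant): kept small so the bounded copy below visibly refuses a
 * filename that does not fit, the situation the announcement describes
 * for systems where PATH_MAX was defined below 1024. */
#define UU_NAME_MAX 64

/* Extract the filename from a uuencode "begin <mode> <filename>" line into
 * a fixed-size buffer. Returns 1 on success and 0 if the line is not a
 * begin line or the name does not fit; never writes past name[name_len-1].
 * A plain sprintf(name, "%s", p) here would be the unbounded copy that
 * the 2.1.7 release replaced with snprintf. */
int uu_begin_filename(const char *line, char *name, size_t name_len)
{
    const char *p, *q;
    size_t len;
    int n;

    if (name_len == 0 || strncmp(line, "begin ", 6) != 0)
        return 0;
    p = line + 6;
    for (q = p; *q >= '0' && *q <= '7'; q++)   /* octal mode, e.g. 644 */
        ;
    if (q == p || *q != ' ')
        return 0;
    p = q + 1;
    len = strcspn(p, "\r\n");                 /* name runs to end of line */
    /* snprintf reports the length it wanted to write; >= name_len means
     * truncation, which is treated as a rejected attachment name. */
    n = snprintf(name, name_len, "%.*s", (int)len, p);
    if (n < 0 || (size_t)n >= name_len) {
        name[0] = '\0';
        return 0;
    }
    return 1;
}

/* Constructed sample: a begin line carrying a filename of ~300 characters. */
int uu_demo_long_name(void)
{
    char line[320], name[UU_NAME_MAX];
    memset(line, 'A', sizeof line);
    memcpy(line, "begin 644 ", 10);
    line[sizeof line - 2] = '\n';
    line[sizeof line - 1] = '\0';
    return uu_begin_filename(line, name, sizeof name);   /* 0: refused */
}
```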

 Limited the length of "Subject" and similar headers to avoid denial-of-service
attacks when allocating memory for them.

Changes unrelated to security:

 Fixed decoding of non-ASCII headers.
 Fixed the append option (it was discarding some lines).
 Fixed random core dumps with the files_by_thread option.
 Fixed compile problems on SunOS and on Alpha running Tru64.
See the Changelog for further details.

 The Hypermail Development Team would like to greatly thank
Thomas Biege <thomas@suse.de> for assisting us with this
review.

-- 
------------------------------------------------------------------------------
Peter McCluskey          | 
http://www.rahul.net/pcm | 

---------

This archive was generated by hypermail pre-2.1.7.