CVE-2020-3812: #961060 - qmail-verify: CVE-2020-3811 CVE-2020-3812
qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker’s home directory, without dropping its privileges first.
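The pattern described above next to a hardened form, as an added example (not code from netqmail, the Debian patch or the Qualys advisory). The function names exists_privileged and exists_as and the sample path are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE              /* for setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern described above: the check runs with whatever privileges the
 * process has. As root it answers for any path, including paths behind
 * directories the mailbox owner cannot search. */
static int exists_privileged(const char *path) {
    struct stat st;
    return stat(path, &st) == 0;
}

/* Hardened form: answer the question in a child that has permanently
 * become the mailbox owner. Returns 1 = visible to that user, 0 = missing
 * or not reachable, -1 = check could not run with the right identity. */
static int exists_as(uid_t uid, gid_t gid, const char *path) {
    if (geteuid() != 0 && uid != geteuid())
        return -1;                   /* cannot impersonate: refuse */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct stat st;
        if (geteuid() == 0 && uid != 0) {
            /* Order matters: supplementary groups, then gid, then uid. */
            if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
                _exit(2);
            if (setuid(0) == 0) _exit(2);   /* drop must be irreversible */
        }
        _exit(stat(path, &st) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 0 ? 1 : code == 1 ? 0 : -1;
}

int main(void) {
    const char *probe = "/tmp";      /* constructed sample path */
    printf("privileged check: %d\n", exists_privileged(probe));
    printf("as caller:        %d\n", exists_as(getuid(), getgid(), probe));
    return 0;
}
```

Run as root against a path inside a directory the target user cannot search, the two functions disagree; that disagreement is the information the privileged check discloses.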
Debian Bug report logs - #961060
qmail-verify: CVE-2020-3811 CVE-2020-3812
Reported by: Salvatore Bonaccorso [email protected]
Date: Tue, 19 May 2020 17:33:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in versions netqmail/1.06-6, netqmail/1.06-5, netqmail/1.06-6.1
Fixed in versions netqmail/1.06-6.2~deb10u1, netqmail/1.06-6.2, netqmail/1.06-6.2~deb9u1
Done: Salvatore Bonaccorso [email protected]
Bug is archived. No further changes may be made.
Report forwarded to [email protected], [email protected], [email protected], Gerrit Pape [email protected]:
Bug#961060; Package src:netqmail. (Tue, 19 May 2020 17:33:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso [email protected]:
New Bug report received and forwarded. Copy sent to [email protected], [email protected], Gerrit Pape [email protected]. (Tue, 19 May 2020 17:33:03 GMT)
Message #5 received at [email protected]:
Source: netqmail
Version: 1.06-6.1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.06-6
Control: found -1 1.06-5
Hi
See https://www.openwall.com/lists/oss-security/2020/05/19/8 for the Qualys advisory covering CVE-2020-3811 and CVE-2020-3812.
Regards, Salvatore
Marked as found in versions netqmail/1.06-6. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Tue, 19 May 2020 17:33:03 GMT)
Marked as found in versions netqmail/1.06-5. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Tue, 19 May 2020 17:33:04 GMT)
Information forwarded to [email protected], Gerrit Pape [email protected]:
Bug#961060; Package src:netqmail. (Wed, 20 May 2020 21:27:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso [email protected]:
Extra info received and forwarded to list. Copy sent to Gerrit Pape [email protected]. (Wed, 20 May 2020 21:27:04 GMT)
Message #14 received at [email protected]:
Control: tags -1 + patch
On Tue, May 19, 2020 at 07:30:53PM +0200, Salvatore Bonaccorso wrote:
> Source: netqmail
> Version: 1.06-6.1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 1.06-6
> Control: found -1 1.06-5
>
> Hi
>
> See https://www.openwall.com/lists/oss-security/2020/05/19/8 for the Qualys advisory covering CVE-2020-3811 and CVE-2020-3812.
debdiff based on the above attached.
Salvatore
[netqmail_1.06-6.2.debdiff (text/plain, attachment)]
Added tag(s) patch. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Wed, 20 May 2020 21:27:05 GMT)
Information forwarded to [email protected], Gerrit Pape [email protected]:
Bug#961060; Package src:netqmail. (Thu, 21 May 2020 09:03:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso [email protected]:
Extra info received and forwarded to list. Copy sent to Gerrit Pape [email protected]. (Thu, 21 May 2020 09:03:02 GMT)
Message #21 received at [email protected]:
Dear maintainer,
I’ve prepared an NMU for netqmail (versioned as 1.06-6.2). The diff is attached to this message. I did upload without delay as the versions are all the same basically in stretch and buster, apart from the two fixed bugs in 6.1 which would so help for the stretch and buster update.
We plan to release the DSA only in a few days after possibly someone using qmail could verify the correct functioning.
Regards, Salvatore
[netqmail-1.06-6.2-nmu.diff (text/x-diff, attachment)]
Reply sent to Salvatore Bonaccorso [email protected]:
You have taken responsibility. (Thu, 21 May 2020 09:24:03 GMT)
Notification sent to Salvatore Bonaccorso [email protected]:
Bug acknowledged by developer. (Thu, 21 May 2020 09:24:03 GMT)
Message #26 received at [email protected]:
Source: netqmail
Source-Version: 1.06-6.2
Done: Salvatore Bonaccorso [email protected]
We believe that the bug you reported is fixed in the latest version of netqmail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Salvatore Bonaccorso [email protected] (supplier of updated netqmail package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Wed, 20 May 2020 22:23:21 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape [email protected]
Changed-By: Salvatore Bonaccorso [email protected]
Closes: 961060
Changes:
 netqmail (1.06-6.2) unstable; urgency=high
 .
   * Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)
Marked as fixed in versions netqmail/1.06-6.2~deb10u1. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Sun, 24 May 2020 08:48:03 GMT)
Marked as fixed in versions netqmail/1.06-6.2~deb9u1. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Sun, 24 May 2020 08:48:04 GMT)
Message sent on to Salvatore Bonaccorso [email protected]:
Bug#961060. (Sun, 24 May 2020 08:48:09 GMT)
Message #33 received at [email protected]:
close 672155 1.06-6.2~deb10u1
close 866038 1.06-6.2~deb10u1
close 961060 1.06-6.2~deb10u1
close 672155 1.06-6.2~deb9u1
close 866038 1.06-6.2~deb9u1
close 961060 1.06-6.2~deb9u1
thanks
Reply sent to Salvatore Bonaccorso [email protected]:
You have taken responsibility. (Sat, 30 May 2020 15:21:06 GMT)
Notification sent to Salvatore Bonaccorso [email protected]:
Bug acknowledged by developer. (Sat, 30 May 2020 15:21:06 GMT)
Message #38 received at [email protected]:
Source: netqmail
Source-Version: 1.06-6.2~deb10u1
Done: Salvatore Bonaccorso [email protected]
We believe that the bug you reported is fixed in the latest version of netqmail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Salvatore Bonaccorso [email protected] (supplier of updated netqmail package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Thu, 21 May 2020 14:05:21 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Gerrit Pape [email protected]
Changed-By: Salvatore Bonaccorso [email protected]
Closes: 672155 866038 961060
Changes:
 netqmail (1.06-6.2~deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for buster-security
 .
 netqmail (1.06-6.2) unstable; urgency=high
 .
   * Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)
 .
 netqmail (1.06-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * [fdc8794a] Setup Gitlab continous integration
   * [73e52807] Fix quotation in postinst (Closes: #866038)
   * [2fc47776] Make package piupart-clean (Closes: #672155)
Reply sent to Salvatore Bonaccorso [email protected]:
You have taken responsibility. (Sat, 30 May 2020 17:51:10 GMT)
Notification sent to Salvatore Bonaccorso [email protected]:
Bug acknowledged by developer. (Sat, 30 May 2020 17:51:10 GMT)
Message #43 received at [email protected]:
Source: netqmail
Source-Version: 1.06-6.2~deb9u1
Done: Salvatore Bonaccorso [email protected]
We believe that the bug you reported is fixed in the latest version of netqmail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Salvatore Bonaccorso [email protected] (supplier of updated netqmail package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Thu, 21 May 2020 14:06:19 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2~deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape [email protected]
Changed-By: Salvatore Bonaccorso [email protected]
Closes: 672155 866038 961060
Changes:
 netqmail (1.06-6.2~deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for stretch-security
 .
 netqmail (1.06-6.2) unstable; urgency=high
 .
   * Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)
 .
 netqmail (1.06-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * [fdc8794a] Setup Gitlab continous integration
   * [73e52807] Fix quotation in postinst (Closes: #866038)
   * [2fc47776] Make package piupart-clean (Closes: #672155)
Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Sun, 02 Aug 2020 07:29:14 GMT)
Debian bug tracking system administrator <[email protected]>. Last modified: Thu Apr 28 19:36:30 2022; Machine Name: buxtehude