qmail vulnerabilities - Changes to libqmail, indimail-mta, indimail code

5 views

Skip to first unread message

Manvendra Bhangui

unread,

May 19, 2020, 10:29:09 PM5/19/20

to indimail

There's a security advisory just been released for qmail and qmail-verify. Although the main qmail exploit looks non-trivial, it's still of concern. The qmail-verify exploit doesn't apply to indimail, indimail-mta.

The good news is that the main exploit is mitigated wich changes to gen_alloc.h, gen_allocdefs.h, alloc.c in libqmail. They have been modified to fix the vulnerability.

Also the qmail-local exploit exploit is mitigated by the databytes limit feature in spawn-filter, which limits the size of mail delivery in qmail-local and qmail-remote. However, qmail-local has been modified to fix the possible vulnerability.

Here is the link to the advisory

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

To fix possible integer overflow and integer signedness error, changes have been made

libqmail

gen_alloc.h, gen_allocdefs.h, alloc.h, constmap.c, env.c, stralloc_catb.c, stralloc_opyb.c, stralloc_arts.c, substdo.c, substdio.c, stralloc_pend.c,

libqmail (https://github.com/mbhangui/libqmail-0.1),

indimail-mta

ofmipd.c, qmail-local.c, qmail-send.c, sendmail.c, qsmhook.c, quote.c, commands.c, qmail.c

indimail-mta (https://github.com/mbhangui/indimail-mta)

indimail - Recompilation for change in the header files gen_alloc.h, gen_allocdefs.h

indimail (https://github.com/mbhangui/indimail-virtualdomains)

The binaries and the docker images will be compiled and updated soon

--
Regards Manvendra - http://www.indimail.org
GPG Pub Key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC7CBC760014D250C

Reply all

Reply to author

Forward

0 new messages