ports/117796: [security update] mail/perdition to 1.17.1
Thomas Vogt
thomas at bsdunix.ch
Sat Nov 3 21:20:02 UTC 2007
>Number: 117796
>Category: ports
>Synopsis: [security update] mail/perdition to 1.17.1
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sat Nov 03 21:20:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Thomas Vogt
>Release: FreeBSD 7.0-BETA1 i386
>Organization:
>Environment:
System: FreeBSD bert.mlan.solnet.ch 7.0-BETA1 FreeBSD 7.0-BETA1 #8: Sat Oct 20 00:36:10 CEST 2007 root at bert.mlan.solnet.ch:/usr/obj/usr/src/sys/BERT i386
>Description:
Perdition IMAP is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication.
Vulnerable versions: Perdition <= 1.17
>How-To-Repeat:
Example: perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143
if you got NO error message you are vulnerable.
More information: http://www.sec-consult.com/300.html
>Fix:
Update to 1.17.1
diff -ruN perdition.orig/Makefile perdition/Makefile
--- perdition.orig/Makefile 2007-08-10 15:49:44.000000000 +0200
+++ perdition/Makefile 2007-11-02 23:11:43.000000000 +0100
@@ -6,7 +6,7 @@
#
PORTNAME= perdition
-PORTVERSION= 1.17
+PORTVERSION= 1.17.1
CATEGORIES= mail net security
MASTER_SITES= http://www.vergenet.net/linux/perdition/download/${PORTVERSION}/
@@ -31,7 +31,7 @@
MAKE_ENV+= DOCSDIR=${DOCSDIR}
CONFIGURE_ARGS+= --disable-daemon-map
-INSTALLS_SHLIB= yes
+USE_LDCONFIG= yes
##
## Available knobs:
@@ -122,7 +122,9 @@
.if defined(WITH_OPENLDAP)
USE_OPENLDAP= YES
-CONFIGURE_ARGS+= --enable-ldap --with-ldap-schema-directory=${LOCALBASE}/etc/openldap/schema/
+CONFIGURE_ARGS+= --enable-ldap \
+ --with-ldap-schema-directory=${LOCALBASE}/etc/openldap/schema/ \
+ --disable-ldap-doc
PLIST_SUB+= OPENLDAP=""
MAN8+= perditiondb_ldap_makedb.8
.else
diff -ruN perdition.orig/distinfo perdition/distinfo
--- perdition.orig/distinfo 2005-12-19 11:06:19.000000000 +0100
+++ perdition/distinfo 2007-11-02 15:36:44.000000000 +0100
@@ -1,3 +1,3 @@
-MD5 (perdition-1.17.tar.gz) = 6cef90e55bde9eb2d0a17acccb3516f3
-SHA256 (perdition-1.17.tar.gz) = 38f1bfe1cb7db8b16fc6a3febc293460b6a5ae49312c6a08b757c89b1ae73879
-SIZE (perdition-1.17.tar.gz) = 552149
+MD5 (perdition-1.17.1.tar.gz) = 5464c517f8be810519b6187b694c9d98
+SHA256 (perdition-1.17.1.tar.gz) = e2abd57aa76b106591056ef835e26816c71c3b39dc55bc3aeba6dfeefac7af26
+SIZE (perdition-1.17.1.tar.gz) = 638162
diff -ruN perdition.orig/pkg-plist perdition/pkg-plist
--- perdition.orig/pkg-plist 2004-06-02 10:11:06.000000000 +0200
+++ perdition/pkg-plist 2007-11-02 23:16:43.000000000 +0100
@@ -9,6 +9,7 @@
etc/perdition/popmap-dist
etc/perdition/Makefile.popmap-dist
etc/perdition/Makefile
+etc/pam.d/perdition
include/jain.h
lib/libjain.so.0
lib/libjain.so
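Review bot: `etc/pam.d/perdition` is added to the plist as a plain file, so a locally edited PAM service file would presumably be overwritten on upgrade and removed on deinstall. Since this file controls the authentication policy of a network-facing proxy, it should probably follow the sample convention already used a few lines up (`etc/perdition/popmap-dist`), e.g. `etc/pam.d/perdition-dist`, with the live file created only when absent. The entry is also unconditional; if PAM support is a build option in the port Makefile (not visible in this diff), it needs the matching `PLIST_SUB` prefix.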
These diffs are against the perdition source code and should go into ports/mail/perdition/files. They are NOT diffs against the old perdition/files/*
--- etc/Makefile.in.orig 2007-11-02 15:37:51.000000000 +0100
+++ etc/Makefile.in 2007-11-02 15:38:45.000000000 +0100
@@ -78,7 +78,7 @@
distclean-recursive maintainer-clean-recursive
ETAGS = etags
CTAGS = ctags
-DIST_SUBDIRS = perdition pam.d rc.d sysconfig
+DIST_SUBDIRS = perdition
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
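Review bot: Trimming only `DIST_SUBDIRS` likely does not stop `pam.d`, `rc.d` and `sysconfig` from being built or installed, because in automake output the install recursion walks `SUBDIRS`, while `DIST_SUBDIRS` drives the dist and distclean/maintainer-clean recursion. The `SUBDIRS` assignment lies outside this hunk, so it cannot be checked here; if the intent is to keep the rc.d and sysconfig files out of the package, that line needs the same edit. The pkg-plist change in this same submission adds `etc/pam.d/perdition`, so it should be made explicit whether that file comes from the upstream install or from the port itself.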
--- etc/perdition/Makefile.in.orig 2007-11-02 15:40:32.000000000 +0100
+++ etc/perdition/Makefile.in 2007-11-02 15:45:43.000000000 +0100
@@ -259,16 +259,16 @@
@list='$(perditionconf_DATA)'; for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
f=$(am__strip_dir) \
- echo " $(perditionconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(perditionconfdir)/$$f'"; \
- $(perditionconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(perditionconfdir)/$$f"; \
+ echo " $(perditionconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(perditionconfdir)/$$f-dist'"; \
+ $(perditionconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(perditionconfdir)/$$f-dist"; \
done
uninstall-perditionconfDATA:
@$(NORMAL_UNINSTALL)
@list='$(perditionconf_DATA)'; for p in $$list; do \
f=$(am__strip_dir) \
- echo " rm -f '$(DESTDIR)$(perditionconfdir)/$$f'"; \
- rm -f "$(DESTDIR)$(perditionconfdir)/$$f"; \
+ echo " rm -f '$(DESTDIR)$(perditionconfdir)/$$f-dist'"; \
+ rm -f "$(DESTDIR)$(perditionconfdir)/$$f-dist"; \
done
tags: TAGS
TAGS:
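Review bot: With the install target renamed to `$$f-dist`, nothing visible in this submission creates the live configuration file, so a fresh install would leave perdition without a config at the path it reads unless the port Makefile or a package script copies the sample into place. That step is not shown here and should be confirmed, ideally as a copy-if-absent so that an existing, locally tuned config is never replaced on upgrade. The same applies to the identical change in `perdition/db/posix_regex/Makefile.in` (the `install-confDATA` / `uninstall-confDATA` hunk). Both patches edit generated `Makefile.in` recipes whose bodies start above the hunk, so they will need re-rolling whenever upstream regenerates with a different automake.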
--- makebdb/Makefile.in.orig 2007-11-02 15:47:34.000000000 +0100
+++ makebdb/Makefile.in 2007-11-02 15:48:33.000000000 +0100
@@ -231,7 +231,7 @@
options.c \
options.h
-makebdb_LDADD = -L../libjain -L../libjain/.libs/ -ljain -ldb -lpopt \
+makebdb_LDADD = -L../libjain -L../libjain/.libs/ -ljain -ldb3 -lpopt \
@dmalloc_lib@
INCLUDES = -I$(top_srcdir)/libjain
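Review bot: Hard-coding `-ldb3` in `makebdb_LDADD` pins the link to one specific Berkeley DB library name, which ties a network-facing daemon to whichever db3 package is installed and breaks the build where only a newer Berkeley DB is present. If the port Makefile (not fully visible here) selects Berkeley DB through the ports framework, the library name should come from that selection, for example passed in through `CONFIGURE_ENV` or `LDFLAGS`, rather than being patched in literally. The same literal appears in the `perdition/db/bdb/Makefile.in` hunk (`libperditiondb_bdb_la_LIBADD = -ldb3`), and the two should at least be kept in step.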
--- perdition/Makefile.in.orig Tue Dec 6 16:08:58 2005
+++ perdition/Makefile.in Tue Dec 6 16:09:36 2005
@@ -560,8 +560,6 @@
for i in pop3 pop3s imap4 imap4s imaps; do \
(cd $(DESTDIR)$(sbindir) && rm -f perdition.$$i && \
ln -sf perdition perdition.$$i); \
- (cd $(DESTDIR)$(mandir)/man8 && rm -f perdition.$$i && \
- ln -sf perdition.8 perdition.$$i.8); \
done
uninstall-local:
--- perdition/db/bdb/Makefile.in.orig 2007-11-02 15:49:39.000000000 +0100
+++ perdition/db/bdb/Makefile.in 2007-11-02 15:50:20.000000000 +0100
@@ -235,7 +235,7 @@
perditiondb_bdb.h
libperditiondb_bdb_la_LDFLAGS = -version-info 0:0:0
-libperditiondb_bdb_la_LIBADD = -ldb
+libperditiondb_bdb_la_LIBADD = -ldb3
INCLUDES = \
-I$(top_srcdir)/ \
-I$(top_srcdir)/perdition \
--- perdition/db/posix_regex/Makefile.in.orig 2007-11-02 15:53:56.000000000 +0100
+++ perdition/db/posix_regex/Makefile.in 2007-11-02 15:55:31.000000000 +0100
@@ -355,16 +355,16 @@
@list='$(conf_DATA)'; for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
f=$(am__strip_dir) \
- echo " $(confDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(confdir)/$$f'"; \
- $(confDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(confdir)/$$f"; \
+ echo " $(confDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(confdir)/$$f-dist'"; \
+ $(confDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(confdir)/$$f-dist"; \
done
uninstall-confDATA:
@$(NORMAL_UNINSTALL)
@list='$(conf_DATA)'; for p in $$list; do \
f=$(am__strip_dir) \
- echo " rm -f '$(DESTDIR)$(confdir)/$$f'"; \
- rm -f "$(DESTDIR)$(confdir)/$$f"; \
+ echo " rm -f '$(DESTDIR)$(confdir)/$$f-dist'"; \
+ rm -f "$(DESTDIR)$(confdir)/$$f-dist"; \
done
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
Please delete these patches in /files:
patch-perdition::db::daemon::Makefile.in (not necessary anymore)
patch-perdition::Makefile.in (replaced by new patch-perdition-Makefile.in)
patch-perdition-db-ldap-perditiondb_ldap (not necessary anymore)
>Release-Note:
>Audit-Trail:
>Unformatted: