From: Rainer L. <li...@su...> - 2000-12-11 21:04:46

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AMaViS Security Announcement

Date:                   12/11/2000
affected version(s):    AMaViS-Perl below AMaViS-Perl-10
Vulnerability Type:     script viruses (i.e. vbs worms) may not be detected
Priority:               urgent
Solution:               upgrade to AMaViS-Perl-10
Author:                 Lars Hecking <lhe...@nm...>
                        Rainer Link <li...@su...>
Advisory ID:            ASA-2000-5
- ---------------------------------------------------------------------------

1. Problem description

AMaViS-Perl uses a Perl module to decode (uudecode/xxdecode or binhex)
every file which is recognised by file(1) as ASCII, text, uuencode,
xxencode or binhex. If a (ASCII, text) file is _not_ encoded, the
resulting file is zero bytes long and the original file will be deleted
as usual as AMaViS-Perl fails to detect this error case. Therefore the
virus itself will be deleted.

2. Impact

Obvious. This bug can let script viruses go undetected.

3. Solution

Upgrade to AMaViS-Perl-10.

4. Acknowledgement

This bug was discovered accidentally by Lars Hecking.

5. References

https://sourceforge.net/projects/amavis/
http://www.amavis.org/

6.
Revision History 12/11/2000: initial release =========================================================================== - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDjaUVwRBACPlluFzjLsjxV4ynz41Zk1S2GLF1/U3xE2HNcfk+a2Ij6sH64O yPtBR9WX9x/QW3g9LnW86DHWgnh408D7jtd4/imJDyiNGqMregmkDjEWa6TIsXwB RlG/DRpFbfwc4yRqQPklcgCIH/KlxgkJ1QTezpltRiQBfpWZKOrA1tLGGwCgw4/o pU+RdnilbrDc6MZx7WQkzKED+QEUt4/++VyvPZjQCOmxFk4GpQZNP99D40eJFwyx JkRGVl4f1wAgi0Q3NSSJyl1j9qGxz0c8DmR1F0yJtyg8+fqpKomtg+lHasvELom4 g0cGjnjtwx7sgtga4BIxUUpWTZLkMftWQigWgwWp3e5b6RCfHTUxuOUtgBBmjQB8 x04ABACNTYjjBcUKJYzp3Hx8wz39MVznYl8KXuXHIGY0ccbPmv3J6zjXvSr4++AZ +U1qUSGJUyW0xpSWnsxHRI/qkiI5KPNbLYPFMbYjLHH2H5grjdnw7X71NAEW13Mv 0V9Fgs1mn93BkVn8V+U8vGPcgwTegcEWCe6V06HZD6Ep46W7drQnUmFpbmVyIEhl cm1hbm4gTGluayA8UmFpbmVyTGlua0BnbXguZGU+iFYEExECABYFAjjaUVwECwoE AwMVAwIDFgIBAheAAAoJEJsaBUwTtEB5iDoAoI+nE3VeD0gGtuaTHhLmKPA7rfmJ AKCf+H996kGJ65ZmqWsTrV2iuyqniIkBIgQQAQEADAUCONuGTwUDAeEzgAAKCRCX VPlSyTX7PUP3CACZG7hK9GMg7gL2pWs6ZEPC+ANUGh3KL5F/cYjngQJf+YABXvJ/ g8Up0voHooSq+lGQMxPZjK2sxLF/aOkmRW+r/uC1pxwbAOLgRRC/X33CVA+XhJ0r UvYJGHUjDRoe690vWkxyDDCVGVlsD3+5w7Ljsq0hoiRFF+32HyJzHY1bcC3d+W5V IPBze9bJvcDspJbCOXVc87d2tOfYR85mdOcsotNhAZJWtZvBkhj9xvxlu8BrAOUe e+1ZbeMNlrDnmMGMYc2kF4gSbAHfmYR9Zepng60s5rWktEUzlJoUDRPKI2FmNT3E K9dycZXhsdcDUnzAimm4MrvEn2pexSC2rE4NtCJSYWluZXIgSGVybWFubiBMaW5r IDxsaW5rQHN1c2UuZGU+iFUEExECABYFAjlosj0ECwoEAwMVAwIDFgIBAheAAAoJ EJsaBUwTtEB5yj0AniSu6k2wR6LF122b5aUVUwhXoHtlAJdMS/Gijbx8m4MI9thX qXp5azRNtClSYWluZXIgSGVybWFubiBMaW5rIDxSYWluZXIuTGlua0BzdXNlLmRl PohWBBMRAgAWBQI5aLJjBAsKBAMDFQMCAxYCAQIXgAAKCRCbGgVME7RAeWHEAJ45 eGd260EM04tUuIhh2fxI0RyhPwCfVU8nrwC7pbwj7Dsa07fvwE0soYW5Ag0EONpS FBAIAJoCSZEyxdupx95EPn8XPGV7ugg+5BMIDTA6J30HD78RQQkDQCBMTDLCcMpz uukxXByAUMUNpf8RlZEN9U582BjdPYNYRa4VP5QJbvpjC08YeWQs+sD3n0HT/ArL FGlC+rSf1vJoaKI2ggTlRV1L04yEhCEH9zQDPKjFH4aIci2IghOJB/xZaRF69khN IlifD8SglIQ9FcEhc5+sUIZdeu/+XVlgwgBc4XF7+W40PNZ4uXMhElbzGP5jqTdo 
nFS+AlV/OsElQ+ma4atZicfVjRaVTxovAl91ZeVr5v7XGvpvh3rmtOyP/pVYf4ii 5Y6nu8OFXGo4Bsx3FqSZkQ2jh3cAAwUIAICCSuAuPCYaKYA168gNDZjsadQNhCpw 2o7zsKpSmQ6hxd4aRQ1TO631nNDx2D+/ffk7ET5VT3n4gezUn2ITZHdrTk1GUpLR 3czoMZIBL6Eit9mEmRe1XZ/3Q5lEUZHm8wEqqIZPPVhxZAFXDBucQlPO1lFKd8rM UC+3+oU7RF9PpwzdQ+d/iMGmFMKXTH7o2qRV64cVMkWuMpMQARfA+i3YGPqqZfIb dlMHXJ0oA32+eTUqOTtucD64XvcYSUQQ1tsHeijvrHq71zLfL6t1Dhwt+JDRMz3S fDggxQs2oaB9Y+rxfbX7ajcHl0rc67sTTC+wDXIq+25FhnYPu+NV6kmIRgQYEQIA BgUCONpSFAAKCRCbGgVME7RAeTYdAKCifLnHBBVPhcSRRffljCryGujZJQCfYcrQ VrZ22GYrSJJn3sNjQKAHd3w= =Fsd9 - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQE6NTs/mxoFTBO0QHkRAqRpAJ9MlL/MYBXBoHQ7zMgGc57BVTNdGQCgoKed EuhcY4RJI8U7AEG9IXem77k= =UWlO -----END PGP SIGNATURE----- -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) |
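The failure mode in ASA-2000-5, as an added example in Python (not AMaViS-Perl code): a decode step that replaces the original file only when the decoder actually produced output, so a plain-text file that file(1) mislabels as uuencoded still reaches the virus scanner instead of being deleted. The helper names (`uuencode`, `uudecode_text`, `decode_or_keep`) and the sample inputs are constructed for this illustration.

```python
import binascii

# Added example, not AMaViS-Perl code. Sample inputs are constructed.


def uuencode(data: bytes, name: str = "payload.bin") -> str:
    """Classic uuencode framing (begin/end) around the given bytes."""
    lines = ["begin 644 " + name]
    for i in range(0, len(data), 45):                     # 45 raw bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")                                     # zero-length terminator line
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode_text(text: str) -> bytes:
    """Decode the first begin/end block in text.

    Text without any uuencode framing decodes to b'', which is exactly the
    case the advisory describes: file(1) labels an ordinary text file as
    something the scanner thinks it should decode.
    """
    out = bytearray()
    inside = False
    for line in text.splitlines():
        if not inside:
            inside = line.startswith("begin ")
            continue
        if line == "end":
            break
        if line.strip():                                  # blank lines carry no data
            out += binascii.a2b_uu(line)
    return bytes(out)


def decode_or_keep(original: bytes) -> tuple[bytes, str]:
    """Return (bytes to hand to the virus scanner, what was done).

    The vulnerable sequence was: decode, delete the original, scan the
    result, so an empty decode deleted the only copy of the content.
    Here the original is replaced only when decoding produced bytes; an
    empty or failed decode keeps the original for scanning.
    """
    try:
        decoded = uudecode_text(original.decode("latin-1"))
    except binascii.Error:                                # malformed line inside a block
        decoded = b""
    if not decoded:
        return original, "kept-original"
    return decoded, "decoded"


if __name__ == "__main__":
    encoded = uuencode(b"binary attachment\x00\x01").encode("ascii")
    print(decode_or_keep(encoded))
    # Looks like ASCII text to file(1) but is not encoded at all:
    print(decode_or_keep(b"MsgBox \"plain script text, not uuencoded\"\n"))
```

The same rule applies to any decoder in the chain (xxdecode, binhex): treat "decoded to nothing" as an error that keeps the input, never as a successful result that licenses deleting it.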
From: Lars H. <lhe...@us...> - 2000-12-05 13:29:32

Piotr Kasztelowicz writes:

[...]
> checking if tar removes leading / from archive... no
> configure: error: your 'tar' does NOT remove leading / from pathnames!
>
> I use Solaris 2.6.
>
> Please answer on priva and help if possible

This is not a bug in amavis! Solaris tar doesn't remove leading slashes
from pathnames. Imagine someone emailed you an archive of /etc with all
files truncated to zero, you run scanmails as root, and Solaris tar
unpacks a bunch of empty files into /etc. Bummer.

You're better off installing GNU tar. No matter whether it's in $PATH
before or after /bin/tar, configure will use it if installed as gtar.
From: Piotr K. <pe...@lo...> - 2000-12-04 22:45:38

Hello

Please help me with configure. After command:

  ./configure --enable-qmail

such error has been reported

checking *** Kaspersky Lab AVPDaemon ***
checking for AvpDaemon... no
configure: warning: ************************************************************
configure: warning: *** Kaspersky Lab AVPDaemon NOT found ***
configure: warning: *** but that's ok ***
configure: warning: ************************************************************
checking *** Kaspersky AVPDaemonClient ***
checking for AvpDaemonClient... no
configure: warning: ************************************************************
configure: warning: *** Kaspersky Lab AVPDaemonClient NOT found ***
configure: warning: *** but that's ok ***
configure: warning: ************************************************************
checking *** Kaspersky AVPDaemonClient ***
checking for AvpDaemonTst... no
configure: warning: ************************************************************
configure: warning: *** Kaspersky Lab AVPDaemonTst NOT found ***
configure: warning: *** but that's ok ***
configure: warning: ************************************************************
checking *** DataFellows F-Secure AntiVirus ***
checking for fsav... no
configure: warning: ************************************************************
configure: warning: *** DataFellows F-Secure AntiVirus NOT found ***
configure: warning: *** but that's ok ***
configure: warning: ************************************************************
checking *** Trend Micro FileScanner ***
checking for vscan... no
configure: warning: ************************************************************
configure: warning: *** Trend Micro FileScanner NOT found ***
configure: warning: *** but that's ok ***
configure: warning: ************************************************************
checking *** CyberSoft vfind ***
checking for vfind... no
configure: warning: ************************************************************
configure: warning: *** CyberSoft vfind NOT found ***
configure: warning: *** but that's ok ***
configure: warning: ************************************************************
checking *** CAI InoculateIT Inocucmd command line utility 4.0 ***
checking for inocucmd... /usr/local/inoculateit/inocucmd
checking if any virusscanners have been installed at all... yes
checking if tar removes leading / from archive... no
configure: error: your 'tar' does NOT remove leading / from pathnames!

I use Solaris 2.6.

Please answer on priva and help if possible

-- 
Piotr Kasztelowicz <Pio...@lo...>
[http://www.am.torun.pl/~pekasz]
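Both Piotr's configure error and Lars's reply above turn on whether tar strips a leading slash before unpacking. As an added example, not AMaViS code, the check below inspects an archive's member names and link targets in Python before anything is extracted, so the decision no longer depends on which tar binary configure happened to find; the in-memory archive and the function names are constructed for this illustration.

```python
import io
import posixpath
import tarfile

# Added example, not AMaViS code. The archive is constructed in memory.


def unsafe_members(tar: tarfile.TarFile) -> list[str]:
    """Names of members that would land outside the unpack directory.

    Rejected: absolute paths (what Solaris tar preserves and GNU tar strips),
    any '..' component after normalisation, and symlinks/hardlinks whose
    target is absolute or climbs upward.
    """
    bad = []
    for m in tar.getmembers():
        parts = posixpath.normpath(m.name).split("/")
        if m.name.startswith("/") or ".." in parts:
            bad.append(m.name)
            continue
        if m.issym() or m.islnk():
            target_parts = posixpath.normpath(m.linkname).split("/")
            if m.linkname.startswith("/") or ".." in target_parts:
                bad.append(m.name)
    return bad


def check_archive(data: bytes) -> list[str]:
    """Open an archive from bytes and return the member names that fail."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return unsafe_members(tar)


def build_sample_tar() -> bytes:
    """Constructed archive: one harmless member, an absolute path like the
    /etc example in the reply, a '..' traversal, and a symlink to /tmp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("attachment.txt", "/etc/hosts", "../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
        link = tarfile.TarInfo("link-out")
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    rejected = check_archive(build_sample_tar())
    print("refusing to unpack, offending members:" if rejected else "safe", rejected)
```

Running the check as the unprivileged scanning user is still the stronger control; the inspection is the belt to that pair of braces, and it costs one pass over the headers.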
From: Rainer L. <li...@su...> - 2000-11-17 19:14:07

On Thu, 16 Nov 2000, Viraj Alankar wrote:

> BTW, regarding the other ownership problem I had, I tried on a different
> RH 6.2 box with Sendmail/Procmail and noticed the same UID problem. The
> extracted files are owned by root, and I have to change the permissions to
> 755. Also when viruses are found they are always copied to
> /var/virusmails/root instead of the username. Any ideas?

Hmm, seems to be a "problem" with RH 6.2 :) scanmails seems to be run as
root. Well, can you show me your Mlocal entry in sendmail.cf ?

best regards,
Rainer Link

-- 
Rainer Link    | SuSE - The Linux Experts
li...@su...   | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de    | Founder OpenAntiVirus Project (www.openantivirus.org)
From: Rainer L. <li...@su...> - 2000-11-17 17:59:21

On Thu, 16 Nov 2000, Viraj Alankar wrote:

> BTW, regarding the other ownership problem I had, I tried on a different
> RH 6.2 box with Sendmail/Procmail and noticed the same UID problem. The
> extracted files are owned by root, and I have to change the permissions to
> 755. Also when viruses are found they are always copied to
> /var/virusmails/root instead of the username. Any ideas?

Seems scanmails is not run under the local user id, but always under uid
root. Depends on your sendmail.cf, i.e. RunAs, DefaultUser and Mlocal
(esp. the F= stuff) settings.

best regards,
Rainer Link

-- 
Rainer Link    | SuSE - The Linux Experts
li...@su...   | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de    | Founder OpenAntiVirus Project (www.openantivirus.org)
From: Viraj A. <val...@if...> - 2000-11-17 15:00:56

On Thu, 16 Nov 2000, Rainer Link wrote:

> On Thu, 16 Nov 2000, Viraj Alankar wrote:
>
> > Looking at the man page for McAfee v4.1.0 for Linux, the return values
> > seem to have changed. Currently Amavis v0.2.1 assumes the following return
> > values are valid and anything else to be an internal error:
> >
> > 0
> > 10
> > 13
>
> Correct, yes.
>
> > But from uvscan man page there is also:
> >
> > 12 The scanner tried to clean a file,
> >    and that clean failed for some reason
> >    and the file is still infected.
>
> Hmm, did you get this return value in some cases? uvscan should not try to
> clean (automatically) an infected file. The man page says the -c / --clean
> is by default off. So uvscan should never return this value when used with
> AMaViS.

No I never got the return value. I see now that it should never return this
value, my mistake.

BTW, regarding the other ownership problem I had, I tried on a different
RH 6.2 box with Sendmail/Procmail and noticed the same UID problem. The
extracted files are owned by root, and I have to change the permissions to
755. Also when viruses are found they are always copied to
/var/virusmails/root instead of the username. Any ideas?

Thanks,
Viraj.
From: Rainer L. <li...@su...> - 2000-11-16 20:33:21

On Thu, 16 Nov 2000, Viraj Alankar wrote:

> Looking at the man page for McAfee v4.1.0 for Linux, the return values
> seem to have changed. Currently Amavis v0.2.1 assumes the following return
> values are valid and anything else to be an internal error:
>
> 0
> 10
> 13

Correct, yes.

> But from uvscan man page there is also:
>
> 12 The scanner tried to clean a file,
>    and that clean failed for some reason
>    and the file is still infected.

Hmm, did you get this return value in some cases? uvscan should not try to
clean (automatically) an infected file. The man page says the -c / --clean
is by default off. So uvscan should never return this value when used with
AMaViS.

Btw, you're correct. The man page does not show return code 10 any more.

best regards,
Rainer Link

-- 
Rainer Link    | SuSE - The Linux Experts
li...@su...   | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de    | Founder OpenAntiVirus Project (www.openantivirus.org)
From: Viraj A. <val...@if...> - 2000-11-16 19:56:25

Looking at the man page for McAfee v4.1.0 for Linux, the return values
seem to have changed. Currently Amavis v0.2.1 assumes the following return
values are valid and anything else to be an internal error:

0
10
13

But from uvscan man page there is also:

12 The scanner tried to clean a file,
   and that clean failed for some reason
   and the file is still infected.

Since this would be an internal error, mail would still be sent. I think we
would want to block these messages. Also return code 10 is no longer in the
manual. I've made the following changes to scanmails in our setup around
line 968:

  scanstatus5=$?
  if ${test} ${scanstatus5} -ne 0 -a ${scanstatus5} -ne 10 -a ${scanstatus5} -ne 13 -a ${scanstatus5} -ne 12
  then
    internal_error=1
  fi

And also added the following around line 1215:

  ... -o ${scanstatus5} -eq 12 \
  ...

I hope that's all that was needed. Let me know if I'm interpreting this
incorrectly.

BTW, thanks for such a great (and simple) program. It has already saved us
from many headaches. I want to also note that I have evaluated other
commercial Email gateway solutions for Linux (who shall remain nameless),
many of which would simply crash when receiving certain attachments.
Waiting for support on this software is ridiculous. At least with open
software I can try fixing the problems myself.

Thanks again.

Viraj.
From: Viraj A. <val...@if...> - 2000-11-15 14:44:20

I noticed a strange thing with McAfee uvscan on Linux v4.10.0

By default it seems to be scanning the boot records of all drives, contrary
to what it says in the manual as this option defaulting to off. When
executing uvscan with all of the options that Amavis v0.2.1 is sending, I
was getting some cdrom seek errors in my messages file (don't ask me why
it's trying to scan a CDROM!):

Nov 15 09:23:28 mail kernel: hdc: packet command error: status=0x51 { DriveReady SeekComplete Error }
Nov 15 09:23:28 mail kernel: hdc: packet command error: error=0x54
Nov 15 09:23:29 mail kernel: ATAPI device hdc:
Nov 15 09:23:29 mail kernel:   Error: Illegal request -- (Sense key=0x05)
Nov 15 09:23:29 mail kernel:   Invalid field in command packet -- (asc=0x24, ascq=0x00)
Nov 15 09:23:29 mail kernel:   The failed "Start/Stop Unit" packet command was:
Nov 15 09:23:29 mail kernel:   "1b 00 00 00 03 00 00 00 00 00 00 00 "
Nov 15 09:23:29 mail kernel: cdrom: open failed.

By adding the --noboot option to uvscan, it stopped doing this. I changed
the corresponding line in scanmails to:

uvscan4_cmdl="--secure -rv --summary --noboot"

And everything seems ok now.

Viraj.
From: Viraj A. <val...@if...> - 2000-11-13 03:59:33

Hello,

I'm using amavis-0.2.1 with McAfee 4.07 on Redhat 6.1. When attachments are
extracted they always are owned by root. The 'chmod 700' in scanmails
causes uvscan to fail scanning (it says it cannot see the directory). The
userid of the scanmail process is the user who the mail is being delivered
to, however the euid is root. When I change the 'chmod 700' to 'chmod 755'
it works.

Any help appreciated.

Viraj.
From: Juergen Q. <qu...@fh...> - 2000-11-11 08:45:16

> Hello!
>
> We have a problem with zipsecure, which is used by AMaVis V2.1. We have
> a self extracting archive - bob.exe. This archive contains the library
> "zlib.dll". If zipsecure comes to this file, it is getting into an
> endless loop while using a lot of CPU-time doing not much.
>
> If I compile zipsecure in debug-mode I get the following output:
>
> ># zipsecure < zlib.dll > /dev/null
> >Little Endian
> >Magic at offset 0x820e -
> >CentralDir: Offset=1944605008 (73e85150) - 1944605008 (73e85150)
> >changing "üÿÿf?ÀtfËÿ<E" to "y26335.0"
> >> here i have to break the execution....
>
> It seems that the program tries to rename a non existing file. I have
> made the following change in the function "LoadCentralDirEntry" as a
> quick workaround for our company:
>
> ># diff zipsecure.c.BAK zipsecure.c
> >281c281
> >< for( ToCopy=SWAPSHORT(Header->ExtraFieldLength); ToCopy; ToCopy-=i ) {
> >---
> >> for( ToCopy=SWAPSHORT(Header->ExtraFieldLength); ToCopy && ! feof(fpin); ToCopy-=i ) {
>
> Can someone bring this workaround into a well working patch for
> zipsecure V1.5?

The problem will be fixed in the upcoming V2.0.

Thanks a lot!!!

Juergen Quade.

> Thanx
>
> Alex Spannagel
>
> --
> * Alexander Spannagel * Networkadministrator *
>   mailto:spa...@jo... *
> * Jobs & Adverts AG * www.jobpilot.de * www.jobpilot.com *
> * Europe's career market on the Internet *
> * Siemensstrasse 15-17 * D-61352 Bad Homburg * Germany
> * fon: + 49.6172.919-401 * fax: + 49.6172.919-540
> * Frankfurt * Zuerich * Wien * Paris * Goeteborg
> * Warschau * Barcelona * Prag * Mailand * London
> * Oslo * Amsterdam * Bruessel * Budapest * Kopenhagen
> * Bangkok * Singapur * Kuala Lumpur
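Review bot: the `! feof(fpin)` guard added on line 281 only becomes true after a read has already come up short, so the loop still runs one more iteration on a truncated extra field and, if the read that sets `i` (not shown in the hunk) returns 0 on an I/O error rather than at end of file, `ToCopy-=i` never changes and the loop keeps going; test the read's return value inside the loop and break when it is 0 (covers both EOF and ferror()), and reject the entry before the loop if `SWAPSHORT(Header->ExtraFieldLength)` exceeds the bytes remaining in the central directory. The debug output quoted above also points at the root cause: the "Magic at offset 0x820e" match inside zlib.dll yields a CentralDir offset of 1944605008, far past the end of the input, so checking that offset against the file size up front would reject the false signature instead of relying on feof() to end the loop.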
From: Alexander S. <spa...@jo...> - 2000-11-08 19:19:44

Hello!

We have a problem with zipsecure, which is used by AMaVis V2.1. We have
a self extracting archive - bob.exe. This archive contains the library
"zlib.dll". If zipsecure comes to this file, it is getting into an
endless loop while using a lot of CPU-time doing not much.

If I compile zipsecure in debug-mode I get the following output:

># zipsecure < zlib.dll > /dev/null
>Little Endian
>Magic at offset 0x820e -
>CentralDir: Offset=1944605008 (73e85150) - 1944605008 (73e85150)
>changing "üÿÿf?ÀtfËÿ<E" to "y26335.0"
>> here i have to break the execution....

It seems that the program tries to rename a non existing file. I have
made the following change in the function "LoadCentralDirEntry" as a
quick workaround for our company:

># diff zipsecure.c.BAK zipsecure.c
>281c281
>< for( ToCopy=SWAPSHORT(Header->ExtraFieldLength); ToCopy; ToCopy-=i ) {
>---
>> for( ToCopy=SWAPSHORT(Header->ExtraFieldLength); ToCopy && ! feof(fpin); ToCopy-=i ) {

Can someone bring this workaround into a well working patch for
zipsecure V1.5?

Thanx

Alex Spannagel

-- 
* Alexander Spannagel * Networkadministrator *
  mailto:spa...@jo... *
* Jobs & Adverts AG * www.jobpilot.de * www.jobpilot.com *
* Europe's career market on the Internet *
* Siemensstrasse 15-17 * D-61352 Bad Homburg * Germany
* fon: + 49.6172.919-401 * fax: + 49.6172.919-540
* Frankfurt * Zuerich * Wien * Paris * Goeteborg
* Warschau * Barcelona * Prag * Mailand * London
* Oslo * Amsterdam * Bruessel * Budapest * Kopenhagen
* Bangkok * Singapur * Kuala Lumpur
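The debug output above (a "Magic" match inside zlib.dll that yields a central directory offset of 1944605008) is one instance of the general problem of trusting offset and length fields read from an archive. As an added example, not zipsecure code, here is a ZIP central-directory reader in Python that bounds every read by the declared directory size and the file length and reports a malformed archive instead of looping; the sample archive, the bogus offset and the function names are constructed for this illustration.

```python
import io
import struct
import zipfile

# Added example, not zipsecure code. Sample archives are constructed below.

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
EOCD_FMT = "<4sHHHHIIH"            # end-of-central-directory record, 22 bytes
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"   # central directory file header, 46 bytes


def find_eocd(data: bytes):
    """Locate the end-of-central-directory record by searching backwards
    from EOF (it may only be followed by a comment of at most 65535 bytes).
    Returns (cd_offset, cd_size, entry_count) or None."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if idx < 0 or idx + 22 > len(data):
        return None
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, idx)
    return cd_offset, cd_size, total


def list_entries(data: bytes) -> list[str]:
    """Walk the central directory, checking every offset and length against
    the bytes actually present before reading through them."""
    eocd = find_eocd(data)
    if eocd is None:
        raise ValueError("no end-of-central-directory record")
    cd_offset, cd_size, total = eocd
    end = cd_offset + cd_size
    if end > len(data):
        raise ValueError(f"central directory {cd_offset}+{cd_size} lies beyond EOF ({len(data)} bytes)")
    names, pos = [], cd_offset
    for _ in range(total):                      # bounded by the declared count, never 'while True'
        if pos + 46 > end:
            raise ValueError("truncated central directory header")
        fields = struct.unpack_from(CDIR_FMT, data, pos)
        if fields[0] != CDIR_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        nxt = pos + 46 + name_len + extra_len + comment_len
        if nxt > end:                           # the ExtraFieldLength case from the thread
            raise ValueError("name/extra/comment fields overrun the central directory")
        names.append(data[pos + 46:pos + 46 + name_len].decode("cp437"))
        pos = nxt
    return names


def verdict(data: bytes) -> str:
    """Scanner-style summary: either the entry list or why the file was rejected."""
    try:
        return "ok: " + ", ".join(list_entries(data))
    except ValueError as exc:
        return "rejected: " + str(exc)


def build_sample_zip() -> bytes:
    """Constructed two-entry archive built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("zlib.dll", b"\x00" * 16)
    return buf.getvalue()


def corrupt_cd_offset(data: bytes, bogus: int = 1944605008) -> bytes:
    """Overwrite the central directory offset in the EOCD record with the
    value seen in the debug output, mimicking a false signature match."""
    idx = data.rfind(EOCD_SIG)
    return data[:idx + 16] + struct.pack("<I", bogus) + data[idx + 20:]


if __name__ == "__main__":
    good = build_sample_zip()
    print(verdict(good))
    print(verdict(corrupt_cd_offset(good)))
```

The reader deliberately locates the directory from the end of the file rather than by scanning forward for a signature, which is how a DLL that happens to contain the bytes of a ZIP header gets mistaken for an archive in the first place.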
From: Peter H. <hue...@si...> - 2000-10-02 12:28:33

I have been using AMaViS for a week or so now, and a number of problems
have cropped up. One is that the smartlist mailing list program can't
deliver mails any longer, I had to make the spool directories world
writable to allow the mailing list program to deliver mails. Before that
the spool directories belonged to root:root and it worked fine. Any idea
what I may have wrong for that to appear?

The other problem is the following and I remember reading something about
it, but can't find it any more. I get the following message back from the
mailer:

   ----- Transcript of session follows -----
554 b.mair@ok-centrum... Cannot send 8-bit data to 7-bit destination
501 b.mair@ok-centrum... Data format error

--SAA08601.969986446/eddie.ok-centrum.at
Content-Type: message/delivery-status

Any idea what I need to change for that. This is rather urgent.

The mhonarc program worked fine too, but now I had to change the
permissions for the web directory as not the user is the one who starts
the programs but "daemon" seems to do it all now. Only when I give daemon
the right to write in the directory does mhonarc deliver the works. I have
noticed that ever since I use AMaViS mail does not seem to be delivered by
the person who sends it, but by the daemon. Is that the way it is supposed
to be?

I seem to have broken rather a lot after installing amavis and it is
rather a pain. Please help, if you can!

.peter
From: Rainer L. <li...@su...> - 2000-10-01 15:55:46

Hi!

The following two patches should fix the two issues

* tnef 0.13 changed the help page, so the detection if the installed tnef
  is the one by Mark Simpson fails.
* tnef files are not handled at all.

Copy configure.in.patch in the root directory of the AMaViS 0.2.1-pre3
source directory and scanmails.in.patch into src/scanmails/. Don't forget
to call ./reconf from the root directory of the source tree for
re-creating configure. If configure and/or make does not work correctly
afterwards, please read BUGS.

best regards,
Rainer Link

-- 
Rainer Link    | SuSE - The Linux Experts
li...@su...   | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de    | Founder Linux AntiVirus Project (lavp.sourceforge.net)
From: Lars H. <lhe...@nm...> - 2000-08-02 18:33:44

===========================================================================
AMaViS Security Announcement

Date:                   08/02/2000
affected version(s):    all releases of AMaViS including amavis-perl
Vulnerability Type:     amavis can lose parts of email messages
Priority:               urgent
Solution:               apply patch
Author:                 Lars Hecking <lhe...@nm...>
Advisory ID:            ASA-2000-4
---------------------------------------------------------------------------

1. Problem description

In some configurations, e.g. relay type setups, scanmails/amavis is using
sendmail or other MTA's sendmail wrappers to reinject scanned emails back
into the mail system. If an email message contains a single dot on a line
by itself, the sendmail program/wrapper will truncate that message at the
dot, as amavis/scanmails fails to call sendmail with the "IgnoreDots" cmd
line option (-i).

2. Impact

Obvious. All parts of an email message after and including a solitary dot
are lost. This problem affects all setups where mail leaves amavis through
sendmail or a sendmail-compatible wrapper. In particular, all dual-postfix
setups as described in amavis-perl's README.postfix are affected.

3. Solution

3.1 amavis-perl

Locate the following code in the amavis-perl script

    if ($LDA eq "$sendmail_wrapper") {
        unshift(@LDAARGS, "-f");
    } else {
        @LDAARGS = ();
    }

and change it to

    if ($LDA eq "$sendmail_wrapper") {
        unshift(@LDAARGS, "-f");
        unshift(@LDAARGS, "-oi ");
    } else {
        @LDAARGS = ();
    }

3.2 All non-perl versions of amavis

Apply the attached patch to the scanmails script. It should apply ok with
more or less fuzz.

4. Acknowledgement

I discovered this by accident after receiving a mail message on the
postfix-users mailing list which quoted more parts of another message
than I remembered getting. Rainer Link provided the patch for scanmails.

5. References

https://sourceforge.net/projects/amavis/

6. Revision History

08/02/2000: initial release
===========================================================================
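The truncation described in ASA-2000-4, modelled in Python as an added example (not amavis or sendmail code): `sendmail_without_i` imitates what sendmail does with a message on stdin when -i is absent, `dot_stuff` and `dot_unstuff` show the RFC 5321 transparency rule that lets a message survive regardless, and `reinject_args` builds the argument list with -oi that the advisory's fix adds. The function names and the sample message are constructed.

```python
# Added example, not amavis or sendmail code. The message below is constructed.


def sendmail_without_i(message: str) -> str:
    """What sendmail does reading a message from stdin without -i (-oi):
    a line holding a single '.' ends the input and everything after it is
    silently dropped."""
    kept = []
    for line in message.split("\n"):
        if line == ".":
            break
        kept.append(line)
    return "\n".join(kept)


def dot_stuff(message: str) -> str:
    """SMTP transparency (RFC 5321 section 4.5.2): prefix every line that
    starts with '.' with another '.', so no line is a lone dot."""
    return "\n".join("." + ln if ln.startswith(".") else ln
                     for ln in message.split("\n"))


def dot_unstuff(message: str) -> str:
    """The receiving side of the same rule: remove one leading '.' from any
    line that starts with a dot (a lone '.' is the terminator, not data)."""
    return "\n".join(ln[1:] if ln.startswith(".") and ln != "." else ln
                     for ln in message.split("\n"))


def reinject_args(sendmail: str, envelope_sender: str, recipients: list[str]) -> list[str]:
    """Argument list for handing a scanned message back to sendmail: -oi is
    the IgnoreDots option the advisory adds, -f restores the envelope sender."""
    return [sendmail, "-oi", "-f", envelope_sender, *recipients]


if __name__ == "__main__":
    sample = "Subject: test\n\nfirst paragraph\n.\nsecond paragraph\n"
    print(repr(sendmail_without_i(sample)))            # second paragraph is gone
    print(repr(sendmail_without_i(dot_stuff(sample)))) # survives intact
    print(reinject_args("/usr/sbin/sendmail", "alice@example.invalid", ["bob@example.invalid"]))
```

Dot-stuffing belongs to the SMTP transport, so it is the right tool only when the message is handed over an SMTP session; when a local sendmail binary reads stdin, the -oi option is the correct fix, as the advisory says.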
From: Rainer L. <li...@su...> - 2000-07-29 17:45:37

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AMaViS Security Announcement

Date:                   07/29/2000
affected version(s):    AMaViS 0.2.1-pre1 if metamail is used
Vulnerability Type:     AMaViS is configured with the wrong switches for
                        metamail / no mail splitting, no virus detection
                        possible
Priority:               urgent
Solution:               checkout latest sources from CVS or download at
                        least configure.in from cvsweb.amavis.org
Author:                 Rainer Link <li...@su...>
Advisory ID:            ASA-2000-3
- ---------------------------------------------------------------------------

1. Problem description

AMaViS 0.2.1-pre1 uses either metamail or reformime to split an eMail
message in its parts, which will be saved in
/var/tmp/scanmails<pid>/unpacked. Due to a stupid bug AMaViS will use the
run-time switches for reformime although metamail is used.

Here is a short explanation why this happens: ./configure will detect
metamail, create config.cache and create src/scanmails/scanmails
correctly, this means metamail is used and the correct run-time flags for
metamail, too. make calls ./configure --recheck, configure uses for speed
reasons the cached variables, but the check if metamail or reformime is
used fails now. Therefore src/scanmails/scanmails is created for use with
metamail *but* with the run-time flags for reformime.

2. Impact

As AMaViS (scanmails) uses the wrong run-time parameters, a mail is not
split and /var/tmp/scanmails<pid>/unpacked is *always* empty. Therefore
no virus will be detected at all.

3. Solution

Either checkout the latest sources from our CVS server at
http://sourceforge.net/projects/amavis/ or download at least configure.in
from http://cvsweb.amavis.org/. The direct link is

http://cvs.sourceforge.net/cgi-bin/cvsweb.cgi/~checkout~/amavis/configure.in?rev=1.9&content-type=text/plain&cvsroot=amavis

If you download only configure.in, please do a ./reconf (it may give you
three warnings, but they can be ignored). Remove config.cache, if this
file exists. Then re-run ./configure with the configure options you need
and do a make && make install.

NOTE: After every update of either AMaViS or used virus scanner(s), please
test if everything works correctly by sending a mail with the EICAR test
file virus, which can be found at
http://www.eicar.com/anti_virus_test_file.htm

4. Acknowledgment

I would like to thank Tilo Lutz who first reported to us that no virus was
discovered when metamail is used. As this was my bug, I apologize for any
inconveniences.

5. References

6. Revision History

07/29/2000: initial release
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5gxczmxoFTBO0QHkRAix/AJ9zkZtogMbgXrQfOHGj9MF/Ug4rhwCfa+cU
ZsYjC4CCJuyuwnjLkvPFLR8=
=8ZNt
-----END PGP SIGNATURE-----

-- 
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
From: Rainer L. <li...@su...> - 2000-07-27 15:31:34

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AMaViS Security Announcement

Date:                   07/27/2000
affected version(s):    AMaViS 0.2.0-pre6-clm-rl-8-04-07-2000 and later
                        if reformime below 1.01 is used
                        (AMaViS-Perl is NOT affected)
Vulnerability Type:     attacker could pass virus through AMaViS /
                        Denial-of-Service attack against AMaViS
Priority:               urgent
Solution:               apply patch / update reformime
Author:                 Rainer Link <li...@su...>
Advisory ID:            ASA-2000-2
- ---------------------------------------------------------------------------

1. Problem description

AMaViS uses reformime, part of the maildrop package, to split eMail
messages in its parts. reformime versions below 1.0 (tested with 0.76b)
overwrite files with the same file names. reformime version 1.0 tries to
avoid overwriting files, but a bug causes an endless loop.

2. Impact

reformime below 1.0: an attacker can create an eMail message with two
attachments with the same file name. The first file contains a virus, the
second one is clean. reformime overwrites the first one with the second.
Therefore no virus is detected and the mail will be delivered to user(s).

reformime 1.0 tries to avoid clobbering of existing files but due to a bug
it will end up in an endless loop. This could be used as a
denial-of-service attack against AMaViS.

3. Solution

Apply the provided patch for reformime 1.0. Or update to maildrop 1.01,
which will be released soon according to the author. Or if possible use
AMaViS-Perl instead, which uses a Perl module for MIME handling.

4. Acknowledgment

This bug was discovered by Rainer Link. We would like to thank Sam
Varshavchik, the author of maildrop, for providing a patch quickly.

5. References

reformime, part of the maildrop package, can be found at
http://www.flounder.net/~mrsam/maildrop/

6. Revision History

07/27/2000: initial release
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5gFSamxoFTBO0QHkRAgLyAKC1i59LIB07e5V9r+wIg9kR3Dp6aQCfR3Nb
p8/9+2qTYbOksmM+9uGIeuM=
=bpQK
-----END PGP SIGNATURE-----

-- 
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
From: Rainer L. <li...@su...> - 2000-07-27 15:28:18
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================================
AMaViS Security Announcement

Date: 07/27/2000
affected version(s): all AMaViS releases using metamail, in detail
    all release versions up to 0.2.0-pre6
    all release versions 0.2.0-pre6-clm up to 0.2.0-pre6-clm-rl-8
    all CVS versions before 0.2.0-pre6-clm-rl-8-04-07-2000
    (AMaViS-Perl is NOT affected)
Vulnerability Type: some eMail worms (i.e. KAKworm) may not be detected
Priority: urgent
Solution: update to latest CVS version, install reformime
Author: Rainer Link <li...@su...>
Advisory ID: ASA-2000-1
- ---------------------------------------------------------------------------

1. Problem description

AMaViS uses metamail to split an eMail message into its parts, i.e. the mail body and the attachment file(s). The file(s) are written to the directory /var/tmp/scanmails<pid>/unpacked by default. As metamail is very old and seems not to be maintained anymore, it is not able to handle MIME multipart/alternative messages. Such a message contains a plain ASCII text body part and a HTML body part, which is created e.g. by Netscape Messenger if "Message Formatting" is set to "Send the message in plain text and HTML". Therefore /var/tmp/scanmails<pid>/unpacked is empty and no known virus/worm will be detected.

2. Impact

It is possible that a known virus/worm is not detected and an infected eMail is delivered to the user. We got reports that this has happened with the KAKworm.

3. Solution

Since AMaViS 0.2.0-pre6-clm-rl-8-04-07-2000 it is possible to use reformime as a replacement for metamail. reformime comes within the maildrop package. ./configure looks first for reformime, therefore if it's installed, AMaViS will use it. Or if possible use AMaViS-Perl instead, which uses a Perl module for MIME handling.

4. Acknowledgment

I would like to thank Craig Baird who first reported this problem to me and helped to track it down.

5. References

metamail can be found at ftp://thumper.bellcore.com/pub/nsb/
reformime, part of the maildrop package, can be found at http://www.flounder.net/~mrsam/maildrop/
To checkout the latest CVS version of AMaViS please visit http://sourceforge.net/projects/amavis

6. Revision History

07/27/2000: initial release
============================================================================
--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
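The failure mode from section 1 of the advisory (an empty unpacked directory silently treated as a clean message), as an added example in Python rather than the shell/Perl of AMaViS itself and not part of this advisory or the project: the sample message, the detection marker and the naive splitter that only unpacks multipart/mixed are constructed here to model the metamail behaviour the text describes.

```python
from email import message_from_string

# Constructed sample: a plain-text + HTML body of the kind Netscape Messenger's
# "Send the message in plain text and HTML" setting produces. The marker in
# the HTML part is a hypothetical stand-in for something the scanner detects.
SAMPLE_ALTERNATIVE = """\
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

hello
--b1
Content-Type: text/html; charset=us-ascii

<html><body>EICAR-TEST-MARKER</body></html>
--b1--
"""
DETECT_MARKER = b"EICAR-TEST-MARKER"  # constructed stand-in for an AV hit

def split_mixed_only(raw: str) -> list:
    """Model (assumption) of the metamail behaviour the advisory describes:
    only a multipart/mixed container is unpacked, so a multipart/alternative
    message yields no parts and the unpacked directory stays empty."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/mixed":
        return []
    return [(p.get_content_type(), p.get_payload(decode=True))
            for p in msg.get_payload() if not p.is_multipart()]

def split_all(raw: str) -> list:
    """Correct splitter: walk every leaf part whatever the multipart subtype."""
    return [(p.get_content_type(), p.get_payload(decode=True))
            for p in message_from_string(raw).walk() if not p.is_multipart()]

def scan_message(raw: str, splitter, fail_closed: bool = True) -> str:
    """Return 'clean', 'infected' or 'error'. With fail_closed=False an empty
    split is reported as clean, which is the gap the advisory describes; with
    fail_closed=True an empty split is an error to hold for inspection."""
    parts = splitter(raw)
    if not parts:
        return "error" if fail_closed else "clean"
    if any(DETECT_MARKER in body for _ctype, body in parts):
        return "infected"
    return "clean"
```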