[CVE-2008-3962] allow remote attackers to obtain sensitive information

Hi Stefan,

Please could you edit the changelog entry to be more like the
template described in

  https://wiki.ubuntu.com/SecurityUpdateProcedures

could you also check for other guidelines in there you should
follow considering this is a development release.

Are other releases vulnerable?

Thanks,

James

Updated for intrepid. If it's okay I'll start if the SRU's.

Updated for intrepid. If it's okay I'll start if the SRU's.

Hey Stefan,

The change looks good. However, the new bug for the new patch
isn't marked as a security vulnerability, and doesn't have a CVE
attached. While it may well be a security bug can you please
talk to the security team about ensuring it has a CVE etc.

Thanks,

James

Stefan, thanks for your patch, here are my bits:
- The indentation in the changelog is quite odd, please fix it according to the examples on the wiki
- You don't put the information about the CVE (in the bug which has it), please add it
- There is a ":" missing after debian/patches/03_fix_buffer_overflow

P.S: yes i know is pretty nitpicky, but that's how we work in the security team.

Milestoning so teaching doesn't cause us to forget to upload before release.

hehe, hope it's ok now

This bug was fixed in the package ssmtp - 2.62-1ubuntu3

---------------
ssmtp (2.62-1ubuntu3) intrepid; urgency=low

  * SECURITY UPDATE: allow remote attackers to obtain sensitive
    information (LP: #278978)
  * debian/patches/02-CVE-2008-3962: adjust in ssmtp.c to fix
    unitialized memory disclosure.
  * SECURITY UPDATE: Buffer overflow (LP: #282424)
  * debian/patches/03_fix_buffer_overflow: adjust ssmtp.c to fix
    a buffer overflow with using 2 bytes in length instead of one in buffer.
  * References:
    CVE-2008-3962
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498366

 -- Stefan Ebner <email address hidden> Tue, 07 Oct 2008 16:22:39 +0200

debdiff for hardy

patch for gutsy

patch fro dapper

Echoing IRC discussion: the Dapper patch needs to not use dpatch (should be patched inline unless there is a good reason to change build-deps).

Updating dapper patch.

New patch for dapper.

I'm performing tests using the following configuration:

<email address hidden>
mailhub=smtp.gmail.com:587
AuthUser=user
AuthPass=pass
UseSTARTTLS=YES

in hardy it worked ok, and had the same behavior with hardy's package and the new update. Still need to do the PoC

Tested for hardy and it's ok.

The change affected the from_format function, adding an exception in the case FromLineOverride is set to No and 'gecos' pointer is not initialized. The affected function is the one formating the "From:" field.

dapper tests worked ok.

All releases published in -security. Thanks nxvl!