First published: Mon Oct 05 2015
Several vulnerabilities have been fixed in OpenSMTPD 5.7.2:

- an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory;
- multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD;
- a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;
- a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files;
- a hardlink attack that allows local users to read the first line of arbitrary files (for example, root's hash from /etc/master.passwd);
- a denial-of-service vulnerability that allows remote attackers to fill OpenSMTPD's queue or mailbox hard-disk partition;
- an out-of-bounds memory read that allows remote attackers to crash OpenSMTPD, or leak information and defeat the ASLR protection;
- a use-after-free vulnerability that allows remote attackers to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user.

Further details can be found in Qualys' audit report: http://seclists.org/oss-sec/2015/q4/17

MITRE has assigned one CVE for the use-after-free vulnerability; additional CVEs may be assigned: http://seclists.org/oss-sec/2015/q4/23

External References:

- https://www.opensmtpd.org/announces/release-5.7.2.txt
- http://seclists.org/oss-sec/2015/q4/17

Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/OpenSMTPD | <5.7.2 | 5.7.2 |
OpenBSD OpenSMTPD | <=5.7.1 | |
Fedoraproject Fedora | =22 | |
Fedoraproject Fedora | =23 | |