Debian Security Advisory

DSA-1501-1 dspam -- programming error

Date Reported:

21 Feb 2008

Affected Packages:

dspam

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 448519.
In Mitre's CVE dictionary: CVE-2007-6418.

More information:

Tobias Grützmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line. This allowed a local attacker to read the contents of the dspam database, such as emails.

The old stable distribution (sarge) does not contain the dspam package.

For the stable distribution (etch), this problem has been fixed in version 3.6.8-5etch1.

For the unstable distribution (sid), this problem has been fixed in version 3.6.8-5.1.

We recommend that you upgrade your dspam package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8.orig.tar.gz; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1.dsc; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1.diff.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/d/dspam/dspam-doc_3.6.8-5etch1_all.deb; http://security.debian.org/pool/updates/main/d/dspam/dspam-webfrontend_3.6.8-5etch1_all.deb
Alpha:: http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_alpha.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_alpha.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_alpha.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_alpha.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_alpha.deb; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_alpha.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_amd64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_amd64.deb; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_amd64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_amd64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_amd64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_amd64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_arm.deb; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_arm.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_arm.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_arm.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_arm.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_arm.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_hppa.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_hppa.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_hppa.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_hppa.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_hppa.deb; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_hppa.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_i386.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_i386.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_i386.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_i386.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_i386.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_i386.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_ia64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_ia64.deb; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_ia64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_ia64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_ia64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_ia64.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_mips.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_mips.deb; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_mips.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_mips.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_mips.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_mips.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_mips.deb
PowerPC:: http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_powerpc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_powerpc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_powerpc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_powerpc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_powerpc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_powerpc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_s390.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_s390.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_s390.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_s390.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_s390.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_s390.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_sparc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-dev_3.6.8-5etch1_sparc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_sparc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_sparc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_sparc.deb; http://security.debian.org/pool/updates/main/d/dspam/libdspam7_3.6.8-5etch1_sparc.deb; http://security.debian.org/pool/updates/main/d/dspam/dspam_3.6.8-5etch1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.