# sSMTP 2.62 Buffer Overflow

## TheBunman

Hi,

Today I found this in my Apache log:

> *** buffer overflow detected ***: /usr/sbin/sendmail terminated
>
> ======= Backtrace: =========
> ...


I think that it is this problem: http://www.securityfocus.com/bid/41965

sSMTP is used on almost all my Gentoo boxes in combination with PHP, so this also happens when someone pastes the string from the bulletin into a contact form.

So now I am a bit concerned about the impact this can have on my system.

Also I read the bug concerning the line ending problem in 2.64.

So my question is: what should I do to have my systems sound and safe?

Best regards

TheBunman

----------

## TheBunman

Hi,

Does really no one else here consider this buffer overflow a problem?

There is no updated ebuild for a package containing a buffer overflow which could be used for a DoS and possibly for more. (There is already an updated sSMTP version available.) And a concerned sysadmin does not even get a response from anyone in the Gentoo forums.

Maybe my question was unclear? Or did I misunderstand the security bulletin?

I would have written an ebuild for version 2.64 but I am not sure if the line ending problem (which is AFAIK also in 2.62) is a show stopper.

-> http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg789435.html

Any help would be much appreciated.

Best regards

TheBunman

EDIT: added link to 2.64 Debian report

----------

## Hu

It is a problem, but what do you want us to do about it?  Fixing it probably requires a code patch.  Though developers read the forums, most of the more active responders are not Gentoo developers, so we would have no access to commit a code fix even if we had the patch to implement it.  Based on what you have shown, it is probably not allowing code execution due to -fstack-protector killing the process beforehand.

----------

## TheBunman

Hi Hu,

I didn't mean that you (i.e. the Gentoo team) should write a patch. My intention was that I need to know how I should manage this problem.

Probably I'll set up postfix to do the job sSMTP does at the moment.

Thank you

TheBunman

----------

## Rider

Hi

I have the same problem together with sieve/dovecot/ssmtp. As an alternative to ssmtp I'm using msmtp now.

Regards

Chris

----------
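For triaging the abort quoted in the first post, an added example (not part of the thread) that scans log lines for glibc hardening aborts and reports which runtime check fired and for which program. The sample log is constructed, and `find_aborts` and `summarize` are names chosen here.

```python
import re
from collections import Counter

# glibc writes one of these to stderr when a runtime hardening check aborts
# a process. Older releases include the program path; newer ones print only
# "terminated", so the path is optional in the pattern.
ABORT_RE = re.compile(
    r"\*\*\* (?P<check>buffer overflow detected|stack smashing detected) \*\*\*:"
    r"(?: (?P<prog>\S+))? terminated"
)

# Which hardening feature produces which message.
MECHANISM = {
    "buffer overflow detected": "_FORTIFY_SOURCE",   # __chk_fail
    "stack smashing detected": "stack protector",    # __stack_chk_fail
}

# Constructed sample: Apache error-log lines mixed with raw stderr output
# from child processes (the abort lines carry no timestamp prefix).
SAMPLE_LOG = """\
[Mon Aug 02 10:15:01 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
*** buffer overflow detected ***: /usr/sbin/sendmail terminated
======= Backtrace: =========
[Mon Aug 02 10:17:44 2010] [error] [client 192.0.2.11] File does not exist: /var/www/robots.txt
*** buffer overflow detected ***: /usr/sbin/sendmail terminated
*** stack smashing detected ***: /usr/local/bin/example terminated
*** buffer overflow detected ***: terminated
"""


def find_aborts(lines):
    """Yield (line_number, mechanism, program) for each hardening abort."""
    for number, line in enumerate(lines, 1):
        match = ABORT_RE.search(line)
        if match:
            program = match.group("prog") or "<unknown>"
            yield number, MECHANISM[match.group("check")], program


def summarize(lines):
    """Count aborts per (program, mechanism) so repeated hits stand out."""
    return Counter((prog, mech) for _, mech, prog in find_aborts(lines))


if __name__ == "__main__":
    for (prog, mech), count in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:3d}  {prog}  ({mech})")
```
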

