Date: Thu, 8 May 2008 19:02:48 GMT
From: Richard Stockton <stockton@mail.adhost.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: master.passwd info included in postfix transport.db

>Number:         123529
>Category:       kern
>Synopsis:       mail/postfix: master.passwd info included in postfix transport.db
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 08 19:10:01 UTC 2008
>Closed-Date:    Mon Apr 27 17:05:12 UTC 2009
>Last-Modified:  Mon Apr 27 17:05:12 UTC 2009
>Originator:     Richard Stockton
>Release:        6.x (actually happens on all 6.x  versions)
>Organization:
Adhost Internet
>Environment:
FreeBSD mail-in03.adhost.com 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue May 22 13:48:59 PDT 2007     stockton@mail-in03.adhost.com:/usr/src/sys/i386/compile/MAIL-IN03  i386
>Description:
These machines are incoming mail servers all running postfix 2.5.0.  When changing the transport table with "postmap" or running "newaliases" the .db file created contains not only the contents of the "transport" (or "aliases") file, but also the contents of the "/etc/master.passwd" file.  Obviously a security concern.

Wietse Venema (wietse@porcupine.org), the author of Postfix, suggests this:
> Apparently, some SYSTEM LIBRARY Berkeley DB routine writes
> uninitialized memory to file. Postfix does not write Berkeley DB
> files directly.
>
> Have you sent a bug report to the FreeBSD bugs database?
>
> Solaris had a similar problem years ago with the tar(1) command.
> Not nice if you were putting tar files on anonymous FTP servers.


>How-To-Repeat:
Use postfix's "newaliases" or "postmap" to create .db files.

I believe the problem may be that the default "db.h" file shipped with FreeBSD is very old (version 1?) and even if you install BerkeleyDB via ports, ("/usr/ports/databases/db44"), that old db.h remains.  I suspect that postfix uses that old db.h file when compiling "postmap" and "newaliases".

>Fix:
I was able to fix the problem by using "makemap".

    makemap -N hash /etc/postfix/transport < /etc/postfix/transport
    makemap -N hash /etc/mail/aliases < /etc/mail/aliases


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ports-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu May 8 19:43:43 UTC 2008 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123529 
Responsible-Changed-From-To: freebsd-ports-bugs->mnag 
Responsible-Changed-By: mnag 
Responsible-Changed-When: Thu May 8 21:09:36 UTC 2008 
Responsible-Changed-Why:  
I'll take it. 


From: Richard Stockton <postfix@richardleestockton.org>
To: bug-followup@FreeBSD.org,stockton@mail.adhost.com
Cc:  
Subject: Re: ports/123529: mail/postfix: master.passwd info included in
  postfix transport.db
Date: Thu, 08 May 2008 14:44:51 -0700

 Wietse just sent me this...
 
 =================================================================================
 You may want to update the bug report.
 
 In /usr/src/lib/libc/db/README, it says compile with -DPURIFY
 otherwise it will write uninitialized memory to the file.
 
 I just checked, and this fixes the problem. You have to add a line
 with: #include <string.h> to /usr/src/lib/libc/db/db/hash/hash_buf.c
 
 Tested on FreeBSD 6.2.
 
 	Wietse
 
 Inside /usr/src/lib/libc/db/db/hash/hash_buf.c, the function
 __get_buf() contains little fragments of code like this:
 
 	if ((something = (whatever *) malloc(somesize)) == 0)
 	    error ...
      #ifdef PURIFY
 	    memset(something, 0xff, somesize);
      #endif
 
 With PURIFY disabled valgrind complains:
 
 valgrind --tool=memcheck -q --leak-check=yes --num-callers=12 postalias /tmp/aliases
 ==9084== Syscall param write(buf) contains uninitialised or unaddressable byte(s)
 ==9084==    at 0x3C28632F: (within /lib/libc.so.6)
 ==9084==    by 0x3C277F86: __buf_free (in /lib/libc.so.6)
 ==9084==    by 0x3C2753D2: (within /lib/libc.so.6)
 ==9084==    by 0x80565F9: dict_db_close (dict_db.c:536)
 ==9084==    by 0x804C034: mkmap_close (mkmap_open.c:123)
 ==9084==    by 0x804A756: postalias (postalias.c:411)
 ==9084==    by 0x804B341: main (postalias.c:798)
 ==9084==  Address 0x3C2E3D56 is 34 bytes inside a block of size 4096 alloc'd
 ==9084==    at 0x3C038183: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
 ==9084==    by 0x3C277BB9: __get_buf (in /lib/libc.so.6)
 ==9084==    by 0x3C275493: (within /lib/libc.so.6)
 ==9084==    by 0x805622D: dict_db_update (dict_db.c:314)
 ==9084==    by 0x804A6BB: postalias (postalias.c:378)
 ==9084==    by 0x804B341: main (postalias.c:798)
 
 And many more complaints like this.
 ====================================================================================
 
 I note that in my FreeBSD 6.2-RELEASE #0 the .c file he mentions does not exist.
 I have a "/usr/src/lib/libc/db/db/" directory with a "Makefile.inc" and "db.c"
 but it does not look like it was compiled into my custom kernel.
 
 uname -a shows:
 FreeBSD mail-in02.adhost.com 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Mon May 14 16:42:38 PDT 2007 stockton@mail-in02.adhost.com:/usr/src/sys/i386/compile/MAIL-IN02  i386
 
 Hope that additional info helps.
 Thanks.
   - Richard
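
The leak described in the message above, reduced to a stand-alone model. This is an added example, not FreeBSD libc or Postfix code: the arena, get_page(), write_page(), page_contains() and both sample strings are constructed for illustration, and the arena stands in for heap memory that malloc() hands back with its old contents.

```c
/* Added model, not FreeBSD libc code: an uninitialized page written in full. */
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 4096
#define FILL 0xff   /* fill byte of the PURIFY memset quoted in the thread */

/* Constructed stand-in for recycled heap memory and its earlier content. */
static unsigned char arena[PAGE_SIZE];
static const char STALE[] = "root:$1$constructed:0:0::0:0:Charlie &:/root:/bin/csh\n";

/* Hypothetical allocator: memory still holds old data unless filled. */
static unsigned char *get_page(int purify)
{
    size_t i, n = sizeof(STALE) - 1;
    for (i = 0; i < PAGE_SIZE; i++)      /* earlier use of this memory */
        arena[i] = (unsigned char)STALE[i % n];
    if (purify)
        memset(arena, FILL, PAGE_SIZE);  /* the PURIFY-style fill */
    return arena;
}

/* One record in a fresh page; whole page copied to out; returns stale bytes. */
size_t write_page(const char *rec, int purify, unsigned char *out)
{
    size_t i, len = strlen(rec), leaked = 0;
    unsigned char *page = get_page(purify);
    memcpy(page, rec, len);
    memcpy(out, page, PAGE_SIZE);        /* the on-disk image of the page */
    for (i = len; i < PAGE_SIZE; i++)
        leaked += (out[i] != FILL);
    return leaked;
}

/* Return 1 if the on-disk image contains needle. */
int page_contains(const unsigned char *pg, const char *needle)
{
    size_t i, n = strlen(needle);
    for (i = 0; i + n <= PAGE_SIZE; i++)
        if (memcmp(pg + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char img[PAGE_SIZE];
    const char *rec = "example.com smtp:[relay.example.net]";  /* constructed */
    printf("no fill: %zu stale bytes\n", write_page(rec, 0, img));
    printf("fill:    %zu stale bytes\n", write_page(rec, 1, img));
}
```

Without the fill, every byte of the page after the record is old memory, which is why a map built from a short transport file can carry password-file text.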
 

From: Jaakko Heinonen <jh@saunalahti.fi>
To: bug-followup@FreeBSD.org, stockton@mail.adhost.com
Cc:  
Subject: Re: ports/123529: mail/postfix: master.passwd info included in
	postfix transport.db
Date: Fri, 9 May 2008 17:06:07 +0300

 --/9DWx/yDrRhgMJTb
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 
 Here's a patch against HEAD. (Compile tested only.)
 
 -- 
 Jaakko
 
 --/9DWx/yDrRhgMJTb
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="libc-db-PURIFY.diff"
 
 Index: db/hash/Makefile.inc
 ===================================================================
 RCS file: /home/ncvs/src/lib/libc/db/hash/Makefile.inc,v
 retrieving revision 1.5
 diff -p -u -r1.5 Makefile.inc
 --- db/hash/Makefile.inc	18 Nov 2002 09:50:54 -0000	1.5
 +++ db/hash/Makefile.inc	9 May 2008 14:02:04 -0000
 @@ -3,5 +3,7 @@
  
  .PATH: ${.CURDIR}/db/hash
  
 +CFLAGS+=-DPURIFY
 +
  SRCS+=	hash.c hash_bigkey.c hash_buf.c hash_func.c hash_log2.c \
  	hash_page.c ndbm.c
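
Review bot: CFLAGS+=-DPURIFY at the top of db/hash/Makefile.inc carries no comment saying why it is there, and because this file is an include fragment (it only sets .PATH and appends to SRCS) the define is appended to the CFLAGS of whatever makefile includes it, not just to the hash sources listed below it. Add a one-line comment that the define keeps uninitialized buffer memory out of the files the hash code writes, with a pointer to this PR, so it is not later dropped as a leftover debugging flag; if the define is meant to reach only the hash code, say so or scope it.
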
 Index: db/hash/hash_buf.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libc/db/hash/hash_buf.c,v
 retrieving revision 1.8
 diff -p -u -r1.8 hash_buf.c
 --- db/hash/hash_buf.c	9 Jan 2007 00:27:50 -0000	1.8
 +++ db/hash/hash_buf.c	9 May 2008 14:02:05 -0000
 @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD: src/lib/libc/db/hash
  #include <stddef.h>
  #include <stdio.h>
  #include <stdlib.h>
 +#include <string.h>
  
  #ifdef DEBUG
  #include <assert.h>
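
Review bot: the added #include <string.h> in hash_buf.c is the only source change, while the Makefile.inc hunk turns PURIFY on for hash.c, hash_bigkey.c, hash_func.c, hash_log2.c, hash_page.c and ndbm.c as well. Check each of those for PURIFY-guarded code that needs a declaration it does not yet include, and since the patch is compile tested only, rerun the valgrind postalias case quoted earlier in this PR to confirm the write(buf) warning is gone.
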
 
 --/9DWx/yDrRhgMJTb--

From: Adam Jacob Muller <lists@adam.gs>
To: bug-followup@FreeBSD.org, stockton@mail.adhost.com
Cc:  
Subject: Re: ports/123529: mail/postfix: master.passwd info included in postfix transport.db
Date: Thu, 19 Jun 2008 21:19:52 -0400

 I can verify that this patch works as intended on RELENG_6 and  
 RELENG_7, is there any chance of this getting committed?
 
 
 -Adam
 

From: Vivek Khera <vivek@khera.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/123529: mail/postfix: master.passwd info included in postfix transport.db
Date: Mon, 23 Jun 2008 09:39:10 -0400

 This appears to be a security bug in the system Berkeley DB, not  
 postfix.  Please reassign accordingly.
 
 Thanks!
 
Responsible-Changed-From-To: mnag->secteam 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Aug 4 07:53:57 UTC 2008 
Responsible-Changed-Why:  
Reassign to freebsd secteam. This might be something worth looking at... 

State-Changed-From-To: open->feedback 
State-Changed-By: delphij 
State-Changed-When: Sat Mar 28 07:59:16 UTC 2009 
State-Changed-Why:  
Dear submitter, 

I think this problem should have been fixed with revision 190482. 
A copy of the patch is available at: 

http://people.freebsd.org/~delphij/misc/libc-190482.diff 

Would you please help us to test if this fixed the problem? 

Thanks in advance! 


Responsible-Changed-From-To: secteam->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Sat Mar 28 07:59:16 UTC 2009 
Responsible-Changed-Why:  
Track. 


From: James <james@hicag.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123529: mail/postfix: master.passwd info included in postfix 
	transport.db
Date: Thu, 16 Apr 2009 19:19:07 -0500

 Hi all.  Because this bug affects me too, I gave the patch a test
 against 6.3 and it's working for me.  The Postfix maps no longer
 contain data from master.passwd or anything else that doesn't belong
 in there.
 
 I also did a patch and rebuild test against all other FreeBSD 6.X
 releases.  All happened without a problem.
 
 Thanks for your patch!
 
 -- 
 James.
State-Changed-From-To: feedback->closed 
State-Changed-By: delphij 
State-Changed-When: Mon Apr 27 17:04:09 UTC 2009 
State-Changed-Why:  
A security advisory has been released as FreeBSD-SA-09:07.libc which 
fixed this problem on all supported branches and releases. 

>Unformatted:
