
Bug#308875: marked as done (metamail: Metamail 'extcompose' script Symlink Vulnerability)



Your message dated Tue, 17 May 2005 16:49:15 +0200
with message-id <20050517144914.GA30364@wolffelaar.nl>
and subject line [CAN-2004-1808] Not a bug
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 May 2005 21:50:42 +0000
From djoume@taket.org Thu May 12 14:50:42 2005
Return-path: <djoume@taket.org>
Received: from krepost.taket.org (localhost) [82.233.235.217] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DWLZq-0003fC-00; Thu, 12 May 2005 14:50:42 -0700
Received: from djoume by localhost with local (Exim 4.50)
	id 1DWLZh-0007zJ-5v; Thu, 12 May 2005 23:50:33 +0200
Content-Type: multipart/mixed; boundary="===============1025160442=="
MIME-Version: 1.0
From: Djoume SALVETTI <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: metamail: Metamail 'extcompose' script Symlink Vulnerability
X-Mailer: reportbug 3.12
Date: Thu, 12 May 2005 23:50:27 +0200
X-Debbugs-Cc: djoume@taket.org
Message-Id: <E1DWLZh-0007zJ-5v@localhost>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

This is a multi-part MIME message sent by reportbug.

--===============1025160442==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: metamail
Severity: normal
Tags: security patch


Good day,

From CAN-2004-1808:

| Extcompose in metamail does not verify the output file before writing
| to it, which allows local users to overwrite arbitrary files via a
| symlink attack.

More info is available here :

http://archives.neohapsis.com/archives/bugtraq/2004-03/0118.html

I think the attached (trivial) patch fixes the problem.

Regards

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc3
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages metamail depends on:
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand

--===============1025160442==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="metamail.patch"

diff -ru metamail-2.7/bin/extcompose metamail-2.7.djo/bin/extcompose
--- metamail-2.7/bin/extcompose	2005-05-12 23:36:41.000000000 +0200
+++ metamail-2.7.djo/bin/extcompose	2005-05-12 23:35:45.000000000 +0200
@@ -17,6 +17,12 @@
 fi
 OUTFNAME=$1
 
+if [ -e $OUTFNAME ]
+then
+		echo "Error : $OUTFNAME already exist." 1>&2
+		exit 1
+fi
+
 choosing=yes
 while [ $choosing = yes ]
 do
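
Review bot: The `[ -e $OUTFNAME ]` test added ahead of `choosing=yes` does not close the symlink problem it targets, and it breaks careful callers. `-e` follows symbolic links, so a dangling symlink at `$OUTFNAME` tests as nonexistent and passes, and since the test is a separate step from the later write, the path can still appear in between. It also exits with an error for a caller that pre-created the output file safely (for example with mktemp) before invoking the script. If a guard is kept, also test `[ -L "$OUTFNAME" ]` and create the file under `set -C` so that the creation itself fails when the path exists. `$OUTFNAME` is unquoted inside `[ ... ]`, so a name containing spaces breaks the test; quote it. The error text should read "already exists".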

--===============1025160442==--

---------------------------------------
Received: (at 308875-done) by bugs.debian.org; 17 May 2005 14:49:17 +0000
From jeroen@wolffelaar.nl Tue May 17 07:49:17 2005
Return-path: <jeroen@wolffelaar.nl>
Received: from 220pc220.sshunet.nl (mordor.wolffelaar.nl) [145.97.220.220] (Debian-exim)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DY3Nk-0003mt-00; Tue, 17 May 2005 07:49:17 -0700
Received: from jeroen by mordor.wolffelaar.nl with local (Exim 4.50)
	id 1DY3Nj-0008AT-4U; Tue, 17 May 2005 16:49:15 +0200
Date: Tue, 17 May 2005 16:49:15 +0200
To: Djoume SALVETTI <djoume@taket.org>, 308875-done@bugs.debian.org
Cc: cve@mitre.org, joeyh@debian.org, Shaun Colley <shaunige@yahoo.co.uk>,
	iko@debian.org, az@debian.org, pjb@debian.org
Subject: [CAN-2004-1808] Not a bug
Message-ID: <20050517144914.GA30364@wolffelaar.nl>
References: <E1DWLZh-0007zJ-5v@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E1DWLZh-0007zJ-5v@localhost>
User-Agent: Mutt/1.5.9i
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Delivered-To: 308875-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-1.5 required=4.0 tests=BAYES_10 autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

On Thu, May 12, 2005 at 11:50:27PM +0200, Djoume SALVETTI wrote:
> Good day,
> 
> From CAN-2004-1808:
> 
> | Extcompose in metamail does not verify the output file before writing
> | to it, which allows local users to overwrite arbitrary files via a
> | symlink attack.
> 
> More info is available here :
> 
> http://archives.neohapsis.com/archives/bugtraq/2004-03/0118.html

This is not a bug:

If one calls "extcompose $file", one expects it to write to that file,
whether or not that's a symlink. It's only a potential problem of a
program invoking "extcompose" with an improperly secured temporary file,
extcompose itself cannot do anything about this.

With the typical use, mailcap, a mail user agent will ensure the file
it's invoked on is secure, if not, that's a bug in that mail user agent.

Annoyingly, I only noticed this when preparing an upload for this bug
and noticing one cannot really fix this one.
 
--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl
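
The caller-side handling that the reply above assigns to the invoking program, as an added shell example that is not part of this thread or of metamail. It contrasts the existence test from the proposed patch with an exclusive create on a constructed dangling symlink; all function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not metamail's.

# The existence test from the proposed patch: returns 0 when the path looks free.
# -e follows symlinks, so a dangling symlink also looks free.
patch_check() {
    [ ! -e "$1" ]
}

# Exclusive create: under noclobber (set -C) the redirection fails if the
# path exists in any form, including a symlink whose target is missing.
# The subshell keeps set -C from leaking into the caller.
create_exclusive() (
    set -C
    : > "$1"
) 2>/dev/null

# Caller side (the mail user agent's job in the reply above): put the output
# file in a fresh directory that mktemp creates with owner-only permissions.
make_private_outfile() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/compose.XXXXXX") || return 1
    printf '%s\n' "$dir/body"
}

# Constructed scenario: a dangling symlink sits at the expected output path.
# Prints three words: patch_check verdict, create_exclusive verdict, target state.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || return 1
    ln -s "$d/target" "$d/out"
    if patch_check "$d/out"; then r1=accepted; else r1=refused; fi
    if create_exclusive "$d/out"; then r2=accepted; else r2=refused; fi
    if [ -e "$d/target" ]; then r3=written; else r3=untouched; fi
    rm -rf "$d"
    printf '%s %s %s\n' "$r1" "$r2" "$r3"
}

demo
```

A path returned by `make_private_outfile` can be handed to a helper that writes to whatever file it is given, because no other local user can place a link inside the owner-only directory.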


