Bug#321473: marked as done (metamail: DoS to users to prevent usage of showpartial through _hard_ links)
Your message dated Wed, 17 Aug 2005 13:17:17 -0700
with message-id <E1E5ULd-0005ik-00@spohr.debian.org>
and subject line Bug#321473: fixed in metamail 2.7-48
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Aug 2005 18:33:34 +0000
>From jfs@computer.org Fri Aug 05 11:33:34 2005
Return-path: <jfs@computer.org>
Received: from 148.red-213-96-98.pooles.rima-tde.net (silicio) [213.96.98.148] (Debian-exim)
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1E170g-0000pv-00; Fri, 05 Aug 2005 11:33:34 -0700
Received: from jfs by silicio with local (Exim 4.52)
id 1E170e-0001vS-Fz
for submit@bugs.debian.org; Fri, 05 Aug 2005 20:33:32 +0200
Date: Fri, 5 Aug 2005 20:33:32 +0200
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <jfs@computer.org>
To: submit@bugs.debian.org
Subject: metamail: DoS to users to prevent usage of showpartial through _hard_ links
Message-ID: <[🔎] 20050805183332.GA7249@silicio>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="L6iaP+gRLNZHKoI4"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
--L6iaP+gRLNZHKoI4
Content-Type: multipart/mixed; boundary="z6Eq5LdranGa6ru8"
Content-Disposition: inline
--z6Eq5LdranGa6ru8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: metamail
Version: 2.7-47
Priority: normal
Tags: security patch
While reviewing scripts for instances of symlink vulnerabilities I've found
a possible denial of service condition for users that try to use showpartia=
l.
The showpartial script of metamail has a temporary hardcoded path
for the users downloaded messages set to $METAMAIL_TMPDIR/msg-parts-`whoami`
with $METAMAIL_TMPDIR being /tmp unless otherwise defined.
In order to prevent symlink attacks the script does this:
-----------------------------------------------------------------------
mkdir $TREEROOT 2>/dev/null || true
if OUTPUT=3D$(find $TREEROOT -maxdepth 0 -user `whoami` -print 2>/dev/null)=
&&
[ -n $OUTPUT ]
then
:
else
echo mkdir $TREEROOT failed
exit 1
fi
-----------------------------------------------------------------------
Which basicly creates the temporary directory and tries to determine
if it indeed belongs to the running user. If it is not able to create
it, or it doesn't belong to the running user it bails out.
The script, however, does not cope with the fact that a rogue user could
just create _hard_ (not symbolic) links to files in the same partition
belonging to the user which tries to run this script to the temporary
file. If he does this, then a msg-parts-$USER file would exist that belongs
to the user (so find returns it). In this situation, the script
is never able to go ahead and do its work and, thus, a rogue user
can prevent execution of this script for all $USERs in a system.
It would be best if the script tested for this case. The attached patch
copes with this by removing TREEROOT if it exists but is not a directory.
I believe using mktemp in the script is not possible since the directory
needs to be present in succesive runs. An alternative would be to=20
use mktemp to set the temporary dir and store this information in the
user's directory (~/.metamail_treeroot for example). Just for the fun
of it, attached is also a patch that implements that alternative.
Even better, the script could also try to use safer temporary directories
(for example, if $TMPDIR has been defined by the user and exists)
instead of introducing yet another environment variable for temporary
directories. But it seems that all the source code of this (ancient)
package uses the METAMAIL_TMPDIR variable.
Regards
Javier
--z6Eq5LdranGa6ru8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="metamail_showpartial.diff"
Content-Transfer-Encoding: quoted-printable
--- showpartial.orig 2005-08-05 20:07:50.000000000 +0200
+++ showpartial 2005-08-05 20:10:21.000000000 +0200
@@ -52,6 +52,7 @@
totalnum=3D$4
fi
=20
+[ -e $TREEROOT ] && [ ! -d $TREEROOT ] && rm -f $TREEROOT
mkdir $TREEROOT 2>/dev/null || true
if OUTPUT=3D$(find $TREEROOT -maxdepth 0 -user `whoami` -print 2>/dev/null=
) &&
[ -n $OUTPUT ]
--z6Eq5LdranGa6ru8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="metamail_showpartial.hometree.diff"
Content-Transfer-Encoding: quoted-printable
--- showpartial.orig 2005-08-05 20:07:50.000000000 +0200
+++ showpartial 2005-08-05 20:28:52.000000000 +0200
@@ -30,7 +30,7 @@
METAMAIL_TMPDIR=3D/tmp
fi
=20
-TREEROOT=3D$METAMAIL_TMPDIR/msg-parts-`whoami`
+
=20
if test -z "$3" -o ! -z "$5"
then
@@ -52,16 +52,19 @@
totalnum=3D$4
fi
=20
-mkdir $TREEROOT 2>/dev/null || true
-if OUTPUT=3D$(find $TREEROOT -maxdepth 0 -user `whoami` -print 2>/dev/null=
) &&
- [ -n $OUTPUT ]
-then
- :
+if [ -n "$HOME" ] ; then
+# If we have a home directory, create a temporary dir and
+# store the name there unless the file already exists
+# and the directory it points to is valid directory
+ [ -e "$HOME/.metamail_treeroot" ] && TREEROOT=3D`cat $HOME/.metamail_tree=
root`
+ [ -e "$TREEROOT" ] && [ ! -d "$TREEROOT" ] && rm -f "$TREEROOT"=20
+ if [ ! -e "$HOME/.metamail_treeroot" ] || [ ! -e "$TREEROOT" ]; then
+ TREEROOT=3D`mktemp -d -t msg-parts.XXXXXX` || { echo "$0: Cannot create =
temporary dir!" >&2 ; exit 1; }
+ echo $TREEROOT >$HOME/.metamail_treeroot
+ fi
else
- echo mkdir $TREEROOT failed
- exit 1
+ TREEROOT=3D$METAMAIL_TMPDIR/msg-parts-`whoami`
fi
-
if test ! -d "${TREEROOT}/$id"
then
mkdir "${TREEROOT}/$id"
--z6Eq5LdranGa6ru8--
--L6iaP+gRLNZHKoI4
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFC87D8sandgtyBSwkRAjbaAKCDxMfgyLj388g1ugUlCoLXshyTuQCeLiDA
kVBqBgnhLGa+Ns/VS1YjJks=
=hzE6
-----END PGP SIGNATURE-----
--L6iaP+gRLNZHKoI4--
---------------------------------------
Received: (at 321473-close) by bugs.debian.org; 17 Aug 2005 20:28:41 +0000
>From katie@spohr.debian.org Wed Aug 17 13:28:41 2005
Return-path: <katie@spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1E5ULd-0005ik-00; Wed, 17 Aug 2005 13:17:17 -0700
From: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
To: 321473-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#321473: fixed in metamail 2.7-48
Message-Id: <E1E5ULd-0005ik-00@spohr.debian.org>
Sender: Archive Administrator <katie@spohr.debian.org>
Date: Wed, 17 Aug 2005 13:17:17 -0700
Delivered-To: 321473-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 5
Source: metamail
Source-Version: 2.7-48
We believe that the bug you reported is fixed in the latest version of
metamail, which is due to be installed in the Debian FTP archive:
metamail_2.7-48.diff.gz
to pool/main/m/metamail/metamail_2.7-48.diff.gz
metamail_2.7-48.dsc
to pool/main/m/metamail/metamail_2.7-48.dsc
metamail_2.7-48_i386.deb
to pool/main/m/metamail/metamail_2.7-48_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 321473@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@computer.org> (supplier of updated metamail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 17 Aug 2005 00:17:20 +0200
Source: metamail
Binary: metamail
Architecture: source i386
Version: 2.7-48
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Description:
metamail - implementation of MIME
Closes: 311450 311451 311452 311453 321473
Changes:
metamail (2.7-48) unstable; urgency=low
.
* QA Group upload by Javier Fernandez-Sanguino
* Fix typos in manpages with patches provided by A Costa (Closes: #311450,
#311451, #311452, #311453)
* Fix use of temporary files in showpartial so that uses cannot introduce
a DOS through the use of hard links. Temporary files are created with
mktemp and their filename is stored in ~/.metamail_treeroot (Closes:
#321473)
Files:
ebab53906f2624a01c6eaea691668a94 700 mail optional metamail_2.7-48.dsc
89c20ef55357765c2989dfc8ca325b24 342127 mail optional metamail_2.7-48.diff.gz
4aceb6afcdebb57eea9a86098f3c8740 150156 mail optional metamail_2.7-48_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iQCVAwUBQwJprftEPvakNq0lAQL0jwP/R3uN8LauV/Vy5yFKwwpMAoyJRzqxuQqv
xhc2a7pAmIAiTkSHoIiy+/9avAbYLX4kl9DwibWldKl41jnBt3tiC0f5C8EwkmR1
8s9mdQ6QoCaLvNFcDALfHK/usHzrZZdj7yq6Zw2Z7zl9JyAVjWPWMTL/8pyA6kJ3
1dK4Fx3oRAM=
=SgzR
-----END PGP SIGNATURE-----
Reply to: