mgetty vulnerable?

To: debian-security@lists.debian.org
Cc: gert.doering@physik.tu-muenchen.de
Subject: mgetty vulnerable?
From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>
Date: Thu, 1 May 2003 16:32:05 -0500 (CDT)
Message-id: <Pine.GSO.4.40.0305011615550.22452-100000@deneb.cc.umanitoba.ca>

I don't know whether potato, woody, sarge and sid should have a security
bug filed against them.

According to http://packages.qa.debian.org/m/mgetty.html sid has version
1.1.30-1, sarge has version 1.1.28-5, and woody has version 1.1.27-4.1.
Note that Debian packages contain changes. I have not looked to see if
these changes might fix the issues, but they should be visible in the
http://saens.debian.org/debian/pool/main/m/mgetty/ directory as the
*.diff.gz files.

Note that it looks like potato contains mgetty 1.1.21-3potato1 which is a
version of mgetty that contains a security fix that fixes the "Immunix
reports that mgetty does not create temporary files in a secure manner,
which could lead to a symlink attack." bug. I'd imagine this change would
have been incorporated in later versions.

The changelog for version 1.1.23-3 says:
mgetty (1.1.21-3) stable; urgency=low

  * make mgetty-fax's postinst create /var/spool/fax/outgoing/.last_run
    to close a potential symlink exploit by members of the fax group
    that is otherwise possible until that file is created

 -- Philip Hands <phil@hands.com>  Thu, 31 Aug 2000 19:05:13 +0100
I can't see a changelog for version 1.1.23-3potato1, so maybe this is the
diff file for that.

http://search.alphanet.ch/cgi-bin/search.cgi?msgid=20021125142338.E12094%40greenie.muc.de&max_results=1&type=long&domain=ml-mgetty
says:
[...]
Security fixes / concept changes:

 * it's now possible to run faxrunq/faxrunqd (and thus sendfax) as
   non-root user

 * fax spool directories are no longer world-writeable, access is done
   via a suid helper program (suid to a special user ID, "fax")

 * possible buffer overrun when calling cnd-program (if CallerName is
   too long)

 * $CALLER_ID, $CALLER_NAME and so on are sanitized before passing to shell
   (all quote characters and all non-printable characters are replaced by " ")
[...]
Who should upgrade?

 * everbody who is using faxspool/faxrunq on a machine that is shared
   with other users that are not 100 per cent trustworthy

 * vgetty users with V.253 modems


Distribution vendors:

 - I strongly urge you to upgrade to 1.1.29 - older versions are NOT safe
   if there are malicious users on the system and faxrunq/faxrunqd are in
   use.

 - The fax queue handling (faxspool, faxq-helper) needs a new user ID
   now ("fax") which MUST own the fax queue directories and SHOULD NOT
   own anything else.  The user ID is configured in the Makefile.

 - faxrunq/faxrunqd can run as user "fax", but in that case the user
   needs access to the modem devices (via his primary group id).

   Watch out for log file access permissions if this is used!


If anything is unclear, *please* talk to me before rolling out updated
packages that might break things in funny ways.
[...]

Please don't mail team@security.debian.org until you are reasonably cetain
potato or woody are vulnerable.

     Drew Daniels

Reply to:

Follow-Ups:
- Re: mgetty vulnerable?
  - From: Andreas Barth <aba@not.so.argh.org>
- Re: mgetty vulnerable
  - From: Wolfgang Sourdeau <was@debian.org>

Prev by Date: Re: Injectso to help with libc upgrades?
Next by Date: Re: [despammed] Re: Secure remote syslogging?
Previous by thread: Re: Injectso to help with libc upgrades?
Next by thread: Re: mgetty vulnerable?
Index(es):
- Date
- Thread