diff options
Diffstat (limited to 'metadata/glsa/glsa-200808-12.xml')
| -rw-r--r-- | metadata/glsa/glsa-200808-12.xml | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-200808-12.xml b/metadata/glsa/glsa-200808-12.xml new file mode 100644 index 000000000000..4811e99d62ab --- /dev/null +++ b/metadata/glsa/glsa-200808-12.xml @@ -0,0 +1,123 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="200808-12"> + <title>Postfix: Local privilege escalation vulnerability</title> + <synopsis> + Postfix incorrectly checks the ownership of a mailbox, allowing, in certain + circumstances, to append data to arbitrary files on a local system with + root privileges. + </synopsis> + <product type="ebuild">postfix</product> + <announced>2008-08-14</announced> + <revised count="02">2008-10-23</revised> + <bug>232642</bug> + <access>local</access> + <affected> + <package name="mail-mta/postfix" auto="yes" arch="*"> + <unaffected range="rge">2.4.7-r1</unaffected> + <unaffected range="ge">2.5.3-r1</unaffected> + <unaffected range="rge">2.4.8</unaffected> + <unaffected range="ge">2.4.9</unaffected> + <vulnerable range="lt">2.5.3-r1</vulnerable> + </package> + </affected> + <background> + <p> + Postfix is Wietse Venema's mailer that attempts to be fast, easy to + administer, and secure, as an alternative to the widely-used Sendmail + program. + </p> + </background> + <description> + <p> + Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail + to root-owned symlinks in an insecure manner under certain conditions. + Normally, Postfix does not deliver mail to symlinks, except to + root-owned symlinks, for compatibility with the systems using symlinks + in /dev like Solaris. Furthermore, some systems like Linux allow to + hardlink a symlink, while the POSIX.1-2001 standard requires that the + symlink is followed. Depending on the write permissions and the + delivery agent being used, this can lead to an arbitrary local file + overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix + delivery agent does not properly verify the ownership of a mailbox + before delivering mail (CVE-2008-2937). + </p> + </description> + <impact type="high"> + <p> + The combination of these features allows a local attacker to hardlink a + root-owned symlink such that the newly created symlink would be + root-owned and would point to a regular file (or another symlink) that + would be written by the Postfix built-in local(8) or virtual(8) + delivery agents, regardless the ownership of the final destination + regular file. Depending on the write permissions of the spool mail + directory, the delivery style, and the existence of a root mailbox, + this could allow a local attacker to append a mail to an arbitrary file + like /etc/passwd in order to gain root privileges. + </p> + <p> + The default configuration of Gentoo Linux does not permit any kind of + user privilege escalation. + </p> + <p> + The second vulnerability (CVE-2008-2937) allows a local attacker, + already having write permissions to the mail spool directory which is + not the case on Gentoo by default, to create a previously nonexistent + mailbox before Postfix creates it, allowing to read the mail of another + user on the system. + </p> + </impact> + <workaround> + <p> + The following conditions should be met in order to be vulnerable to + local privilege escalation. + </p> + <ul> + <li>The mail delivery style is mailbox, with the Postfix built-in + local(8) or virtual(8) delivery agents.</li> + <li>The mail spool directory (/var/spool/mail) is user-writeable.</li> + <li>The user can create hardlinks pointing to root-owned symlinks + located in other directories.</li> + </ul> + <p> + Consequently, each one of the following workarounds is efficient. + </p> + <ul> + <li>Verify that your /var/spool/mail directory is not writeable by a + user. Normally on Gentoo, only the mail group has write access, and no + end-user should be granted the mail group ownership.</li> + <li>Prevent the local users from being able to create hardlinks + pointing outside of the /var/spool/mail directory, e.g. with a + dedicated partition.</li> + <li>Use a non-builtin Postfix delivery agent, like procmail or + maildrop.</li> + <li>Use the maildir delivery style of Postfix ("home_mailbox=Maildir/" + for example).</li> + </ul> + <p> + Concerning the second vulnerability, check the write permissions of + /var/spool/mail, or check that every Unix account already has a + mailbox, by using Wietse Venema's Perl script available in the official + advisory. + </p> + </workaround> + <resolution> + <p> + All Postfix users should upgrade to the latest version: + </p> + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"</code> + </resolution> + <references> + <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936">CVE-2008-2936</uri> + <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937">CVE-2008-2937</uri> + <uri link="https://article.gmane.org/gmane.mail.postfix.announce/110">Official Advisory</uri> + </references> + <metadata tag="submitter" timestamp="2008-08-14T13:13:26Z"> + falco + </metadata> + <metadata tag="bugReady" timestamp="2008-08-14T22:37:03Z"> + falco + </metadata> +</glsa> |