Package: spamassassin
Version: 3.4.1-8
Severity: normal
Tags: patch security
Control: found -1 3.3.2-3
spamassassin.postinst has this in the "configure" stanza:

    …
            # Lets debian-spamd claim ownership of spamassassin updates on upgrades,
            # unless the user has overridden.
            if ! dpkg-statoverride --list /var/lib/spamassassin/* >/dev/null && \
                    [ "$OWNER:$GROUP" != "debian-spamd:debian-spamd" ]; then
                    chown -R debian-spamd:debian-spamd /var/lib/spamassassin
                    OWNER=debian-spamd GROUP=debian-spamd
            fi

This means that (barring some special local administrative override of how spamassassin updates are handled) upon package configuration, there will be a recursive chown of the contents of /var/lib/spamassassin to be owned by the debian-spamd user.

If the debian-spamd user account is compromised, and the kernel is running without fs.protected_hardlinks=1, then debian-spamd can link to arbitrary files on the same filesystem as this directory, and wait for a package upgrade to gain ownership of them.

This problem exists at least in debian unstable, but it appears to go back at least to 2012, when the debian-spamd user was introduced. (Most likely, the recursive chown was to make it easier to transition existing setups that were already root-owned; those setups should now be obsolete and we don't have to account for them any more.)

It can be fixed simply by making this chown non-recursive:

diff --git a/debian/spamassassin.postinst b/debian/spamassassin.postinst
index 995a3bf..f9bf27f 100644
--- a/debian/spamassassin.postinst
+++ b/debian/spamassassin.postinst
@@ -23,7 +23,7 @@ if [ "$1" = "configure" ]; then
                # unless the user has overridden.
                if ! dpkg-statoverride --list /var/lib/spamassassin/* >/dev/null && \
                        [ "$OWNER:$GROUP" != "debian-spamd:debian-spamd" ]; then
-                       chown -R debian-spamd:debian-spamd /var/lib/spamassassin
+                       chown debian-spamd:debian-spamd /var/lib/spamassassin
                        OWNER=debian-spamd GROUP=debian-spamd
                fi

Thanks for maintaining spamassassin in debian!

--dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages spamassassin depends on:
ii  adduser                                     3.116
ii  curl                                        7.58.0-2
ii  init-system-helpers                         1.51
ii  libhtml-parser-perl                         3.72-3+b2
ii  libhttp-date-perl                           6.02-1
ii  libmail-dkim-perl                           0.44-1
ii  libnet-dns-perl                             1.10-2
ii  libnetaddr-ip-perl                          4.079+dfsg-1+b2
ii  libsocket6-perl                             0.27-1+b3
ii  libsys-hostname-long-perl                   1.5-1
ii  libwww-perl                                 6.31-1
ii  lsb-base                                    9.20170808
ii  perl                                        5.26.1-4
ii  perl-modules-5.24 [libarchive-tar-perl]     5.24.1-7
ii  perl-modules-5.26 [libarchive-tar-perl]     5.26.1-4
ii  w3m                                         0.5.3-36

Versions of packages spamassassin recommends:
ii  gnupg                                 2.2.4-1
ii  libio-socket-inet6-perl               2.72-2
pn  libmail-spf-perl                      <none>
ii  libperl5.24 [libsys-syslog-perl]      5.24.1-7
ii  libperl5.26 [libsys-syslog-perl]      5.26.1-4
pn  sa-compile                            <none>
ii  spamc                                 3.4.1-8

Versions of packages spamassassin suggests:
ii  libdbi-perl                             1.639-1
pn  libencode-detect-perl                   <none>
pn  libgeo-ip-perl                          <none>
ii  libio-socket-ssl-perl                   2.052-1
pn  libnet-patricia-perl                    <none>
ii  libperl5.24 [libcompress-zlib-perl]     5.24.1-7
ii  libperl5.26 [libcompress-zlib-perl]     5.26.1-4
pn  pyzor                                   <none>
pn  razor                                   <none>

-- no debconf information
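Review bot: With -R dropped, the chown only re-owns the /var/lib/spamassassin directory itself, so any files beneath it that are still root-owned from the pre-debian-spamd layout (the transition case the report calls obsolete) keep their current owner and sa-update running as debian-spamd will be unable to replace them; if that migration is no longer supported, record the one-time manual `chown` in the changelog or a NEWS entry so the behaviour change is not silent. A smaller point on the unchanged guard two lines above: the unquoted glob in `dpkg-statoverride --list /var/lib/spamassassin/*` is expanded by the shell to the directory's immediate children, not to /var/lib/spamassassin itself, which after this change is the only path being chowned, so a statoverride on the directory would not suppress it; checking `/var/lib/spamassassin` (without the glob) matches the new scope.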
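The following is an added illustration of the mechanism the report describes, not part of the bug report or of the spamassassin packaging. It builds a scratch tree standing in for /var/lib/spamassassin and a "victim" file elsewhere on the same filesystem, plants a hard link to the victim inside the tree, and shows that a metadata change made through the planted name lands on the victim too (chmod is used as the non-root stand-in for the chown -R a maintainer script would run). It also shows the two checks a practitioner would want: whether the kernel's fs.protected_hardlinks mitigation is on, and a pre-flight scan for multiply-linked files before any recursive ownership change. It assumes GNU stat and find as shipped on Debian; the scratch paths are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the report): why "chown -R" over a directory owned by
# an unprivileged account is dangerous when that account can create hard links.
set -eu

SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT INT TERM

# Constructed stand-ins: the package state directory and a file the attacker
# (the account owning STATEDIR) would like to own.
STATEDIR="$SCRATCH/var/lib/spamassassin"
VICTIM="$SCRATCH/etc/sensitive.conf"
mkdir -p "$STATEDIR" "$(dirname "$VICTIM")"
printf 'secret=1\n' > "$VICTIM"
chmod 600 "$VICTIM"

# Attacker step: plant a hard link to VICTIM inside the tree that will later
# be chowned. With fs.protected_hardlinks=0 this works for any file on the
# same filesystem, whoever owns it. (Here we own both, so it works regardless.)
ln "$VICTIM" "$STATEDIR/planted"

# Both names refer to one inode; ownership and mode live on the inode, so a
# recursive chown that reaches "planted" would re-own VICTIM as well.
same_inode() { [ "$(stat -c %i "$1")" = "$(stat -c %i "$2")" ]; }
mode_of()    { stat -c %a "$1"; }

# Non-root demonstration of the same effect: change mode through the planted
# name and observe it on the victim's name.
chmod 644 "$STATEDIR/planted"

# Pre-flight check a maintainer script could run before any recursive
# ownership change: report regular files whose inode has more than one name.
# Prints the paths and returns 1 if any are found, 0 if the tree is clean.
find_multilinked() {
    found=$(find "$1" -type f -links +1 -print)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Kernel-side mitigation: 1 means unprivileged users may only hard-link files
# they own or can write to. Prints "unknown" where the sysctl is absent.
hardlink_protection() {
    cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo unknown
}

printf 'victim inode %s, planted inode %s\n' \
    "$(stat -c %i "$VICTIM")" "$(stat -c %i "$STATEDIR/planted")"
printf 'victim mode after chmod through planted link: %s\n' "$(mode_of "$VICTIM")"
find_multilinked "$STATEDIR" || printf 'refusing recursive ownership change\n'
printf 'fs.protected_hardlinks=%s\n' "$(hardlink_protection)"
```

The recursive chown is only safe if nothing under the tree can be a name for an inode outside it; the scan above catches a link that is already planted, but a check-then-chown sequence is still racy against an attacker who can create links at will, which is why the kernel sysctl, or simply not recursing, is the real fix.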