Control: retitle -1 mailutils: local privilege escalation in maidag utility (fixed in 3.8) (CVE-2019-18862)

Hi,

On Thu, Nov 07, 2019 at 07:55:56AM +0800, Paul Wise wrote:
> Source: mailutils
> Severity: serious
> Tags: security fixed-upstream
> 
> There is a local privilege escalation in the maidag utility:
> 
> https://savannah.gnu.org/forum/forum.php?forum_id=9586
> 
>    This version fixes an important security flaw. The maidag utility has
>    been withdrawn and three new programs have been included to provide
>    its functionality: local mail delivery agent mda, LMTP daemon lmtpd,
>    and user mail delivery tool putmail.
> 
> https://git.savannah.gnu.org/cgit/mailutils.git/plain/NEWS
> 
>    * The maidag utility is withdrawn
> 
>    The main purpose of this utility was to work as local mail delivery
>    agent (MDA), a program responsible for final delivery of email messages
>    to the recipient's mailbox.  As such it required suid privileges.
> 
>    In parallel with its main purpose, it also was able to work in two
>    other modes: the 'url' mode, designed to deliver mails to arbitrary
>    mailbox URLs, and 'lmtp' mode, in which it acted as local mail
>    transport daemon.  Neither of these needed suid privileges.
> 
>    The unfortunate design decision to combine the three modes in a single
>    versatile tool resulted in local privilege escalation threat in 'url'
>    mode.
> 
>    To fix this, maidag has been replaced by three different utilities,
>    each one with a precisely defined purpose and carefully designed
>    privileges: mda, lmtpd, and putmail.

The issue has been assigned CVE-2019-18862.

Regards,
Salvatore
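The following audit script is an added example for this report; it is not part of the bug discussion, of Debian's packaging, or of the mailutils project. It flags two things the advisory above makes relevant: a mailutils version string older than the upstream fix in 3.8, and any remaining setuid binary named maidag (the withdrawn tool needed suid for local delivery, and that is what made the 'url' mode a privilege escalation). The install directories passed on the command line and the version strings in the comments are assumptions for illustration; a distribution that backports the fix may keep an older version string, so the setuid check is the more direct signal.

```sh
#!/bin/sh
# Added example, not code from the mailutils project or the bug report.
# Audit a host for the withdrawn setuid maidag binary (CVE-2019-18862) and
# for a mailutils version older than the upstream fix in 3.8.

# Return 0 ("fixed") when the upstream version is 3.8 or later, 1 otherwise.
# Only the leading MAJOR.MINOR components are compared. A Debian epoch
# prefix such as "1:" and a "-N" package revision are stripped first, so
# strings like "1:3.9-1" (assumed format, for illustration) work as well.
mailutils_version_fixed() {
    v=${1#*:}                        # drop epoch "1:"
    v=${v%%-*}                       # drop Debian revision "-N"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ "$rest" = "$v" ] && minor=0    # bare "3" means 3.0
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; then return 0; fi
    return 1
}

# Print every regular file named maidag under the given directories that
# carries the setuid bit. Directories that do not exist are skipped, so the
# caller can pass every candidate location without checking first.
find_suid_maidag() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -name maidag -perm -4000 2>/dev/null
    done
}

# One-line verdict: OK only if the version is fixed AND no setuid maidag
# remains; either condition alone is enough to report VULNERABLE.
audit_maidag() {
    version=$1
    shift
    suid=$(find_suid_maidag "$@")
    if mailutils_version_fixed "$version" && [ -z "$suid" ]; then
        echo "OK: mailutils $version, no setuid maidag found"
    else
        echo "VULNERABLE: mailutils $version${suid:+, setuid maidag at: $suid}"
    fi
}

# Usage (assumed locations; adjust to the distribution's layout):
#   audit_maidag "$(dpkg-query -W -f '${Version}' mailutils)" \
#       /usr/sbin /usr/lib/mailutils /usr/local/sbin
```

Run it as the local user, not root: find(1) only needs read access to the directories to report the setuid bit, which is exactly the vantage point of the unprivileged user the escalation would start from.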
