Your message dated Tue, 17 May 2005 16:49:15 +0200
with message-id <[EMAIL PROTECTED]>
and subject line [CAN-2004-1808] Not a bug
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 May 2005 21:50:42 +0000
>From [EMAIL PROTECTED] Thu May 12 14:50:42 2005
Return-path: <[EMAIL PROTECTED]>
Received: from krepost.taket.org (localhost) [82.233.235.217] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DWLZq-0003fC-00; Thu, 12 May 2005 14:50:42 -0700
Received: from djoume by localhost with local (Exim 4.50)
        id 1DWLZh-0007zJ-5v; Thu, 12 May 2005 23:50:33 +0200
Content-Type: multipart/mixed; boundary="===============1025160442=="
MIME-Version: 1.0
From: Djoume SALVETTI <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: metamail: Metamail 'extcompose' script Symlink Vulnerability
X-Mailer: reportbug 3.12
Date: Thu, 12 May 2005 23:50:27 +0200
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]

This is a multi-part MIME message sent by reportbug.

--===============1025160442==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: metamail
Severity: normal
Tags: security patch


Good day,

From CAN-2004-1808 :

| Extcompose in metamail does not verify the output file before writing
| to it, which allows local users to overwrite arbitrary files via a
| symlink attack.

More info is available here :

http://archives.neohapsis.com/archives/bugtraq/2004-03/0118.html

I think the attached (trivial) patch fixes the problem.

Regards

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc3
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages metamail depends on:
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand

--===============1025160442==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="metamail.patch"

diff -ru metamail-2.7/bin/extcompose metamail-2.7.djo/bin/extcompose
--- metamail-2.7/bin/extcompose 2005-05-12 23:36:41.000000000 +0200
+++ metamail-2.7.djo/bin/extcompose     2005-05-12 23:35:45.000000000 +0200
@@ -17,6 +17,12 @@
 fi
 OUTFNAME=$1
 
+if [ -e $OUTFNAME ]
+then
+               echo "Error : $OUTFNAME already exist." 1>&2
+               exit 1
+fi
+
 choosing=yes
 while [ $choosing = yes ]
 do
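
Review bot: the added test '[ -e $OUTFNAME ]' does not cover the symlink case the report is about. '-e' follows symlinks, so a dangling link at $OUTFNAME tests false and the script goes on to write through it; the variable is also unquoted, so a name containing spaces breaks the test. A check made here is separated in time from the later write, so a link created in between is still followed. Suggest '[ -e "$OUTFNAME" ] || [ -L "$OUTFNAME" ]' for the refusal and creating the file under 'set -C' so that creation itself fails when the name exists. Refusing every existing file also rejects a temporary file that the caller created securely beforehand, which changes the interface and should be documented. The message should read "already exists".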

--===============1025160442==--

---------------------------------------
Received: (at 308875-done) by bugs.debian.org; 17 May 2005 14:49:17 +0000
>From [EMAIL PROTECTED] Tue May 17 07:49:17 2005
Return-path: <[EMAIL PROTECTED]>
Received: from 220pc220.sshunet.nl (mordor.wolffelaar.nl) [145.97.220.220] 
(Debian-exim)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DY3Nk-0003mt-00; Tue, 17 May 2005 07:49:17 -0700
Received: from jeroen by mordor.wolffelaar.nl with local (Exim 4.50)
        id 1DY3Nj-0008AT-4U; Tue, 17 May 2005 16:49:15 +0200
Date: Tue, 17 May 2005 16:49:15 +0200
To: Djoume SALVETTI <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], Shaun Colley <[EMAIL PROTECTED]>,
        [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [CAN-2004-1808] Not a bug
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.9i
From: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]

On Thu, May 12, 2005 at 11:50:27PM +0200, Djoume SALVETTI wrote:
> Good day,
> 
> From CAN-2004-1808 :
> 
> | Extcompose in metamail does not verify the output file before writing
> | to it, which allows local users to overwrite arbitrary files via a
> | symlink attack.
> 
> More info is available here :
> 
> http://archives.neohapsis.com/archives/bugtraq/2004-03/0118.html

This is not a bug:

If one calls "extcompose $file", one expects it to write to that file,
whether or not that's a symlink. It's only a potential problem of a
program invoking "extcompose" with an improperly secured temporary file,
extcompose itself cannot do anything about this.

With the typical use, mailcap, a mail user agent will ensure the file
it's invoked on is secure, if not, that's a bug in that mail user agent.

Annoyingly, I only noticed this when preparing an upload for this bug
and noticing one cannot really fix this one.
 
--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED]
http://jeroen.A-Eskwadraat.nl
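
The two positions in this thread, side by side, as an added example that is not part of either message or of metamail: the patch's existence check, a stricter check, exclusive creation, and the caller-side private directory the reply relies on. All function names and the scenario in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from metamail.

# The patch's test: succeeds (0) when the check would let the write go ahead.
# test -e follows symlinks, so a dangling link looks like "no such file".
patch_check_allows() {
    [ ! -e "$1" ]
}

# Stricter pre-check: also refuse when the name itself is a symlink.
strict_check_allows() {
    [ ! -e "$1" ] && [ ! -L "$1" ]
}

# Race-free creation: with noclobber (set -C) the shell creates the file with
# O_CREAT|O_EXCL, which fails if the name exists, symlinks included.
# The subshell keeps set -C and any redirection error local.
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Caller side (the mail user agent's job in the reply): a directory made by
# mktemp -d is mode 0700, so no other local user can plant a link inside it.
make_private_outfile() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/extc.XXXXXX") || return 1
    printf '%s\n' "$dir/body"
}

# Constructed scenario: a dangling symlink sits at the output name.
demo() {
    work=$(mktemp -d) || return 1
    ln -s "$work/victim" "$work/out"
    patch_check_allows "$work/out"  && echo "patch check: write allowed"
    strict_check_allows "$work/out" || echo "strict check: refused"
    create_exclusive "$work/out"    || echo "noclobber create: refused"
    [ -e "$work/victim" ]           || echo "link target untouched"
    rm -rf "$work"
}
demo
```

Only create_exclusive closes the window between check and write; the two pre-checks differ in whether they notice the link at all.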

