Your message dated Thu, 04 Feb 2010 19:52:49 +0000
with message-id <e1nd7kv-0002sh...@ries.debian.org>
and subject line Bug#564601: fixed in maildrop 2.0.4-3+lenny1
has caused the Debian Bug report #564601,
regarding possible problems when switching UID/GIDs in delivery mode when run as root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
564601: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: maildrop
Justification: user security hole
Severity: grave
Tags: security

Hi.

Not sure if this is actually a hole or if I just misunderstand
something... but:

In Debian /usr/bin/maildrop is installed:
-rwxr-sr-x 1 root mail 163k Nov  9 01:11 /usr/bin/maildrop

So I'd expect that the following invocation (as root!!):
# maildrop -d vmail
results in something like the following contents of /tmp/foo:
uid=115(vmail) gid=119(vmail) groups=119(vmail),119(vmail)
when ~vmail/.mailfilter is:
`id`

Right so far?
It does however result in:
uid=115(vmail) gid=0(root) groups=119(vmail),0(root)
which can be quite security critical as it now has root-group
privileges.


Cheers,
Chris.




--- End Message ---
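The check Chris performs by hand with `id` can be built into the code that switches ids. The following C is an added example for this thread, not maildrop's own code; it assumes Linux/glibc, and the uid/gid values from the report (115/119) appear only as constructed sample values.

```c
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* The property the report checked with `id`: after switching to uid/gid, the
 * real and effective ids equal the target, and no supplementary group other
 * than the target gid remains (so no gid 0 carried over from the caller). */
int ids_fully_dropped(uid_t uid, gid_t gid, uid_t ruid, uid_t euid,
                      gid_t rgid, gid_t egid, const gid_t *groups, int ngroups)
{
    if (ruid != uid || euid != uid) return 0;
    if (rgid != gid || egid != gid) return 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != gid) return 0;
    return 1;
}

/* Switch to uid/gid in an order that leaves nothing behind: supplementary
 * groups first (only root may change them), then the gid, then the uid last,
 * since once the uid is dropped the process can no longer change its gid.
 * Returns 0 on success, -1 (errno set) on failure or if old ids remain. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[64];
    int n;

    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify rather than trust the calls, as the report did with `id`. */
    n = getgroups(0, NULL);
    if (n < 0 || n > (int)(sizeof groups / sizeof groups[0])) return -1;
    n = getgroups(n, groups);
    if (n < 0) return -1;
    if (!ids_fully_dropped(uid, gid, getuid(), geteuid(), getgid(), getegid(),
                           groups, n)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

A delivery agent that calls `drop_privileges()` before running a user's filter would refuse to continue in exactly the state the report observed (uid changed, gid still 0).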
--- Begin Message ---
Source: maildrop
Source-Version: 2.0.4-3+lenny1

We believe that the bug you reported is fixed in the latest version of
maildrop, which is due to be installed in the Debian FTP archive:

maildrop_2.0.4-3+lenny1.diff.gz
  to main/m/maildrop/maildrop_2.0.4-3+lenny1.diff.gz
maildrop_2.0.4-3+lenny1.dsc
  to main/m/maildrop/maildrop_2.0.4-3+lenny1.dsc
maildrop_2.0.4-3+lenny1_i386.deb
  to main/m/maildrop/maildrop_2.0.4-3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 564...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <wh...@debian.org> (supplier of updated maildrop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Wed, 27 Jan 2010 22:55:05 +0100
Source: maildrop
Binary: maildrop
Architecture: source i386
Version: 2.0.4-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Josip Rodin <joy-packa...@debian.org>
Changed-By: Steffen Joeris <wh...@debian.org>
Description: 
 maildrop   - mail delivery agent with filtering abilities
Closes: 564601
Changes: 
 maildrop (2.0.4-3+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix privilege escalation bug when using maildrop -d
     (Closes: #564601) Thanks to Sam Varshavchik

--- End Message ---