Package: fidogate
Version: 4.4.7-2
Severity: grave
Tags: security

Neils Heinen found that a local attacker can use setuid programs
installed as part of fidogate to create or append to files with the
privileges of the `ftn' user. Binaries ffx, ftnafmail, and rfc2ftn
will open any file specified by the LOGFILE or FIDOGATE_LOGFILE
environment variable.

fidogate 4.4.10 fixes this by removing the vulnerable code (patch
below).

To reproduce:

$ ls -l /tmp/example
ls: /tmp/example: No such file or directory
$ LOGFILE=/tmp/example /usr/lib/fidogate/ffx
$ ls -l /tmp/example
-rw-r--r-- 1 ftn users 99 Aug 13 19:05 /tmp/example

References:
<http://www.securityfocus.com/bid/11005>
<http://securitytracker.com/id?1011021>

Thanks,
Matej
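An alternative to deleting the override, shown as an added example that is not fidogate's code and not the upstream fix: a setuid program can honour the variables only when its real and effective ids match. The helper names and DEFAULT_LOGFILE are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed default; the real log path would come from the
 * program's own configuration, not from this example. */
#define DEFAULT_LOGFILE "/var/log/example/log"

/* True when the process runs with more privilege than its invoker,
 * i.e. a setuid or setgid bit changed the effective ids. */
static int ids_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical helper: choose the log file. The environment is honoured
 * only for an unprivileged run and only for an absolute path; in every
 * other case the compiled-in default is returned. */
static const char *choose_logfile(uid_t ruid, uid_t euid,
                                  gid_t rgid, gid_t egid)
{
    static const char *const vars[] = { "LOGFILE", "FIDOGATE_LOGFILE" };
    const char *path = DEFAULT_LOGFILE;
    size_t i;

    if (ids_elevated(ruid, euid, rgid, egid))
        return path;          /* the invoker controls the environment */

    for (i = 0; i < sizeof vars / sizeof vars[0]; i++) {
        const char *p = getenv(vars[i]);
        if (p != NULL && p[0] == '/')
            path = p;         /* a later variable overrides an earlier one */
    }
    return path;
}

int main(void)
{
    /* Real ids of the invoker versus effective ids granted by the mode bits. */
    const char *path = choose_logfile(getuid(), geteuid(),
                                      getgid(), getegid());
    return path[0] == '/' ? 0 : 1;
}
```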
Index: fidogate/src/common/log.c
===================================================================
RCS file: /cvsroot/fidogate/fidogate/src/common/log.c,v
retrieving revision 4.21
retrieving revision 4.22
diff -u -b -I\$Id -r4.21 -r4.22
--- fidogate/src/common/log.c 16 Feb 2003 15:38:56 -0000 4.21
+++ fidogate/src/common/log.c 20 Aug 2004 21:21:39 -0000 4.22
@@ -280,8 +280,10 @@
BUF_COPY(logprog, name);
+#if 0 /**NOT NEEDED AND SECURITY RISK**/
if( (p = getenv("LOGFILE")) )
log_file(p);
if( (p = getenv("FIDOGATE_LOGFILE")) )
log_file(p);
+#endif
}
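Review bot: The two getenv() blocks between #if 0 and #endif should be deleted rather than compiled out; leaving them in log.c keeps the LOGFILE / FIDOGATE_LOGFILE override one preprocessor edit away from coming back, and the comment "NOT NEEDED AND SECURITY RISK" does not say what the risk is. Suggest removing the four lines and replacing the comment with one sentence stating that the log path must not be taken from the environment because the calling binaries may be setuid. Also check whether p is still used elsewhere in this function: if these were its only uses, the declaration will now draw an unused-variable warning.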