Your message dated Sat, 19 Aug 2006 18:28:06 +0200 (CEST)
with message-id <[EMAIL PROTECTED]>
and subject line Fidogate has been removed from Debian
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: fidogate
Version: 4.4.7-2
Severity: grave
Tags: security

Neils Heinen found that a local attacker can use setuid programs
installed as part of fidogate to create or append to files with the
privileges of the `ftn' user.  Binaries ffx, ftnafmail, and rfc2ftn
will open any file specified by the LOGFILE or FIDOGATE_LOGFILE
environment variable.

fidogate 4.4.10 fixes this by removing the vulnerable code (patch
below).

To reproduce:

    $ ls -l /tmp/example
    ls: /tmp/example: No such file or directory
    $ LOGFILE=/tmp/example /usr/lib/fidogate/ffx
    $ ls -l /tmp/example
    -rw-r--r-- 1 ftn users 99 Aug 13 19:05 /tmp/example

References:

    <http://www.securityfocus.com/bid/11005>
    <http://securitytracker.com/id?1011021>

Thanks,

Matej
Index: fidogate/src/common/log.c
===================================================================
RCS file: /cvsroot/fidogate/fidogate/src/common/log.c,v
retrieving revision 4.21
retrieving revision 4.22
diff -u -b -I\$Id -r4.21 -r4.22
--- fidogate/src/common/log.c   16 Feb 2003 15:38:56 -0000      4.21
+++ fidogate/src/common/log.c   20 Aug 2004 21:21:39 -0000      4.22
@@ -280,8 +280,10 @@
     
     BUF_COPY(logprog, name);
 
+#if 0 /**NOT NEEDED AND SECURITY RISK**/
     if( (p = getenv("LOGFILE")) )
        log_file(p);
     if( (p = getenv("FIDOGATE_LOGFILE")) )
        log_file(p);
+#endif
 }
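Review bot: The `#if 0` around the two getenv() calls leaves the vulnerable lookup in the source, where it can be re-enabled by editing a single line; delete the block outright rather than disabling it. If the guard is kept, the comment should say why this is a risk: per the report, the binaries run setuid `ftn`, so LOGFILE and FIDOGATE_LOGFILE are caller-controlled input to log_file(). If `p` has no other use in this function, drop its declaration as well to avoid an unused-variable warning.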

--- End Message ---
--- Begin Message ---
Hello,

Thanks for reporting this bug. However, fidogate has been removed from the
Debian archive, so it no longer applies. It is being closed now.


Thijs


--- End Message ---